Market Prediction: Polymarket Wallet Hacked! $5,000 POL drained every 30 seconds, over $600k evaporated

On-Chain Analysis Platform Bubblemaps Issues Alert: One of Polymarket's UMA CTF Adapter wallets has been attacked. The attacker is draining 5,000 $POL every 30 seconds, with losses exceeding $600k USD as of the time of writing. On-chain detective ZachXBT also issued a warning, confirming that the attacker has dispersed funds into 15 addresses.
(Background: Polymarket submitted a "Cross-Chain Contract" CFTC self-certification! SEC Chair Gary Gensler predicts market ETF consultation)
(Additional background: After the THORChain hack, a recovery proposal was launched: the protocol absorbs the $600k loss, destroying the attacker’s RUNE)

Summary Highlights

• Polymarket's UMA CTF Adapter contract was hacked, with the attacker draining 5,000 POL every 30 seconds
• As of Bubblemaps' posting, losses have exceeded $600k USD; ZachXBT confirms ongoing attack
• Attacker addresses have been locked, stolen funds dispersed to 15 addresses, suspected to be initiating money laundering

On-chain analysis platform Bubblemaps issued an emergency alert today (5/22) on X, indicating that the wallet used for settling prediction markets via Polymarket's UMA CTF Adapter is under continuous attack. The attacker is extracting funds at a rate of 5,000 $POL every 30 seconds, with total losses surpassing $600k USD and still rising.

Polymarket's latest statement clarifies that the hacked wallet is used for internal storage, separate from user funds, and unrelated to market settlement.

ALERT: 🚨 Polymarket contract exploited

Attackers are removing 5,000 $POL every 30 seconds – $600k stolen so far

Pause all Polymarket activity for now pic.twitter.com/DpqOp5ggVj

— Bubblemaps (@bubblemaps) May 22, 2026

Bubblemaps directly urges all users to "immediately suspend all Polymarket operations." On-chain detective ZachXBT also issued a warning, confirming the attack is ongoing.

Attacker address has been locked, funds dispersed to 15 wallets

According to on-chain data, the main attacker address has been marked as 0x8F98…9B91. The stolen funds were immediately split and transferred into 15 different addresses, a typical on-chain money laundering prelude: first splitting, then mixing, and finally withdrawing via cross-chain bridges or centralized exchanges.

The UMA CTF Adapter is the core settlement component for Polymarket prediction markets, responsible for verifying market outcomes through UMA's Optimistic Oracle and settling accordingly. The breach of this contract indicates a vulnerability in the entire prediction market settlement layer, potentially affecting more than just the currently known losses.

DeFi Hacker Wave Continues in May

This is the third recent security incident faced by Polymarket. Previously, the platform experienced user account breaches due to third-party login service vulnerabilities, and faced allegations of data leaks (which the official later denied).

The entire DeFi ecosystem has been hit by a series of attacks in May, with five separate hacker incidents in just one week, totaling 19 incidents this month with losses around $38.2 million USD. Yesterday, THORChain announced the ADR028 recovery plan following a $10.7 million hack.

Frequently Asked Questions

What is the UMA CTF Adapter?

The UMA CTF Adapter is Polymarket's prediction market settlement contract, which verifies market outcomes via UMA's Optimistic Oracle and completes settlement. The breach indicates a vulnerability in the settlement layer, with potential for broader impact.

What should Polymarket users do now?

Bubblemaps urges users to immediately suspend all Polymarket activities, including opening new positions and withdrawals. The attack is ongoing, and users should wait for official confirmation of the vulnerability fix before resuming use.