The AdrianCronauer Drain: $2M Gone in Seven Minutes on Polymarket

On the afternoon of May 31, 2026, one of Polymarket's largest individual accounts went from roughly $2 million to $0.51 in seven minutes. The wallet behind the handle "AdrianCronauer", an account with over $17 million in lifetime trading volume, was emptied in nine transactions, the largest two worth $500,000 each. The funds are gone. They are not coming back.

This post does two things. First, it walks through exactly what happened, on-chain, separating what's confirmed from what's still rumor, because a lot of what's circulating on X right now is guesswork. Second, it turns that into a concrete security playbook for everyone who trades on Polymarket, whether you use a self-custodied wallet or the email login. Crypto is unforgiving in a way traditional finance is not, and the AdrianCronauer drain is a $2M reminder of what that actually means.

What we can prove on-chain

We traced the wallet ourselves on Polygon. This part isn't speculation, it's public, verifiable blockchain data.

The account's Polymarket proxy wallet is 0xf9c1190aa8184bcbe418e6f5321c53b0bfbc39e2. Between 15:01:53 and 15:08:58 UTC on May 31, 2026, it was drained of 2,008,261.01 USDC across nine transfers:

That's a near-perfect match for the "$2M" figure being thrown around on X, not a rounded guess, but the real number. And the two destinations tell you what the attacker did next: both are Relay.link contracts, a cross-chain bridge. About $1.54M went to Relay's RelayDepository (0x4cd00e38…) and $470K to its RelayRouterV3 (0xb92fe925…). In other words, the moment the funds left the victim's wallet, they were bridged off Polygon to another chain.

Two details matter here.

First, the method. Every transfer used a relayCall, a gasless meta-transaction routed through Polymarket's relayer. Polymarket proxy wallets are designed to be operated by a signature rather than by the wallet paying its own gas. Whoever drained this account had the ability to produce valid signatures authorizing transfers out of the proxy. That is the signature of a compromised key or a malicious approval, not a bug in Polymarket's contracts.

Second, the funds were laundered cross-chain in real time. Routing straight into a bridge, rather than parking the money in a wallet, is a deliberate move to make tracing harder and to get the funds onto a chain where they can be swapped and cashed out. By the time the drain was even noticed on X, the money had already left Polygon. That's a big part of why recovery is so unlikely: there's no single "thief's wallet" sitting on Polygon to freeze.

The wallet today holds about $0.51 and a balance of 10 "polyclaim.one" tokens, a worthless scam "claim/airdrop" token. Junk tokens like that are a classic phishing fingerprint: they get airdropped to a target to lure them toward a malicious "claim" site.

We also pulled Polymarket's own public data API for this account, which confirms two more things. First, the proxy wallet's display name on Polymarket is literally "AdrianCronauer", so the wallet and the handle are the same account, not a guess. Second, and more striking: the money wasn't all sitting in cash waiting to be swept. In the same five-minute window (15:03:28–15:08:36 UTC), the attacker force-sold positions across 28 separate markets for about $456,000 in proceeds before withdrawing. Every one of them was a geopolitical market, Strait of Hormuz shipping, US–Iran peace and ceasefire deals, Iran nuclear and uranium markets, plus a WTI crude oil bet. The largest single liquidation was ~$42K in "Strait of Hormuz traffic returns to normal by end of June?"

That's the smoking gun for the "it moved multiple markets" claim. Dumping ~$456K of concentrated positions across thin geopolitical markets in five minutes is exactly the kind of forced selling that absorbs liquidity and whipsaws prices, and here it's not a rumor, it's in Polymarket's own trade history.

What's confirmed but second-hand

The incident surfaced publicly on X around 15:24 UTC on May 31, minutes after the drain, with on-chain watchers posting screenshots of the rapid-fire withdrawals. One widely shared post put it bluntly:

"One of Polymarket's largest users, AdrianCronauer, just got drained for 2m+. Always be careful of links in the comment section, as it is plagued with phishing scams."

His betmoar profile corroborates the scale: roughly $17.5M lifetime volume, a heavy specialist in US–Iran geopolitical markets, with single days swinging as much as +$362K and −$377K, and a current portfolio of $0. So the size of the account and the totality of the wipeout are real.

What's still just rumor, be skeptical

Here's where you should slow down, because the confident version of this story going around is running ahead of the evidence.

• "It was a phishing link in Polymarket's comment section." Plausible, and consistent with a months-long pattern (more on that below), but as of writing this is a single-source claim. Nobody has produced the specific link AdrianCronauer clicked, or a forensic trail from a comment to the drain. The relayCall mechanism and the polyclaim.one token are consistent with phishing, but they don't prove the comment-section vector specifically. It could equally have been a malicious approval signed on a fake site, a compromised device, or a leaked key.
• "His account was deleted." It wasn't. As of checking, the profile is still up, it just shows empty positions and a zero balance.

If you take one media-literacy lesson from this: in crypto, real incidents get tagged by on-chain analysts (ZachXBT, @25usdc, PeckShield) within hours, with addresses and amounts. The parts that are verified here are verified because there's an address and a number. The parts that aren't should be held loosely.

The pattern this fits

AdrianCronauer didn't happen in a vacuum. Polymarket users have been hunted for months.

• The December 2025 third-party auth breach. Around December 22–24, 2025, a wave of users, many of whom insisted they had not clicked any phishing link, found their accounts drained, often after a burst of unexpected login-notification emails. Polymarket confirmed a "vulnerability introduced by a third-party authentication provider," widely attributed by the community to the email-login wallet provider Magic Labs. The takeaway that stung: some victims did everything right and still got hit, because the weakness was in the login layer, not in their behavior.

The comment-section phishing campaign. Since around November 2025, senior trader @25usdc and others have warned that scammers post comments under popular markets advertising "private markets" with "better odds," then drop an obfuscated link to a fake Polymarket login page. The page harvests your email login, then shows a fake Cloudflare "verify you're human" prompt that, in some variants, copies a malicious shell command to your clipboard. Aggregate reported losses crossed $500,000, with one individual losing $90,000. Polymarket's own PSA was unambiguous:

"There is no Polymarket 'private market' website with 'better odds.' Never enter your Polymarket email or login verification code on anything other than our official site."

One thing to not conflate with any of the above: on May 22, 2026, ZachXBT flagged a ~$520K–$700K drain on Polygon, and early headlines screamed "exploit." But that was a private-key compromise of an internal Polymarket rewards/top-up wallet, not user funds, and not a contract bug. Polymarket rotated the key and froze part of the funds. User balances were never at risk in that one. It's a separate story from the user-phishing drains, even though the timelines blur together.

Why none of it is recoverable

This is the part that traditional-finance instincts get wrong.

When someone skims your credit card, there's a chargeback. When a bank wire goes to a fraudster, there's sometimes a recall. There is a phone number, a dispute process, a regulator, an institution that can move money back.

On a public blockchain, a confirmed transaction is final. There is no admin who can reverse AdrianCronauer's nine transfers. Polymarket's contracts performed exactly as designed, they honored validly signed instructions. The $2M is now in addresses the thief controls, and the only thing that ever claws any of it back is a voluntary freeze by a centralized exchange if the funds are dumb enough to land there, plus law enforcement, plus luck. Plan as if the answer is zero, because it usually is.

That's the mental model to internalize before the safety tips: you are your own bank, your own fraud department, and your own last line of defense. Acting accordingly costs you a little convenience. Not acting accordingly cost this account everything.

Security playbook: self-custodied (EOA) wallets

If you hold your own keys, the attacker's whole job is to get you to either reveal your seed phrase or sign a malicious transaction. Make both as hard as possible.

1. Use a hardware wallet for anything meaningful. A Ledger or Trezor keeps your private key off your internet-connected computer. Even if your machine is fully compromised, the thief can't move funds without physical confirmation on the device.
2. Separate your "trading" wallet from your "vault." Keep only what you're actively trading in your hot/Polymarket wallet. Park the rest in cold storage. A drain of a $5K trading wallet is a bad day. A drain of your entire net worth is a life event. AdrianCronauer kept ~$2M in one operational proxy.
3. Never type your seed phrase into anything, ever. No legitimate site, app, support agent, or "wallet validator" will ever need it. The moment a page asks for your 12/24 words, it's a thief. Full stop.
4. Audit and revoke token approvals regularly. Many drains don't steal your key at all, they trick you into signing an approve that lets a contract spend your tokens later. Use a tool like revoke.cash to review and kill stale approvals, especially anything with unlimited spend.
5. Read what you're signing. Use a wallet that simulates transactions (shows you what will actually move) before you confirm. "Connect wallet" should never silently equal "give permission to transfer." If a signature request doesn't make sense for what you're doing, reject it.
6. Treat every link as hostile, especially in comment sections. This is the exact vector being used against Polymarket users right now. Don't click links in market comments, DMs, or replies. Navigate to sites yourself, from a bookmark.
7. Bookmark the real URL and only ever use the bookmark. Phishing depends on look-alike domains. If you never type the address and never click an inbound link, you can't be fooled into the wrong one.
8. Ignore surprise "claim" tokens. That polyclaim.one token in the victim's wallet is the template: a junk token appears, "claiming" it sends you to a drainer. Tokens you didn't buy are bait. Leave them.

Security playbook: email / Magic-login accounts

If you signed up for Polymarket with just an email (the "magic link" experience), a wallet was created for you behind the scenes. That's convenient, and it changes your threat model. Your email is your wallet's front door.

1. Understand the trade-off you've made. Convenience came at the cost of a custody model where compromising your email/login can compromise your funds. That's not a reason to panic, but it is a reason to lock down the login itself.
2. Harden the email account ruthlessly. Turn on the strongest 2FA available, ideally an authenticator app or hardware key, not SMS. The December 2025 breach showed how account-layer weaknesses bypass even careful users; don't hand attackers an easy email on top of that.
3. Never enter your login code on any site but the official one. Repeat Polymarket's own PSA back to yourself every time: the verification code goes only into the real app. A code prompt on any other domain is an attack in progress.
4. Watch for unexpected login emails. A sudden burst of "someone is trying to log in" notifications was the early warning sign in the Magic Labs incident. If you see them, assume someone is probing your account and act immediately.
5. For large balances, graduate to self-custody. If your Polymarket balance is becoming real money, withdraw the bulk to a wallet whose keys you control (ideally hardware-backed). An email login is fine for $200 of fun. It is not where you want $200,000 to live.
6. Don't reuse that email's password anywhere. Credential-stuffing from an unrelated breach is a free entry point. Unique password, password manager, done.

Never link your wallet to random "checkers": and why ours is different

Here's the single highest-leverage habit: be extremely suspicious of any site that asks you to connect your wallet or sign a message, especially "airdrop checkers," "eligibility checkers," and "reward claimers."

This is exactly how a huge share of drains start. With the POLY airdrop speculation running hot, a wave of fake "check your POLY allocation" sites has predictably appeared. The malicious ones ask you to connect and sign "to verify", and that signature is the theft. They are engineered to exploit the same FOMO that makes airdrops exciting.

So we want to be explicit about how our own tool works, because we built it specifically to avoid this trap:

The Polytrage airdrop checker never asks you to connect a wallet, sign anything, or enter a private key, seed phrase, or login. It only needs your public wallet address, the same string you'd paste into any block explorer. With that address it makes read-only API calls to pull your public on-chain Polymarket history and scores it against the leading speculation criteria. There is no transaction to sign, no permission to grant, and therefore nothing to drain. A public address is safe to share; it reveals only what the blockchain already shows everyone. You can check your estimate at polytrage.com/airdrop-checker without ever exposing your funds.

That's the rule of thumb to carry everywhere: a tool that only needs your public address is read-only and safe. A tool that wants you to connect and sign can move your money. Know which one you're using before you click.

The one-line takeaway

A $17M-volume account became worth fifty-one cents in seven minutes, on a chain where nobody can hit undo. You can't outsource your security on Polymarket, but you can make yourself a hard target: hardware wallet for the serious money, a small hot wallet for trading, zero links from comment sections, codes only on the real domain, and a permanent allergy to anything that wants you to "connect and sign to verify."

Stay safe out there. If you want to trade on Polymarket, our referral link is https://polymarket.com/?r=polytrage, and you can run a safe, read-only check of your potential POLY allocation at polytrage.com/airdrop-checker.