    ZachXBT Flags Polyarb as Fake Prediction Market With an Active Wallet Drainer


    Key Takeaways:

    • ZachXBT warned on May 4, 2026, that Polyarb hosts an active wallet drainer targeting crypto users.
    • Prominent accounts replying to Polyarb posts amplify the scam to new audiences without realizing it.
    • The alert follows ZachXBT’s recent exposure of a U.S. law firm seeking $71 million in Lazarus-linked frozen funds.

    What Polyarb Is Doing

    Wallet drainers work by disguising a malicious smart contract approval as a routine transaction. When a user connects their wallet and signs what appears to be a deposit, claim, or market entry action, the drainer triggers a separate, hidden approval that grants the attacker full access to the wallet’s funds.

    ZachXBT specifically highlighted an amplification risk: a prominent crypto account had replied to a Polyarb post, giving the platform organic reach it would not otherwise achieve. Replying to a scam platform’s content, even skeptically, pushes that platform in front of the replying user’s entire audience, which can number in the millions, with no indication that the source is malicious.

    Part of a Wider Trend

    Fake decentralized finance (DeFi) and prediction market platforms have become an increasingly common attack vector in 2026. Scam operators exploit the growing visibility of legitimate platforms like Polymarket and Kalshi, both of which have disclosed regulatory relationships with the Commodity Futures Trading Commission (CFTC), by creating look-alike sites with similar branding and no audited contracts.

    ZachXBT has built a consistent record of exposing these and other related threats before significant losses accumulate. Earlier this month, the investigator revealed that a U.S. law firm (Gerstein Harrow) had filed claims seeking to seize $71 million in ethereum frozen after the April 2026 KelpDAO exploit tied to the Lazarus Group, using a 2015 legal judgment against North Korea to jump ahead of actual hack victims in any recovery queue.

    How to Stay Safe

    Before connecting a wallet to any prediction market or DeFi platform, users should verify the contract address against the platform’s official documentation and confirm that a public smart contract audit from a reputable security firm exists. Red flags include no disclosed regulatory relationship, no audited contracts, and social media profiles that appeared recently relative to their claimed activity level.

    Revoking token approvals after any suspicious interaction, using tools such as Revoke.cash, can limit ongoing exposure if a drainer has already been triggered. When connecting to unfamiliar platforms, using a hardware wallet rather than a browser-based hot wallet holding significant funds can provide an additional layer of protection, as every transaction requires physical confirmation.
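
    The approval described above is visible in the raw transaction data a wallet asks the user to confirm. The following is an added example, not code from the article or from any tool it names: it decodes the three standard ERC-20/ERC-721 approval calls and rates the request. The function name, risk labels, unlimited-allowance threshold, and sample inputs are assumptions made for this illustration.

```python
# Added example: classify raw EVM calldata before it is signed.
# Selectors are the standard 4-byte ids for the ERC-20 / ERC-721 approval calls.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Assumption: any allowance at or above 2**255 is treated as effectively unlimited.
UNLIMITED_THRESHOLD = 2**255


def inspect_calldata(calldata_hex, trusted_spenders=()):
    """Report whether calldata grants a token approval, to whom, and how risky it is."""
    data = calldata_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in APPROVAL_SELECTORS:
        return {"is_approval": False, "risk": "none"}
    result = {"is_approval": True, "function": APPROVAL_SELECTORS[selector]}
    try:
        if len(args) < 128:
            raise ValueError("approval calls carry two 32-byte arguments")
        spender_word, amount = args[:64], int(args[64:128], 16)
        int(spender_word, 16)  # rejects non-hex input
    except ValueError:
        return {**result, "risk": "malformed"}
    # An address occupies the low 20 bytes of its 32-byte ABI word.
    spender = "0x" + spender_word[24:]
    trusted = {s.lower() for s in trusted_spenders}
    # setApprovalForAll(true) covers every token in the collection, so it is unlimited.
    unlimited = amount != 0 if selector == "a22cb465" else amount >= UNLIMITED_THRESHOLD
    if amount == 0:
        risk = "no_grant"  # zero amount / false grants nothing (approve with 0 is a revocation)
    elif spender in trusted:
        risk = "low"
    else:
        risk = "high" if unlimited else "medium"
    return {**result, "spender": spender, "amount": amount, "unlimited": unlimited, "risk": risk}


# Constructed sample inputs (not taken from any real transaction).
SPENDER = "0x" + "11" * 20
PAD = "0" * 24
UNLIMITED_APPROVE = "0x095ea7b3" + PAD + "11" * 20 + "f" * 64
REVOKE = "0x095ea7b3" + PAD + "11" * 20 + "0" * 64
APPROVE_ALL_NFTS = "0xa22cb465" + PAD + "11" * 20 + "0" * 63 + "1"
PLAIN_TRANSFER = "0xa9059cbb" + PAD + "11" * 20 + "0" * 62 + "64"
```

    The check covers only the top-level call it is given; an approval nested inside a batch call or granted through an off-chain signature is outside what it decodes.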


