Telegram Trading Bot Polycule on Polymarket Hacked, $230K Stolen

PANews
On-chain data reveals that Polycule, a leading Telegram trading bot on Polymarket, was hacked on January 13, 2026, with $230,000 stolen from user funds. The team immediately took the bot offline, deployed a patch, and promised to reimburse users via Polygon. On-chain analysis shows the incident has reignited concerns over security for Telegram-based trading bots.

Author: ExVul Security (Web3 security company)

I. Event Summary

On January 13, 2026, Polycule officially confirmed that its Telegram trading bot had been hacked, resulting in the theft of approximately $230,000 in user funds. The team quickly updated users on X: the bot was immediately taken offline, a patch was rapidly developed and deployed, and they promised to compensate affected users on the Polygon network. A series of updates from last night to today have further intensified the ongoing security discussions around Telegram trading bots.

II. How Polycule Works

Polycule's positioning is clear: to allow users to browse markets, manage positions, and allocate funds on Polymarket directly within Telegram. The main modules include:

Account Opening and Dashboard: `/start` automatically assigns a Polygon wallet and displays the balance. `/home` and `/help` provide entry points and command explanations.

Market and Trading: `/trending`, `/search`, and directly pasting a Polymarket URL can all retrieve market details; the bot provides market/limit order placement, order cancellation, and chart viewing.

Wallet and Funds: `/wallet` supports viewing assets, withdrawing funds, swapping POL/USDC, and exporting private keys; `/fund` guides the deposit process.

Cross-Chain Bridge: deep integration with deBridge helps users bridge assets from Solana, and by default 2% of the SOL is automatically deducted and converted into POL for gas fees.

Advanced Features: `/copytrade` opens the copy trading interface, allowing you to follow trades based on a percentage, a fixed amount, or custom rules. It also offers extended features such as pausing, reverse copying, and strategy sharing.

The Polycule Trading Bot is responsible for communicating with users and parsing commands. It also manages keys in the background, signs transactions, and continuously monitors on-chain events.

After the user inputs `/start`, the backend automatically generates a Polygon wallet and stores the private key. The user can then use commands like `/buy`, `/sell`, and `/positions` to check prices, place orders, and manage positions. The bot can also parse Polymarket web links and directly return the trading entry. Cross-chain funds are handled through the deBridge integration, which supports bridging SOL to Polygon; by default, 2% of the SOL is automatically converted to POL to cover future transaction gas fees. More advanced features include copy trading, limit orders, and automatic monitoring of target wallets, all of which require the server to remain online continuously and to sign transactions on behalf of users.

III. Common Risks of Telegram Trading Bots

Behind the convenient chat-based interaction are several structural security risks that are difficult to avoid:

First, almost all bots store users' private keys on their own servers, and transactions are signed directly by the backend. This means that once the server is hacked or data is accidentally leaked during operations, attackers can batch export private keys and drain all users' funds at once. Second, authentication relies on the Telegram account itself. If a user experiences SIM card hijacking or device loss, attackers can take control of the bot account without needing to know the recovery phrase. Finally, there is no local pop-up confirmation step. Traditional wallets require users to personally confirm each transaction, but in the bot model, if there is a flaw in the backend logic, the system could automatically transfer funds without the user's knowledge.

IV. Unique Attack Surfaces Revealed by the Polycule Documentation

Based on the content of the document, it can be inferred that the main focus of this incident and potential future risks include the following points:

Private Key Export Interface: The `/wallet` menu allows users to export private keys, indicating that the backend stores reversible key data. Once SQL injection, unauthorized API endpoints, or log leaks exist, attackers can directly invoke the export function. This scenario closely matches the circumstances of the current theft incident.

URL parsing may trigger SSRF: The bot encourages users to submit Polymarket links to obtain market data. If the input is not strictly validated, attackers could forge links pointing to internal networks or cloud service metadata, causing the backend system to proactively "fall into a trap," which could further lead to the theft of credentials or configurations.
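One defensive pattern for the link-parsing feature described above, as an added example that is not Polycule's code: validate a user-submitted market URL before the backend fetches anything, with a host allowlist and a check on every resolved address so that links or DNS answers pointing at internal networks or the cloud metadata address are refused. The allowlist, the `system_resolver` helper, and the function names are assumptions for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urlunparse

# Assumed allowlist: the only hosts the bot will fetch market pages from.
ALLOWED_HOSTS = {"polymarket.com", "www.polymarket.com"}


def system_resolver(host):
    """Return every address the OS resolver gives for host (used in production)."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}


def validate_market_url(url, resolver=system_resolver):
    """Return a normalised URL that is safe to fetch, or raise ValueError.

    All checks run before any request is made: scheme, embedded credentials,
    host allowlist, port, and finally every address the host resolves to, so a
    link (or a DNS answer) pointing at loopback, RFC1918 space or the metadata
    address 169.254.169.254 is refused rather than fetched by the backend.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        raise ValueError("only https URLs are accepted")
    if parsed.username or parsed.password:
        raise ValueError("credentials embedded in the URL are rejected")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    if parsed.port not in (None, 443):
        raise ValueError("non-standard port rejected")
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d like the IPv4 address it wraps
        # is_global is False for loopback, private and link-local (metadata) ranges
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    # Fragment dropped; only scheme, host, path and query reach the fetcher.
    return urlunparse(("https", host, parsed.path, "", parsed.query, ""))


def is_safe_market_url(url, resolver=system_resolver):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_market_url(url, resolver)
        return True
    except ValueError:
        return False
```

The resolver is injected so the check can be exercised offline; in production the default uses the OS resolver, and the HTTP client should additionally disable redirects so a validated URL cannot bounce to an unchecked one.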

Copy Trading's listening logic: Copy trading means that the bot follows and synchronizes operations with the target wallet. If the monitored events can be forged, or if the system lacks secure filtering of the target transactions, followers may be led into malicious contracts, resulting in their funds being locked or even directly stolen.

Cross-chain and Automatic Coin Swapping Process: The process of automatically converting 2% SOL to POL involves exchange rates, slippage, oracles, and execution permissions. If the code does not strictly validate these parameters, hackers could potentially amplify exchange losses or drain the gas budget during bridging. Additionally, insufficient verification of deBridge receipts could lead to risks such as false deposits or double-counting.

V. Reminders for the Project Team and Users

What the project team can do includes: deliver a complete and transparent technical post-mortem before restoring services; conduct specialized audits of key storage, permission isolation, and input validation; re-examine server access control and code deployment processes; and introduce secondary confirmation or limit mechanisms for critical operations to reduce potential further damage.
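To make the "secondary confirmation or limit mechanism" concrete, and to address the missing confirmation step noted in section III, here is an added example (not Polycule's code) of a gate in front of critical `/wallet` operations such as withdrawals and key export: the bot answers the command with a short-lived HMAC-bound token the user must echo back, each token is single-use, and withdrawals are additionally capped by a rolling 24-hour limit. The limit, TTL, secret handling and class name are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values; a real deployment would load them from config.
DAILY_WITHDRAW_LIMIT_USDC = 2_000.0   # rolling 24h cap per user
CONFIRM_TTL_SECONDS = 120             # how long a confirmation prompt stays valid
# Constructed server secret; in production this lives in a KMS/HSM, not in code.
SERVER_SECRET = secrets.token_bytes(32)


class CriticalOpGate:
    """Second-step confirmation plus rolling limit for withdrawals and key export."""

    def __init__(self, now=time.time):
        self.now = now
        self._withdrawals = defaultdict(deque)  # user_id -> deque[(timestamp, amount)]
        self._used_tokens = set()                # a confirmation can be spent once

    def _tag(self, user_id, op, amount, ts, nonce):
        msg = f"{user_id}|{op}|{amount:.6f}|{ts}|{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def request(self, user_id, op, amount=0.0):
        """Step 1: the bot answers the command with a token the user must send back."""
        ts, nonce = int(self.now()), secrets.token_hex(8)
        return f"{ts}.{nonce}.{self._tag(user_id, op, amount, ts, nonce)}"

    def confirm(self, user_id, op, amount, token):
        """Step 2: only a fresh, unused token bound to the same user/op/amount passes."""
        try:
            ts_str, nonce, tag = token.split(".")
            ts = int(ts_str)
        except ValueError:
            return False, "malformed confirmation"
        if self.now() - ts > CONFIRM_TTL_SECONDS:
            return False, "confirmation expired"
        if not hmac.compare_digest(self._tag(user_id, op, amount, ts, nonce), tag):
            return False, "confirmation does not match request"
        if token in self._used_tokens:
            return False, "confirmation already used"
        if op == "withdraw":
            history = self._withdrawals[user_id]
            cutoff = self.now() - 86_400
            while history and history[0][0] < cutoff:
                history.popleft()  # drop withdrawals older than the rolling window
            if sum(a for _, a in history) + amount > DAILY_WITHDRAW_LIMIT_USDC:
                return False, "daily limit exceeded"
            history.append((self.now(), amount))
        self._used_tokens.add(token)
        return True, "ok"
```

Because the token commits to user, operation and amount, a backend bug or a hijacked session cannot silently change the destination or size of an already-confirmed action, and a leaked token is worthless after two minutes or one use.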

End users should consider limiting the amount of funds kept in the bot, promptly withdrawing profits, and prioritizing security measures such as enabling two-factor authentication and independent device management on Telegram. Until the project team provides clear security commitments, it is advisable to remain cautious and avoid adding more capital.

VI. Afterword

The Polycule incident once again highlights that when trading experiences are condensed into a single chat command, security measures must also be upgraded in parallel. Telegram trading bots will remain a popular entry point for prediction markets and Meme coins in the short term, but this area will also continue to be a hunting ground for attackers. We recommend that project teams treat security development as an integral part of their product, and update users on progress transparently. Users should also remain vigilant and not treat chat shortcuts as risk-free asset managers.
