Why the viral Polymarket copytrading bot all over your feed is a scam.
Three different people forwarded me the same Polymarket bot scam in the same week.
A verified X account, “I’m quitting my job to go full-in on Claude.” Then a short video, dark-mode dashboard, live-looking data, a Copytrade Engine in LIVE MODE, a leaderboard of wallet addresses up $312k and $184k, green P&L curve climbing. The caption claimed it turned $2K into $12K overnight, 70% win rate, monitoring 500+ wallets, Telegram bot handles everything. “You only need: Claude + a device + 1 hour per day.” The dashboard is called POLY//TERMINAL, and on first watch it looks like something from a Bloomberg terminal room.
I have been working in IT for over twenty years, and I trade at night too, mostly REITs and dividend stocks with some US positions mixed in, because I find it interesting and because I want the portfolio to do real work for my family long term. Although I’m not a professional trader, I’ve learnt both at work and with money, to look carefully at things before I touch them. So I studied this one properly.
The edge percentages on the Mispricing Scanner were the first thing that stood out. A contract priced at 67 cents with a fair value of 75.4 cents is labelled with an edge of +8,409,044,361,225%.
Eight trillion percent.
A real 8-cent price discrepancy on a prediction market is 8 percentage points, worth a handful of dollars on a small trade, so that number isn’t a rounding error and nobody ships a live system with one like that. It’s there because whoever built this didn’t actually know what the number was supposed to represent. And right there in the corner of the screen, the dashboard is labelled “DEMO COPY.” Not live data at all, just a mockup.
Finance writer Andrew Collins documented this exact production pipeline in May 2026, where you open Claude Artifacts, paste a screenshot of a real dashboard, ask the AI to copy the design with whatever numbers you want, export as HTML, screen-record it and post.¹ The whole thing takes a couple of minutes, and most of the Polymarket profit dashboards flooding timelines that month had nothing real behind them.
It’s a scam, built as a funnel. The tweet is bait, the terminal video is fabricated proof, and the Telegram link or GitHub repo at the bottom is the actual payload.
Security researchers at StepSecurity spent time in early 2026 pulling apart a cluster of these copytrading bot repos. They found that attackers had hijacked a legitimate, verified GitHub organisation, a real Japanese DeFi project with years of history, and seeded it with over twenty Polymarket bot variants, each with fake star counts to look credible. Inside the npm dependencies were hidden packages that, the moment you ran npm install, would lift your wallet’s private key, copy sensitive files off your machine and send them to an attacker-controlled server. All while you’re following the README like a responsible person.²
The Telegram bot route isn’t much safer either. In January 2026, Polycule, one of the more popular Polymarket bots at the time, was compromised and around $230,000 in user funds was drained before they pulled it offline.³ These bots hold private keys on their own servers, so once you deposit, they are in control. Most people don’t think about that until something goes wrong.
The reason it works so well is that there’s something real buried underneath. Polymarket is a decentralised prediction market platform where users trade on the outcomes of real-world events, from elections to crypto prices. Prediction market arbitrage is a genuine strategy, and when the “Yes” and “No” contracts on a binary market briefly sum to less than a dollar, you can buy both sides and lock in the difference regardless of how the event resolves. CoinDesk reported in February 2026 on a bot that ran this trade across nearly 9,000 executions, capturing a small spread each time and generating real money.⁴ The catch is that those gaps now close in milliseconds, and the people catching them run dedicated infrastructure connected directly to Polygon with sub-100ms execution. They are not running a Telegram bot on a phone for an hour a day. The window that generated those early documented wins has been swallowed by professional machines, and what gets sold in these posts is the memory of an edge that no longer exists at the retail level.
Sterling Crispin, a former Apple researcher who actually knows how to build this stuff, wrote a public piece calling out these viral Claude-built Polymarket bot posts specifically.⁵ He made his point in a memorable way, building and open-sourcing a real Polymarket bot deliberately designed to lose money, then tracking it publicly. An on-chain study of 2.5 million wallets found that over 84% of people who have traded on Polymarket have lost money.⁶ The wallets in those viral leaderboards are real, they’re just the ones sitting at the top of a very large pile of losses the post isn’t showing you.
If you come across something like this, the single most important thing is to never paste a private key or seed phrase into a .env file for a third-party tool. Because once it’s in someone else’s code the wallet is effectively theirs.
A GitHub repo that appeared two months ago with hundreds of stars is suspicious rather than reassuring, since star counts are easy to buy. Any bot that asks you to deposit money to activate it isn’t a bot, it’s a collection mechanism.
If someone’s claiming a win rate, ask for the wallet address and check it on-chain yourself. Polymarket trades are all on Polygon and real results are auditable in a way that a nice-looking HTML dashboard isn’t.
Part-time trading is worth doing. Slow and unglamorous tends to work, dividend income, REITs, positions that compound quietly over years without making headlines. Nobody’s making a slick terminal mockup showing a REIT paying out distributions every quarter, and there’s a reason for that.
But the people behind these posts are working hard, just at something other than trading. The effort that went into making that terminal look real, the fake star counts, the layered funnel, all of that took considerably more than an hour a day. The post itself took a couple of minutes to make. Getting your money back after following it will take considerably longer.
Not financial advice. Do your own research before putting money anywhere.
Sources
- Andrew Collins, “I Gave Claude AI a FREE 5-Minute Scalping Strategy: Here’s What Happened,” The Finance Edge, Medium, May 2026. https://medium.com/the-finance-edge
- StepSecurity, “Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys,” February 2026. https://www.stepsecurity.io/blog/malicious-polymarket-bot-hides-in-hijacked-dev-protocol-github-org-and-steals-wallet-keys
- KuCoin News, “Telegram Trading Bot Polycule on Polymarket Hacked, $230K Stolen,” January 2026. https://www.kucoin.com/news/flash/telegram-trading-bot-polycule-on-polymarket-hacked-230k-stolen
- CoinDesk, “How AI Is Helping Retail Traders Exploit Prediction Market Glitches to Make Easy Money,” February 2026. https://www.coindesk.com/markets/2026/02/21/how-ai-is-helping-retail-traders-exploit-prediction-market-glitches-to-make-easy-money
- Sterling Crispin (@sterlingcrispin), X post and article, 2026. https://x.com/sterlingcrispin/status/2007576511747146232
- On-chain analysis of 2.5 million Polymarket wallets by Andrey Sergeenkov, reported by Protos / MEXC News, April 2026. https://www.mexc.com/news/1026037
