The Short Answer
Some are, some aren't, the dividing line is custody. Bots built on non-custodial wallet infrastructure can trade for you without ever being able to withdraw your funds. Bots whose teams hold user private keys directly are a different story: of the five copy trading bots we tested, both of the confirmed exploits happened on team-held-key bots.
$300,000+
Reported exploit losses
Across two of the five copy trading bots we tested
2 of 5 bots
Had confirmed exploits
Both were bots where the team holds user keys
Introduction
Most Polymarket bots run inside Telegram. They need the ability to place trades with your money. That's an unavoidable amount of trust, and it's why "is this bot safe?" is the right first question, ahead of speed, features or fees.
We've put five Polymarket copy trading bots through hands-on testing for our copy trading bots guide placing real-money trades and researching each bot's wallet infrastructure and incident history. This article collects everything we learned about the safety side specifically: how these bots hold funds, which ones have already been exploited, and how to vet one yourself before depositing anything.
How Bots Access Your Funds
Every copy trading bot needs signing authority — a way to place trades from a wallet you fund. The safety question is never whether a bot has that authority, but how it gets it. There are two models in this market, and the difference between them accounts for almost the entire spread in our security scores.
The Custody Divide
Non-custodial
The bot uses third-party wallet infrastructure — Privy, Gnosis Safe — to execute trades while you keep your private keys. It can trade on your behalf but cannot withdraw assets from your wallet, even if the bot itself were compromised.
Bots we tested: Kreo (Privy + Gnosis Safe), Polycool (Privy)
Team-held keys
The team behind the bot generates the wallet and holds its private keys directly. That means full withdrawal power over your deposit — you're trusting the team's honesty and their ability to keep attackers out of their systems.
Bots we tested: Polycop (Gnosis Safe), Polygun, Polycule
Every confirmed exploit in our testing happened on a bot whose team held user keys. Neither non-custodial bot has a reported incident.
Polycop does use Gnosis Safe, but the wallet is still created and controlled by the team rather than by the user. Because the team generates and retains the private keys, users must ultimately trust the operator not to misuse or lose access to those keys. This custody model introduces a level of trust that isn't present with fully non-custodial setups, which is why Polycop scores lower on security despite having no reported exploit of its own.
The Exploits That Already Happened
This isn't a theoretical risk. Two of the five copy trading bots we tested have confirmed exploits, and both hold user private keys themselves.
Polycule — roughly $230,000 taken
Polycule has confirmed a reported exploit that resulted in roughly $230,000 in user funds being taken the largest incident of any bot we tested. It has made no wallet security upgrade since, which is why it earns a 0/10 security score and we don't recommend it at all.
Polygun — roughly $70,000 taken
Polygun has a confirmed exploit resulting in roughly $70,000 in user funds being taken. The team has stated that user private keys remain safe, but a bot with no third-party wallet protection and a track record of losing funds earns the lowest score we give.
Worth stating clearly: we have no exploit reports for Kreo, Polycool or Polycop. But only the first two of those pair that clean record with infrastructure that would limit the damage if something did go wrong.
Security Scores Compared
Here's how every copy trading bot we've tested scores on security, alongside the custody facts behind each number.
| Bot | Security | Custody | Reported Exploits |
|---|---|---|---|
Kreo | 9/10 | Non-custodialPrivy + Gnosis Safe | None reported |
Polycool | 9/10 | Non-custodialPrivy | None reported |
Polycop | 2/10 | Team-held keysGnosis Safe (team-controlled) | None reported |
Polygun | 0/10 | Team-held keysNo third-party infrastructure | ~$70,000 exploit |
Polycule | 0/10 | Team-held keysNo third-party infrastructure | ~$230,000 exploit |
Security scores reflect our own research and hands-on testing. Betmoar isn't listed because it's a manual trading terminal, not a copy trading bot.
For how these security scores fit into each bot's overall rating, see our Compare Bots page or the full Telegram bots comparison.
How to Vet a Bot Before Connecting a Wallet
Five checks, in the order we'd run them. If a bot fails the first one, the rest barely matter.
- 1
Check who holds the keys
This is the single biggest safety question. Look through the bot's documentation for third-party wallet infrastructure like Privy or Gnosis Safe that setup means the bot can execute trades without ever being able to withdraw your funds. If the team generates and holds the wallet itself, everything you deposit depends on that team's honesty and their security practices. - 2
Search its exploit history
Search the bot's name alongside words like "exploit" or "hack" before depositing anything. Two of the bots we tested Polygun and Polycule have confirmed exploits, and Polycule hasn't upgraded its wallet security since losing roughly $230,000 of user funds. A past incident with no infrastructure change afterwards is the clearest red flag there is. - 3
Verify you're using the official bot
Copycat bots imitating real ones are a genuine risk on Telegram. Always reach the bot through its official website or documentation rather than a search inside Telegram, and confirm the handle matches the one those official channels reference. - 4
Look at the security features on offer
Check whether the bot offers protections like two-factor authentication, and whether it publishes anything about how funds are secured. None of the bots we tested currently has a published security audit. Even our top-rated pick, Kreo, loses a point for not yet offering 2FA so treat any bot's security claims as unverified until its infrastructure says otherwise. - 5
Start smaller than you think you need to
Whichever bot you choose, your first deposit should be a test, not a commitment. Place a small copied trade, withdraw once, and confirm the full cycle works before scaling up to a stake you'd actually mind losing.
Reducing Your Risk Even With a Safe Bot
A safe bot doesn't make copy trading safe
Bot security and trading risk are separate problems. Even a perfectly secure bot will faithfully copy a losing trader prediction markets carry real risk regardless of the tool. Choosing a wallet worth copying matters as much as choosing the bot.
Never connect your primary wallet
Create a dedicated wallet that you only use for copy trading, and fund it with just your trading stake. If a bot, or the team behind it, is ever compromised, the damage stops at that wallet instead of reaching everything you own.
Beyond that, deposit only what you're genuinely comfortable putting at risk, and confirm current fees directly with the bot before you start. And before following anyone, our guide to finding a wallet worth copying covers how to tell a genuinely profitable trader from a lucky streak.
Final Thoughts
So, are Polymarket bots safe? The honest answer is that the market splits cleanly in two. Non-custodial bots like Kreo and Polycool have the infrastructure to be trusted with a trading wallet.
Team-held-key bots ask for trust which they haven't earned. Roughly $300,000 in reported exploit losses, all of it on team-held-key bots, is the clearest signal this market has produced.
If you're still choosing, our ranked Telegram bots comparison covers speed, usability and features alongside the security story told here, and our step-by-step copy trading guide walks through a safe first setup end to end.
About This Guide
Written by Polymarket Academy Editorial Team
The Polymarket Academy Editorial Team independently researches, tests and reviews copy trading tools to help users make informed decisions.
Last reviewed: July 2026





