The decentralized prediction market platform Polymarket is at the center of a heated dispute over what constitutes a data breach. A threat actor operating under the handle “xorcat team” posted on a cybercrime forum Monday, claiming to have extracted more than 300,000 records from Polymarket’s infrastructure, along with a full exploit kit and working proof-of-concept scripts.
- Polymarket denies a data breach after a threat actor claims to have stolen 300,000 user records via undocumented API endpoints.
- The alleged 750-megabyte cache includes user profiles and activity logs extracted through unauthenticated pagination bypasses and CORS misconfigurations.
- Security researchers at vx-underground warn that Polymarket’s dismissive response ignores the risk of targeted phishing via aggregated wallet data.
The alleged cache includes approximately 750 megabytes of compressed data spanning user profiles, activity logs, market metadata, follower relationships and reward configurations. The actor claims the extraction was performed entirely through unauthenticated means, exploiting undocumented API endpoints, a pagination bypass and a CORS misconfiguration.
Polymarket Denies Breach, Calls Data Public
Polymarket directly disputed the hacker’s claims in a series of posts on X on April 29. “We are investigating these claims, but initial review indicates that the ‘leaked’ data consists of information already publicly accessible on-chain and via public APIs,” the platform said.
The company maintained that no private user information, including email addresses, passwords or government identification documents, was compromised.
This response drew sharp criticism from the security community. vx-underground, a prominent malware research collective, warned that Polymarket’s dismissive tone could backfire.
“I don’t think it is in Polymarket’s best interest to mock Threat Actors who are claiming to have exfiltrated data from them,” vx-underground posted on X. “It is probably in their best interest to keep an eye on this and not mock criminals who are obviously interested in their organization. I don’t know, man. I don’t think this stuff is a joke.”
The Technical Claims
The threat actor alleged that multiple vulnerabilities were chained together to extract the data. These reportedly include a pagination bypass allowing bulk harvesting of market data, a CORS misconfiguration with wildcard origins, and unauthenticated endpoints exposing full user profiles and social graph data.
The threat actor claimed Polymarket has no bug bounty program and received no prior notification before the public posting.
User Risk
The immediate risk for users is phishing, according to Dark Web Informer. The combination of real names, usernames and wallet addresses enables attackers to craft personalized messages asking users to “secure” their accounts or “verify” transactions, leading to credential theft or drained wallets.
Polymarket did not confirm whether any of the alleged vulnerabilities have been patched. The platform did not respond to requests for comment.
Chain Street’s Take
The truth is probably in the middle. Polymarket is technically correct that on-chain data is public. But aggregated, packaged and cross-referenced with usernames and bios, that same data becomes a targeting map.
vx-underground’s warning should not be dismissed. The hacker is selling an exploit kit on a cybercrime forum. Even if Polymarket patches everything tomorrow, the tooling is now in the wild. Instead of memeing the situation, Polymarket would be better served by a transparent post-mortem. The dismissive response erodes trust faster than any data leak ever could.





