Prediction market platform Polymarket is reportedly at the center of a large-scale data exposure, after a threat actor claimed to have leaked more than 300,000 records along with an exploit kit on a cybercrime forum.
The disclosure, flagged by Dark Web Informer in an X post on Tuesday, attributes the incident to an actor identified as “xorcat.” The dataset is said to have been extracted on April 27, 2026, using a combination of undocumented API access points and misconfigurations.
The Crypto Times team reached out to Polymarket for official confirmation of the alleged attack but has not received a response yet.
Scope of the alleged data leak
According to the claims, the leaked dataset is described as containing over 750 MB of extracted information, later compressed into smaller JSON files. It reportedly spans user profiles, activity logs, and market data tied to the platform’s prediction markets.
Among the exposed information are roughly 10,000 user profiles that include names, pseudonyms, bios, profile images, and wallet-linked addresses. The dataset also allegedly includes thousands of comments linked to user accounts, detailed records from Gamma and central limit order book markets, and event-level data containing Ethereum addresses and internal usernames.
Additional elements reportedly cover follower relationships, reward configurations tied to USDC contracts, and internal identifiers embedded in metadata fields such as “createdBy” and “updatedBy,” potentially allowing deeper mapping of platform activity.
Exploit kit and technical claims
The actor claims the data was obtained by exploiting multiple weaknesses in Polymarket’s API infrastructure. These reportedly include:
- Use of undocumented endpoints across Gamma and CLOB APIs
- Pagination bypass allowing unusually large data pulls without rate limits
- Cross-origin resource sharing (CORS) misconfiguration enabling credentialed requests from any origin
- Unauthenticated endpoints exposing comments, reports, and follower data
In addition to raw data, the package allegedly contains working proof-of-concept exploits, including scripts designed to automate data extraction until vulnerabilities are patched.
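As an added illustration (not taken from the article, the leaked package, or Polymarket's code), the JavaScript below shows server-side guards for two of the weakness classes listed above: CORS that allows credentialed requests from any origin, and pagination parameters accepted without bounds. The allowlisted origin, the limits, and all function names are assumptions.

```javascript
// Added illustration: guards for two weakness classes named in the list above.
// Every name, origin and limit here is an assumption, not Polymarket's.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist
const MAX_LIMIT = 100;     // assumed hard cap on page size
const DEFAULT_LIMIT = 20;  // assumed page size when the client sends none
const MAX_OFFSET = 10000;  // assumed cap on how deep offset paging may go

// Weak pattern: reflect whatever Origin the client sent and allow credentials.
function weakCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only exact-match allowlisted origins receive CORS headers.
function strictCorsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" }; // no allow headers, so the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Parse a query value as a non-negative integer; null means "reject".
function parseCount(value, fallback) {
  if (value === undefined) return fallback;
  if (typeof value !== "string" || !/^\d{1,9}$/.test(value)) return null;
  return Number(value);
}

// Validate limit/offset instead of passing client values to the data layer.
function parsePagination(query) {
  const limit = parseCount(query.limit, DEFAULT_LIMIT);
  const offset = parseCount(query.offset, 0);
  if (limit === null || offset === null) return { ok: false, error: "invalid pagination" };
  if (limit < 1 || offset > MAX_OFFSET) return { ok: false, error: "out of range" };
  return { ok: true, limit: Math.min(limit, MAX_LIMIT), offset };
}
```

Clamping page size only bounds a single response; per-client rate limiting and authentication on the endpoint are still needed to bound total volume.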
Referenced vulnerabilities
The disclosure references multiple known weaknesses, including an Axios-related proxy bypass enabling server-side request forgery and a middleware authentication bypass affecting Next.js applications. Additional issues cited include insufficient validation on pagination parameters and exposure of API routes that could be queried without proper access controls.
The exploit package is also said to contain a structured report mapping the attack techniques to established threat frameworks, along with additional data dumps.
Questions around disclosure and response
The threat actor claims that no prior disclosure was made to the platform and alleges the absence of a bug bounty program. These assertions have not been independently verified.
As of now, there has been no confirmed public response from Polymarket addressing the claims or verifying the authenticity of the leaked data.
Broader implications
If verified, the incident would highlight risks tied to API security in crypto-native platforms, particularly those handling user-linked wallet data and large-scale market infrastructure.
The exposure of both user profiles and market mechanics could raise concerns about privacy, platform integrity, and potential misuse of on-chain and off-chain data connections.
