Key Highlights
- Polymarket says the reported 300K-record “leak” consists of publicly accessible on-chain and API data, with no private information compromised.
- The alleged dataset was reportedly compiled using undocumented API endpoints, weak pagination controls, and misconfigurations, alongside an exploit kit shared on a cybercrime forum.
- While Polymarket calls the claims misleading, critics argue large-scale aggregation of public data, and the methods used, raise security and privacy concerns that remain unaddressed.
Prediction market platform Polymarket has denied claims of a security breach after reports surfaced that more than 300,000 records and an exploit kit were leaked on a cybercrime forum.
The disclosure, flagged by Dark Web Informer in an X post on Tuesday, attributes the incident to an actor identified as “xorcat.” The dataset is said to have been extracted on April 27, 2026, using a combination of undocumented API access points and misconfigurations.
Platform says data is public, not leaked
Polymarket pushed back on the characterization of the incident, stating that the data referenced in the leak is publicly accessible by design.
In a post on X, the platform said its on-chain architecture makes data auditable and available through public endpoints. It added that no private data was compromised and that the same information can be accessed freely through its APIs, framing the claims as a misrepresentation of how its system works.
What the leak allegedly contains
Despite the denial, the dataset described by the threat actor is said to include a large volume of platform data, spanning user profiles, activity records, and market information.
The reported material includes around 10,000 user profiles with associated metadata such as names, pseudonyms, bios, profile images, and wallet-linked addresses. It also references thousands of comments tied to user accounts, extensive records from Gamma and central limit order book markets, and event-level data containing Ethereum addresses and internal usernames.
Other elements in the dataset reportedly map follower relationships, reward configurations linked to USDC contracts, and internal identifiers embedded within platform metadata, which could allow reconstruction of user activity patterns.
Technical claims behind the extraction
The threat actor claims the dataset was assembled by exploiting gaps in Polymarket’s API infrastructure. These include the use of undocumented endpoints, weak pagination controls that allowed large-scale data extraction, and cross-origin resource sharing (CORS) settings that allegedly permitted credentialed requests from unrestricted sources.
Some endpoints were also described as accessible without authentication, including those tied to comments, reports, and follower data. The leak package reportedly includes automated scripts capable of continuously extracting data until such access points are restricted.
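The two API settings named above, shown in defensive form as an added illustration (this is not Polymarket's code and not material from the disclosed package): a CORS policy that grants credentialed access only to exact allowlisted origins, and a server-side pagination clamp. The function names, the allowlisted origin and the limit values are assumptions chosen for the example.

```javascript
// Added illustration. ALLOWED_ORIGINS, the function names and the limits are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist

// Weak pattern: echo whatever Origin arrives and allow credentials with it.
function weakCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only exact allowlisted origins receive CORS headers.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Audit check: a credentialed response whose allowed origin is not on the allowlist.
function isRiskyCors(headers, allowed = ALLOWED_ORIGINS) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  return creds && acao !== undefined && !allowed.has(acao);
}

// Pagination clamp: the server, not the client, decides the page size and depth.
function clampPage(query, { maxLimit = 100, maxOffset = 10000 } = {}) {
  const limit = Number.parseInt(query.limit, 10);
  const offset = Number.parseInt(query.offset, 10);
  const safeLimit = Number.isInteger(limit) && limit > 0 ? Math.min(limit, maxLimit) : 20;
  const safeOffset = Number.isInteger(offset) && offset >= 0 ? offset : 0;
  if (safeOffset > maxOffset) return { ok: false, status: 400 };
  return { ok: true, limit: safeLimit, offset: safeOffset };
}
```

Running `isRiskyCors` over headers captured from each of your own endpoints gives a quick inventory of where the weak pattern is live.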
Referenced vulnerabilities and exploit kit
The disclosure cites multiple known vulnerabilities, including an Axios-related proxy bypass that could enable server-side request forgery and a middleware authentication bypass affecting Next.js applications.
It also points to insufficient validation of API parameters and exposure of endpoints without proper access controls. The shared package is said to include proof-of-concept exploits, a structured technical report, and additional datasets.
Gaps between claims and response
While Polymarket maintains that the data is public and not the result of a breach, its response does not directly address the specific technical claims related to API misconfigurations or exploit methods outlined by the threat actor.
The actor, for their part, claims no prior disclosure was made to the platform and alleges the absence of a bug bounty program, though these points remain unverified.
Wider context
The episode highlights ongoing tension between transparency in on-chain systems and expectations around data exposure. Even when data is technically public, the aggregation and structuring of large datasets can raise concerns about user privacy and platform safeguards.
The situation remains unresolved, with competing claims over whether the incident reflects a security failure or the reuse of openly accessible data.
