-
Polymarket rejected dark web hacker xorcat’s data breach claims, stating the 300,000+ records advertised for sale on DarkForums were already publicly accessible through open APIs and on-chain blockchain data.
-
The platform proved the hacker wrong about its bug bounty program, which has already received 446 vulnerability reports.
-
Security experts expressed doubt about the breach, with one researcher stating the situation looks like repackaged public data rather than an actual database compromise.
Polymarket, a decentralized prediction market platform, has rejected the allegations of a data breach on its customers with vigor.
A user on the dark web, going by the name “xorcat,” made claims that they had stolen more than 300,000 users’ data and are selling the data on a cybercrime forum.
The hacker’s post, which appeared on DarkForums, alleged the stolen data included approximately 10,000 unique user profiles with full names, profile images, proxy wallet addresses, and base addresses.
Polymarket responded swiftly, calling the claims “complete and utter nonsense” and dismissing the supposed breach as nothing more than publicly accessible information.
Platform Says Hacker Merely Collected Publicly Available Data
Polymarket explained that all the information cited by xorcat already sits on public blockchains or remains accessible through its open APIs. The company stated that developers and users can freely access this data without any payment or special authorization.
The platform mocked the hacker’s claims on social media, questioning which venture capital firm paid for such a misleading post.
Not all dark web data claims are as easily dismissed. The alleged sale of 58 million Indonesian students’ records represents a genuine breach of private educational data, highlighting the difference between repackaged public information and actual stolen personal data from vulnerable populations.
Polymarket highlighted that all data is publicly auditable by design since they are on-chain, meaning the hacking allegations are inaccurate due to transparency being a positive feature instead of potential security vulnerabilities.
Vladimir S, the chief security officer at Legalblock, was skeptical about the statements of the hacker. The researcher suggested the situation looks like someone simply parsed public data and repackaged it as a database leak rather than exposing any genuine compromise.
Hacker’s Technical Claims Include API Exploits and Bug Bounty Criticism
Xorcat claimed to have extracted the data using unauthorized API endpoints, a CORS misconfiguration, and a pagination bypass in the Gamma and CLOB APIs of Polymarket. The hacker also alleged the platform lacks a bug bounty program; he justified the public disclosure on those grounds.
However, Polymarket proved this claim false. The platform launched an actively running bug bounty program on Cantina on April 16, this year, just days before the hacker’s post went public. According to the Cantina report, the current number of reported vulnerabilities is 446.
Allegedly, the leaked proof-of-concept code was part of several published exploits. There was evidence in the exploit regarding an Axios Proxy Bypass with a CVSS score of 9.9 and a Next.js Middleware Authentication Bypass.
Regulatory and Security Pressure on Polymarket Continues
Polymarket is under severe regulatory and safety pressure, amid recent claims of data breaches. The Department of Justice and the Commodity Futures Trading Commission are using recent incidents to advocate for additional regulation of prediction markets by seeking further oversight of these types of financial devices.
Regulators are worried about the potential effects of such platforms on spreading classified material for gain. The present episode, no matter the legitimacy of it, exposes many traders, including several notable members of society, to the risk of a phishing or harassment campaign.
Last year, Polymarket had numerous legitimate security issues. For example, in December, the company made updates to its platform to prevent a large-scale compromise of accounts via Discord through a flaw within a third-party authentication provider. Additionally, in November last year, a phishing attack in Polymarket’s comment section caused users to lose over $500,000.
While the company still claims that its system is sound and operates securely within a competent and capable environment, the individual responsible for breaking into their platform has also threatened to make available records from a number of other prediction market sites in the next few days. However, no independent company has confirmed the information in the hacker’s claim.
