
Polymarket Denies xorcat Data Breach Claims, Says Stolen Records Are Public On-Chain Data
Key Takeaways
- Polymarket denies a data breach and says no private customer data was stolen.
- The data cited by attackers is described as publicly available on-chain data and APIs.
- Dark web posts under alias 'xorcat' claim 300,000 records; researchers question breach legitimacy.
Dark Web Claims vs Denial
Polymarket denied recent claims that its customer data was breached after a hacker using the pseudonym “xorcat” posted what the person claimed was a trove of private user details on dark web forums.
“Summary - Polymarket said recent hacking allegations were ‘complete nonsense’ and that there had been no data leak involving user information”
Cointelegraph reports that cybersecurity company Vecert Analyzer and several other X accounts shared screenshots from DarkForums on Tuesday showing xorcat claiming to have breached Polymarket.

In the post, xorcat said they had stolen over 300,000 records, including 10,000 unique user profiles with full names, profile images, proxy wallets and base addresses, according to Cointelegraph.
Polymarket called the claims of a data breach “complete and utter nonsense” and said the information the hacker posted is already available online, as Cointelegraph and CoinCentral both report.
Cointelegraph also quotes Polymarket saying, “You compromised our platform by accessing publicly accessible API endpoints & on-chain data and *checks notes* are trying to sell the data we offer developers for free? Which VC paid you to post this?”
CoinCentral similarly reports Polymarket’s statement that “No data was leaked, it’s accessible via our public endpoints & on-chain data,” and adds that developers can access the same information for free.
The dispute centers on whether what was posted constitutes a breach or a repackaging of information Polymarket says is publicly accessible by design.
What the Hacker Said
Multiple reports describe the dark web post as a claim of large-scale extraction and sale of data, with xorcat presenting details about what was taken and how it was obtained.
Cointelegraph says the hacker claimed to have stolen over 300,000 records and included “10,000 unique user profiles with full names, profile images, proxy wallets and base addresses.”

Cointelegraph also reports that xorcat said the data was pulled via “undocumented API endpoints, pagination bypass and CORS misconfiguration on Polymarket's Gamma and CLOB APIs,” and that the hacker planned to release the data in the next few days.
Cryptonews.net similarly describes the alleged dataset as including “full names, profile images, proxy wallet information, and base addresses,” and states that Polymarket called the breach claims “complete and utter nonsense.”
CoinCentral adds that the post claimed the data included “10,000 user profiles with names and images,” and that it lists “proxy wallets and base addresses tied to accounts.”
The Crypto Times reports that the disclosure, flagged by Dark Web Informer in an X post on Tuesday, attributes the incident to xorcat and says the dataset was extracted on “April 27, 2026,” using “undocumented API access points and misconfigurations.”
Across the coverage, the hacker’s narrative is that the data was gathered through technical pathways rather than simply observed, even as Polymarket disputes the characterization of a leak.
Bug Bounty and Public Data
A key point of contention in the reporting is whether Polymarket had a bug bounty program and how that relates to xorcat’s decision to post data publicly.
“The platform said the information mentioned by the so-called attacker was already publicly available through its APIs and on-chain blockchain data, not the result of unauthorized access”
Cointelegraph says the so-called hacker said the data was being posted because Polymarket didn’t have a bug bounty program, but it adds that Polymarket has a live bug bounty program that started April 16 and has received 446 reports as of Wednesday.
CoinCentral likewise states that the hacker said they scraped data because Polymarket lacked a bug bounty program, but that Polymarket launched a live bug bounty on April 16 and “received 446 reports as of Wednesday.”
Cointelegraph also quotes Polymarket’s argument that transparency is built into the platform, saying, “Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug. No data was leaked, it's accessible via our public endpoints & on-chain data.”
Coinpaper similarly reports that Polymarket rejected claims that it lacked a bug bounty program and said the information mentioned by the attacker was already publicly available through its APIs and on-chain blockchain data, not the result of unauthorized access.
The dispute therefore plays out as a clash between Polymarket’s “public endpoints & on-chain data” defense and the hacker’s claim that the extraction involved undocumented or misconfigured access paths.
Even where Polymarket insists no private data was leaked, the reporting shows that the hacker’s package is described as including exploit scripts and technical material, which Polymarket does not treat as evidence of a breach.
Skepticism from Security Researchers
Several reports include skepticism from security researchers who question whether the incident is truly a database leak rather than a scrape of publicly accessible information.
Cointelegraph says “Several security experts have expressed doubt,” and it quotes Vladimir S, a threat researcher and chief security officer at Legalblock, saying it appears “someone parsed data and is trying to present it as a [DB] leak. It does not seem probable to me.”

CoinCentral similarly identifies Vladimir S as chief security officer at Legalblock and includes the same quote about someone parsing data and presenting it as a database leak.
Coinpaper also frames the skepticism by stating that “Security researchers also questioned the breach allegations, with some suggesting the data may have been scraped from public sources rather than leaked from internal systems.”
The Crypto Times adds that Polymarket’s response “does not directly address the specific technical claims related to API misconfigurations or exploit methods outlined by the threat actor,” which leaves the technical dispute unresolved even as Polymarket argues the data was public.
Cointelegraph also notes that the crypto industry saw a sudden surge in crypto-related hacks and exploits in April, putting many in the space on high alert, and it ties that environment to heightened scrutiny of claims like xorcat’s.
Together, the quotes and figures show that the debate is not only about what was posted, but also about whether the alleged method indicates unauthorized compromise or simply large-scale extraction of data already available through public interfaces.
Broader Cyber Losses and Stakes
The Polymarket dispute is reported against a backdrop of broader cyber losses in Web3, with multiple outlets citing Hacken’s figures for the first quarter of 2026.
“Prediction markets platform Polymarket has denied recent reports that its customer data was breached after a hacker on the dark web posted what the person claimed was a trove of private user details”
Cointelegraph says blockchain security company Hacken reported earlier this month that Web3 projects lost $482 million to hacks and scams in the first quarter of 2026 across 44 incidents.

Cryptonews.net repeats that Hacken reported “$482 million” in losses during the first quarter of 2026 across “44 incidents,” and it ties the figure to a sudden surge in crypto-related hacks and exploits in April.
Cointelegraph also states that the crypto industry saw a sudden surge in crypto-related hacks and exploits in April, putting many in the space on high alert, which helps explain why the dark web claims were quickly amplified.
In the same reporting set, Cointelegraph quotes Polymarket’s challenge to the hacker’s motives, asking, “Which VC paid you to post this?” while the company insists the data is accessible via public endpoints and on-chain data.
The Crypto Times adds that the episode highlights “ongoing tension between transparency in on-chain systems and expectations around data exposure,” even when the data is technically public.
Across outlets, the combination of large claimed record counts, named technical pathways like “undocumented API endpoints” and “CORS misconfiguration,” and the cited industry-wide losses forms the context for why the dispute matters to security teams and users monitoring prediction markets.