Dark Web Claims Polymarket Hack, But the Platform Fires Back
Polymarket has dismissed claims of a data breach after a threat actor known as xorcat posted 300,000 records on a cybercrime forum. The decentralized prediction market said the data is publicly available through its APIs and on-chain history.
The actor, surfaced by the Dark Web Informer monitoring account, claimed to have extracted user profiles, comments, market data, and exploit code. Polymarket responded, calling the disclosure a feature rather than a vulnerability.
Polymarket User Data Leaked?
The forum post advertised a 750 MB pack containing roughly 10,000 user profiles, 4,111 comments, 48,536 markets from Polymarket's Gamma API, and more than 250,000 active markets from its CLOB API.
The actor also included follower lists, reward configurations, and internal user identifiers.
Beyond the raw data, the package allegedly bundled proof-of-concept exploits. These covered an Axios proxy bypass tracked as CVE-2025-62718, a CORS misconfiguration on the CLOB API, a Next.js middleware authentication bypass, and a pagination flaw that the seller said accepted unlimited query sizes.
The post framed the dump as proof of broken access controls across Polymarket and claimed the platform had no bug bounty program and was never notified before publication.
Polymarket’s Response
Polymarket pushed back within hours. In a statement on X, the platform said all data flagged in the post is auditable on-chain or reachable through its documented endpoints.
"Part of the beauty of being on-chain is all our data is publicly auditable… it's a feature, not a bug. No data was 'leaked' — it's accessible via our public endpoints & on-chain data."
The team added that researchers do not need to pay a forum seller for this. The data is already published by the protocol for free. The team pointed users to its API documentation.
Bug Bounty Limits
Polymarket also rebutted the claim that no bug bounty exists. The platform highlighted its $5 million program hosted with Cantina, while clarifying that scraping public API endpoints does not qualify for any reward.
Eligible submissions involve verified vulnerabilities affecting funds, contracts, or private user data.
The dispute mirrors a recurring tension across prediction markets and other on-chain platforms. Transparent ledgers often blur the line between disclosure and discovery.
Polymarket's stance suggests it sees little risk in continuing to expose market activity. The response may shape how future findings around the platform are reported.
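A practitioner reading the "CORS misconfiguration on the CLOB API" claim next to the bounty's "private user data" criterion would want a quick way to separate the two. The Python below is an added example written for this page, not code from Polymarket, Cantina, or the forum post; the response headers are constructed samples and the attacker origin is an assumption. It classifies one CORS response the way a triage would: origin reflection on an endpoint that serves only public, unauthenticated data is the "feature, not a bug" case, while reflection plus allowed credentials on an endpoint that returns private data is the kind of finding a bounty pays for.

```python
"""Triage a "CORS misconfiguration" claim against an HTTP API.

Added example for this page. The sample headers are constructed, the
attacker origin is assumed, and the decision logic is the editor's,
not Polymarket's or Cantina's.
"""

from typing import Mapping

PROBE_ORIGIN = "https://attacker.example"  # assumed attacker-controlled origin


def _header(resp: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in resp.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def cors_triage(probe_origin: str, resp: Mapping[str, str], private_data: bool) -> str:
    """Classify one response to a request that carried `Origin: probe_origin`.

    Returns one of:
      "no-cors"            no Allow-Origin header; browsers block cross-origin reads
      "pinned"             Allow-Origin names some other fixed origin; not reflected
      "wildcard"           Allow-Origin: *; browsers never send credentials with it
      "reflected-public"   origin reflected (or 'null'), but the data is public anyway
      "reflected-no-creds" origin reflected, private data, but credentials not allowed,
                           so a victim's session cannot be ridden from another site
      "exploitable"        origin reflected or 'null' + credentials + private data
    """
    acao = _header(resp, "Access-Control-Allow-Origin")
    creds = _header(resp, "Access-Control-Allow-Credentials").lower() == "true"

    if not acao:
        return "no-cors"
    if acao == "*":
        return "wildcard"
    if acao not in (probe_origin, "null"):
        return "pinned"
    if not private_data:
        return "reflected-public"
    return "exploitable" if creds else "reflected-no-creds"


# Constructed probes: (label, response headers, does the endpoint return private data?)
SAMPLE_PROBES = [
    ("public-markets", {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                        "Access-Control-Allow-Credentials": "true"}, False),
    ("account-orders", {"access-control-allow-origin": PROBE_ORIGIN,
                        "access-control-allow-credentials": "true"}, True),
    ("prices", {"Access-Control-Allow-Origin": "*"}, False),
    ("profile-json", {"Content-Type": "application/json"}, True),
    ("web-app", {"Access-Control-Allow-Origin": "https://app.example",
                 "Access-Control-Allow-Credentials": "true"}, True),
]


def triage_all(probes=SAMPLE_PROBES) -> dict:
    """Run the classifier over every constructed probe and map label -> verdict."""
    return {label: cors_triage(PROBE_ORIGIN, hdrs, private) for label, hdrs, private in probes}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label:16} {verdict}")
```

The `private_data` flag is the part no header can tell you: it has to come from reading what the endpoint actually returns to an authenticated session. Reflection on a public read API is noise, which is the distinction the bounty scope above draws.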
The post Dark Web Claims Polymarket Hack, But the Platform Fires Back appeared first on BeInCrypto.
