Polymarket hacked by xorcat, 300,000 records and exploit tools exposed; platform responds: it was designed to be public
動區 BlockTempo, 2026-04-29 03:53:24

As the leading prediction market Polymarket is in talks for a $400 million funding round at a $15 billion valuation, threat actor xorcat publicly leaked over 300,000 user records on a cybercrime forum on April 27, along with a complete exploit kit, claiming to have extracted the data at scale by bypassing API pagination and exploiting CORS misconfigurations. Polymarket denied the breach, stating that all data is "publicly accessible by design", but this denial is unlikely to quell concerns regarding KYC data security and trust in prediction market regulation.

(Previous coverage: Polymarket in talks for $400M funding, valuation hits $15B: ICE invested $600M last month, prediction markets enter Wall Street frenzy)

(Background: The "Hand of God" at Polymarket: Frequent prediction controversies and the black box of adjudication under the "centralization" dilemma)

The leading prediction market, valued at $15 billion and currently raising significant capital, has been dealt a heavy blow at its most sensitive moment.

On April 27, 2026, a threat actor calling themselves xorcat posted on a well-known cybercrime forum, claiming to have successfully breached Polymarket and leaking over 300,000 user records, along with a complete exploit kit and functional PoC scripts. This information was first disclosed on X by security intelligence account Dark Web Informer, sparking widespread discussion in the crypto community.

‼️ Polymarket, the decentralized prediction market platform, has allegedly been breached, with 300,000+ records and an exploit kit leaked on a popular cybercrime forum. The actor states Polymarket has no bug bounty program and was not notified.
‣ Threat Actor: xorcat ‣… pic.twitter.com/UAmCL46pk3
— Dark Web Informer (@DarkWebInformer) April 28, 2026

According to xorcat's forum post, this data extraction was not a brute-force hack, but rather an exploitation of three key design flaws in Polymarket's API infrastructure:

- Undocumented endpoints: Direct access to the database layer via hidden interfaces not listed in official documentation.
- Weak pagination controls: Passing 999,999 into the limit parameter of the CLOB trading API, bypassing intended query caps to batch-extract all records at once without triggering any rate limiting.
- CORS misconfiguration: Cross-Origin Resource Sharing settings allowed credentialed cross-origin requests, theoretically enabling attackers to initiate requests by impersonating legitimate users.

In the post, xorcat stated that they did not notify Polymarket beforehand, citing a straightforward reason: "The platform has no bug bounty program."

Polymarket has categorically denied the allegations. The platform claims that the data "leaked" by xorcat is essentially "publicly accessible on-chain and API data," emphasizing that its on-chain architecture is designed for public auditability and that data can be freely obtained via public endpoints, with no private information compromised.

This argument is not entirely without technical merit: the core logic of prediction markets is indeed built on transparency, and on-chain transaction records are intended to be publicly verifiable. However, critics immediately pointed out that "data being public by design" and "data being systematically aggregated into tradeable datasets circulating on crime forums" are two very different things. Furthermore, a CORS misconfiguration allowing credentialed cross-origin requests is certainly not part of a "normal public design."

The most ambiguous aspect of Polymarket's denial lies in the status of KYC (Know Your Customer) data. Since Polymarket was approved by the CFTC to return to the U.S. as a "Designated Contract Market," U.S. users must complete a full KYC process, submitting their names, Social Security Numbers (SSN), and addresses. If the 300,000 leaked records contain any KYC fields, the severity would far exceed the platform's dismissive definition of "public data." Currently, Polymarket has not provided a clear explanation regarding whether KYC data was included in the leak.

This incident is not the first time Polymarket has faced a security crisis. Over the past few months, the platform has accumulated three major incidents:

- December 2025: Third-party authentication breach, leading to the compromise of accounts even with 2FA enabled, resulting in financial losses for multiple users.
- January 2026: Polycule, a Telegram trading bot on Polymarket, was attacked, resulting in a loss of $230K.
- February 2026: Off-chain nonce manipulation attack targeting automated trading bots.

Three incidents in three months, coupled with this latest cloud over its API security, form a clear pattern: Polymarket's security infrastructure has failed to keep pace with
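
The pagination and CORS flaws listed in the forum post map to two server-side controls and one audit check, sketched here as an added example that is not code from Polymarket or from the article. The page-size cap, default, and allowed origin are assumed values, and all function names are hypothetical.

```python
# Added example; limits and origins below are assumed, not Polymarket's.
MAX_PAGE_SIZE = 500                             # assumed hard cap per response
DEFAULT_PAGE_SIZE = 100                         # assumed default page size
ALLOWED_ORIGINS = {"https://app.example.com"}   # hypothetical first-party origin


def clamp_limit(raw):
    """Page size the server will honour, regardless of what the client sent."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return min(n, MAX_PAGE_SIZE) if n >= 1 else DEFAULT_PAGE_SIZE


def cors_headers(origin):
    """CORS headers for a credentialed endpoint: exact allowlist match only."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # stop caches reusing one origin's answer for another
        }
    return {}  # no CORS headers: the browser refuses the cross-origin read


def audit_cors(request_origin, response_headers):
    """Findings for a response observed after sending `request_origin`."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    if h.get("access-control-allow-credentials", "").lower() != "true":
        return []  # credentialed requests are not allowed: nothing to flag here
    findings = []
    if acao == "*":
        findings.append("wildcard-with-credentials")
    elif acao == "null":
        findings.append("null-origin-with-credentials")
    elif acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("reflected-untrusted-origin")
    return findings


# Constructed sample: a response that echoes whatever Origin it was sent.
REFLECTING = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print(clamp_limit("999999"))
    print(audit_cors("https://untrusted.example", REFLECTING))
```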