Dark Web Claims Polymarket Hack, But the Platform Fires Back

BeInCrypto, 2026-04-29 10:06:58

Polymarket has dismissed claims of a data breach after a threat actor known as xorcat posted 300,000 records on a cybercrime forum. The decentralized prediction market said the information is publicly available through its APIs and on-chain history.

The actor, surfaced by the Dark Web Informer monitoring account, claimed to have extracted user profiles, comments, market data, and exploit code. Polymarket responded, calling the disclosure a feature rather than a vulnerability.

Polymarket User Data Leaked?

The forum post advertised a 750 MB pack containing roughly 10,000 user profiles, 4,111 comments, 48,536 markets from Polymarket’s Gamma API, and more than 250,000 active markets from its CLOB API. The actor also included follower lists, reward configurations, and internal user identifiers.

Beyond the raw data, the package allegedly bundled proof-of-concept exploits. These covered an Axios proxy bypass tracked as CVE-2025-62718, a CORS misconfiguration on the CLOB API, a Next.js middleware authentication bypass, and a pagination flaw that the seller said accepted unlimited query sizes.

The post framed the dump as evidence of broken access controls across Polymarket and claimed the platform had no bug bounty program and was never notified before publication.

Polymarket’s Response

Polymarket pushed back within hours. In a statement on X, the platform said all data flagged in the post is auditable on-chain or reachable through its documented endpoints.

“Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was ‘leaked’ — it’s accessible via our public endpoints & on-chain data.”

The team added that researchers do not need to pay a forum seller for this. The information is already published by the protocol for free. The team pointed users to its API documentation.

Bug Bounty Limits

Polymarket also rebutted the claim that no bug bounty exists. The platform highlighted its $5 million program hosted with Cantina, while clarifying that scraping public API endpoints does not qualify for any reward. Eligible submissions involve verified vulnerabilities affecting funds, contracts, or private user data.

The dispute mirrors a recurring tension across prediction markets and other onchain platforms. Transparent ledgers often blur the line between disclosure and discovery.

Polymarket’s stance suggests it sees little risk in continuing to expose market activity. The response may shape how future findings around the platform are reported.