The platform said the information mentioned by the so-called attacker was already publicly available through its APIs and on-chain blockchain data, not the result of unauthorized access. Polymarket also rejected claims that it lacked a bug bounty program. Security researchers also questioned the breach allegations, with some suggesting the data may have been scraped from public sources rather than leaked from internal systems. Polymarket Denies Leak Prediction markets platform Polymarket denied allegations that it suffered a customer data breach after claims surfaced on dark web forums that a hacker stole private user information. The controversy began when cybersecurity monitoring accounts and security researchers shared screenshots from DarkForums showing a user operating under the pseudonym “xorcat” claiming responsibility for the supposed breach. According to the post, the hacker alleged that more than 300,000 records were obtained, including around 10,000 unique user profiles. The claimed data reportedly included full names, profile images, proxy wallet information, and base addresses. These claims quickly attracted attention from the crypto community, particularly because the industry recently experienced an increase in cyberattacks, scams, and exploits. Polymarket responded publicly and dismissed the allegations, calling the breach claims “complete and utter nonsense.” The company stated that the information referenced by the hacker was not stolen private data, but instead consisted of information that was already publicly accessible through its open APIs and on-chain blockchain records. Polymarket argued that transparency is a core feature of blockchain-based systems, where transaction and market data can be openly audited by anyone. In a response on social media, the platform mocked the hacker’s claims by suggesting that publicly available data was simply collected and repackaged as if it were a leak. Polymarket explained that developers and users can already access a lot of this information for free through official endpoints. This means that no unauthorized breach of internal systems actually took place. The hacker also claimed the data was being released because Polymarket allegedly lacked a bug bounty program. However, this claim was contradicted by Polymarket as it launched an active bug bounty initiative on April 16 and already received hundreds of submissions by Wednesday. This weakened the credibility of the hacker’s narrative. Other claims from xorcat suggested that undocumented API endpoints, pagination bypass techniques, and CORS misconfigurations in Polymarket’s Gamma and CLOB APIs were used to gather the data. The hacker also said other prediction market platforms were compromised and threatened to release more information in the coming days. Despite the dramatic claims, several cybersecurity experts also expressed their skepticism. Vladimir S, a threat researcher and chief security officer at Legalblock, said the situation looked more like someone scraping publicly available information and falsely presenting it as a database leak rather than exposing any genuine compromise.
