
Polymarket Rejects Data Breach Claims as Hacker Alleges 300K Records Stolen
Why It Matters
If the claims are accurate, the exposure of user identities linked to crypto wallets could erode trust in DeFi marketplaces; even a scraping incident underscores the need for tighter API controls and proactive bug‑bounty programs.
Key Takeaways
- Hacker Xorcat claims extraction of 300,000 records via API and pagination flaws
- Polymarket denies breach, says data is publicly on blockchain and likely scraped
- Alleged dump includes 10k profiles, 250k market entries, admin address
- Incident underscores need for stronger API security and bug‑bounty incentives
Pulse Analysis
Polymarket, the leading decentralized prediction market, found itself at the center of a data‑security controversy in late April 2026. A self‑styled hacker, Xorcat, posted what they claim is a 2.24 GB dump containing 300,000 records on a cybercrime forum, citing exploitation of undocumented API endpoints, a pagination bypass in the platform’s central limit order book, and a CORS misconfiguration. The leak allegedly includes 10,000 user profiles, extensive market data, and an internal admin address, prompting immediate concern among traders who fear their on‑chain activity could be linked to real‑world identities.
Technical analysts note that Xorcat references two high‑severity CVEs—CVE‑2025‑62718 (Axios NO_PROXY bypass, CVSS 9.9) and CVE‑2024‑51479 (Next.js middleware authentication bypass, CVSS 7.5)—to bolster the credibility of the claim. However, Polymarket’s response frames the incident as a classic data‑scraping episode rather than a true breach, emphasizing that the blockchain inherently makes transaction data public. The platform points to its recently launched bug‑bounty program, which has already attracted hundreds of reports, as evidence of proactive security stewardship.
Regardless of the factual accuracy, the episode serves as a cautionary tale for the broader DeFi ecosystem. As prediction markets and other crypto‑native services scale, they must reconcile the transparency of blockchain data with user privacy expectations. Strengthening API authentication, regularly auditing third‑party libraries, and maintaining an active bug‑bounty framework are essential steps to mitigate reputational risk and comply with emerging regulatory scrutiny. Users, meanwhile, should consider using privacy‑preserving wallets and avoid linking personally identifiable information to on‑chain addresses.