
Polymarket denies ‘xorcat’ breach claim, says dataset is public API and on-chain data
A dark-web seller alleged 300,000 records and 10,000 user profiles, but Polymarket called the claim “complete and utter nonsense.”
Polymarket is disputing a dark-web actor’s claim that more than 300,000 platform records were stolen, arguing the dataset is compiled from public API endpoints and on-chain data. The allegation is unverified in the material reviewed here, but it keeps platform-risk and user exposure in focus for prediction-market traders.
Key Takeaways
- A DarkForums user using the pseudonym “xorcat” claimed to be selling over 300,000 Polymarket records, including 10,000 unique user profiles with identifying fields.
- Polymarket rejected the breach narrative, calling it “complete and utter nonsense” and framing the dataset as information accessible through public API endpoints and on-chain records.
- The post alleged specific vectors involving undocumented endpoints, pagination bypass, and a CORS misconfiguration tied to Polymarket’s Gamma and CLOB APIs, but no independent validation is included.
- Polymarket was described as running a live bug bounty launched April 16 with 446 reports as of Wednesday, undercutting the actor’s claim that no bounty existed.
Polymarket Rejects ‘xorcat’ Breach Claim as Public-Data Scrape
Polymarket pushed back on a dark-web “breach” claim after screenshots circulated of a DarkForums post from a seller using the handle “xorcat.” The actor claimed to have breached Polymarket and stolen more than 300,000 records.
Polymarket’s response was categorical. The platform called the breach claim “complete and utter nonsense” and said the information being marketed is already available online via publicly accessible API endpoints and on-chain data.
That leaves the story, for now, as a credibility contest. The available material contains screenshots of the claim and Polymarket’s denial, but no forensic proof that any non-public customer data was accessed.
What the DarkForums Post Alleged: 300,000 Records, 10,000 Profiles, and API Misconfig Vectors
The DarkForums post attributed to “xorcat” described a dataset of “over 300,000 records,” including “10,000 unique user profiles” with “full names, profile images, proxy wallets and base addresses.” The actor also claimed the data was being posted because Polymarket didn’t have a bug bounty program.
On the technical side, the actor alleged the data was pulled via “undocumented API endpoints, pagination bypass and CORS misconfiguration” affecting Polymarket’s Gamma and CLOB APIs. An API endpoint is the interface a service exposes for software requests. A CORS misconfiguration is a web security settings error that can, in some cases, allow unauthorized websites to access data from an API. A CLOB, or central limit order book, is an exchange-style matching system for bids and offers.
None of those vectors is independently corroborated in the available material. Traders should treat the method claims as unverified until a third party reproduces them or Polymarket confirms a specific issue.
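Whether a CORS setting exposes anything beyond public data depends on which origin the API grants and whether credentials are allowed. The following is an added example, not code from Polymarket or from the post: it classifies response headers the way a browser would treat them, and every origin, header set and verdict name in it is constructed for illustration.

```javascript
// Added example. All origins and header sets below are constructed samples.
// probeOrigin stands for a site that is NOT on the API's intended allowlist.
function classifyCors(probeOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allowOrigin = h['access-control-allow-origin'];
  // The credentials flag is only honoured when it is the exact string "true".
  const withCreds = h['access-control-allow-credentials'] === 'true';
  const notes = [];

  if (!allowOrigin) return { verdict: 'same-origin-only', notes };
  if (allowOrigin === '*') {
    // Browsers refuse to expose a wildcard response to a credentialed request,
    // so only data served without cookies or HTTP auth is readable.
    if (withCreds) notes.push('wildcard plus credentials flag: credentialed reads still blocked');
    return { verdict: 'public-anonymous', notes };
  }
  // "null" is the origin of sandboxed documents, so granting it is granting anyone.
  const grantsUntrusted = allowOrigin === probeOrigin || allowOrigin === 'null';
  if (!grantsUntrusted) return { verdict: 'allowlisted', notes };

  const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  if (!vary.includes('origin')) notes.push('origin-dependent response without Vary: Origin');
  return {
    verdict: withCreds ? 'untrusted-origin-credentialed' : 'untrusted-origin-anonymous',
    notes,
  };
}

const PROBE = 'https://untrusted.example';
const SAMPLES = {
  publicFeed: { 'Access-Control-Allow-Origin': '*' },
  reflected: { 'Access-Control-Allow-Origin': PROBE, 'Access-Control-Allow-Credentials': 'true' },
  pinned: { 'Access-Control-Allow-Origin': 'https://app.example', Vary: 'Origin' },
  noCors: { 'Content-Type': 'application/json' },
};

function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = classifyCors(PROBE, headers).verdict;
  }
  return out;
}

console.log(auditSamples());
```

Only the `untrusted-origin-credentialed` verdict describes a setting that lets another website read a logged-in user's data; the other verdicts are consistent with an API that serves the same public data to everyone.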
Bug Bounty Timeline and Third-Party Skepticism From Legalblock’s CSO
One detail cuts against the actor’s stated motive. Polymarket was described as having a live bug bounty that started April 16 and had received 446 reports as of Wednesday, contradicting the claim that no bounty existed.
A public read from a security executive also leans toward “scraped/parsed” rather than “database compromise.” Vladimir S, a threat researcher and chief security officer at Legalblock, said it appears “someone parsed data and is trying to present it as a [DB] leak. It does not seem probable to me.”
Polymarket’s own framing was blunt and specific about the source of the data: “You compromised our platform by accessing publicly accessible API endpoints & on-chain data and *checks notes* are trying to sell the data we offer developers for free? Which VC paid you to post this?”
Signals Traders Should Monitor if More Data Drops in the ‘Next Few Days’
The immediate catalyst risk is whether “xorcat” follows through on the claim to release more data “over the next few days,” and whether any new drops contain non-public fields beyond what Polymarket says is available via APIs and on-chain records.
Polymarket’s next statements matter too, especially any clarification of what endpoints and fields are intentionally public, and whether the platform makes API configuration changes after the allegation.
The bug bounty is another live signal. If reports tied to the alleged vectors (undocumented endpoints, pagination bypass, CORS misconfiguration) get confirmed and remediated, that would shift the story from pure narrative conflict to a concrete security event.
Independent security researchers corroborating or disputing the “parsed public data” interpretation is the cleanest path to resolution.
Why ‘Public by Design’ Still Creates Real-World Exposure for Prediction-Market Users
Prediction markets sit in a market that is already jumpy about security headlines. Hacken reported $482 million in Web3 losses in Q1 2026 across 44 incidents, and that backdrop makes even unverified breach claims tradable as sentiment.
I don’t need a confirmed database leak to see the practical risk: “public by design” systems can still concentrate identity breadcrumbs when APIs, profiles, and on-chain addresses get stitched together. The threshold that matters is whether any released dataset proves access to non-public fields or privileged endpoints. If that line holds and the data is truly public, this looks more like a sentiment catalyst than a fundamental shift, but it still pressures user opsec and platform trust in a way that can hit activity and liquidity where it counts.