Polymarket Dismisses Alleged Data Breach as Public Information Already Available Online
Dark Web Claims Spark Security Concerns
A recent controversy has erupted in the cryptocurrency world after a person claiming to be a hacker posted on dark web forums alleging they had successfully breached Polymarket, a popular prediction markets platform. The individual, operating under the pseudonym “xorcat,” made bold claims about stealing a substantial amount of user data, sparking immediate concern across the crypto community. Cybersecurity company Vecert Analyzer, along with several social media accounts that regularly monitor dark web activity, shared screenshots from DarkForums showing xorcat’s claims. According to the posts, the alleged hacker claimed to have obtained over 300,000 records from Polymarket’s systems, including approximately 10,000 unique user profiles containing sensitive information such as full names, profile images, proxy wallets, and base addresses. The timing of these claims couldn’t be worse for the industry, as April has seen a concerning spike in cryptocurrency-related hacks and exploits, putting the entire sector on heightened alert and making companies and users alike more vigilant about security threats.
Polymarket’s Firm Rebuttal
Polymarket wasted no time in responding to these allegations, delivering a forceful and unambiguous denial of any actual data breach. The company characterized the hacker’s claims as “complete and utter nonsense,” asserting that the information allegedly stolen was already publicly accessible through legitimate channels. In a statement that reflected both confidence and a touch of sarcasm, Polymarket explained that their platform operates on blockchain technology, which by design makes transaction data publicly auditable and transparent. This transparency, they emphasized, is not a vulnerability but rather a fundamental feature of blockchain-based systems. The company went further by pointing out the irony of the situation, questioning why someone would attempt to sell data that Polymarket already provides to developers free of charge through publicly accessible API endpoints and on-chain data. In what appeared to be a jab at potential competitors or bad actors, Polymarket even quipped, “Which VC paid you to post this?” suggesting that the alleged breach might be an attempt to damage the company’s reputation rather than a genuine security incident. The company’s response highlighted an important distinction in the blockchain world: the difference between a genuine security breach involving protected private information and simply accessing publicly available data that exists by design on transparent blockchain networks.
The Nature of Blockchain Transparency
Polymarket’s defense centers on a crucial aspect of blockchain technology that many outside the cryptocurrency space might not fully understand: the inherent transparency of blockchain systems. In traditional centralized platforms, user data is stored in private databases that should only be accessible to authorized personnel with proper credentials. However, blockchain-based platforms operate differently, with transaction data and certain user information being recorded on public ledgers that anyone can view and verify. This transparency serves important purposes, including allowing users to verify transactions, enabling developers to build complementary applications, and ensuring accountability in the system. Polymarket emphasized this point in their response, stating: “Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug. No data was leaked, it’s accessible via our public endpoints & on-chain data. Instead of paying for the data, you can access it for free via our APIs.” This explanation highlights how what might appear to outsiders as a security failure is actually the normal functioning of a blockchain-based platform. The company provides this data freely to developers and researchers through documented application programming interfaces (APIs), making any attempt to “steal” and sell this information essentially pointless and fraudulent. However, this situation also raises questions about user privacy expectations and whether platform users fully understand what information about their activities is publicly accessible when they participate in blockchain-based services.
Technical Claims and Industry Context
The alleged hacker provided specific technical details about how they supposedly accessed Polymarket’s data, claiming to have exploited undocumented API endpoints, pagination bypass techniques, and CORS (Cross-Origin Resource Sharing) misconfiguration on Polymarket’s Gamma and CLOB APIs. These technical terms refer to potential vulnerabilities in how web applications communicate with servers and manage data requests. Undocumented API endpoints are system access points that developers might not have intended for public use, pagination bypass refers to techniques for accessing more data than intended through sequential data requests, and CORS misconfiguration can potentially allow unauthorized websites to access data from a different domain. Xorcat also claimed that the motivation for posting this information publicly stemmed from Polymarket’s alleged lack of a bug bounty program—a system where companies reward security researchers for responsibly reporting vulnerabilities. However, this claim was quickly proven false, as Polymarket actually does maintain an active bug bounty program that launched on April 16 and had already received 446 reports by Wednesday, demonstrating that the company takes security seriously and provides legitimate channels for researchers to report genuine vulnerabilities. The hacker also made additional claims about breaching other prediction market platforms and threatened to release that data in the coming days, though no evidence has been provided to substantiate these assertions. This incident occurs against a backdrop of genuine security concerns in the cryptocurrency industry, with blockchain security firm Hacken reporting that Web3 projects lost a staggering $482 million to hacks and scams across 44 separate incidents just in the first quarter of 2025, making the community understandably sensitive to any reports of potential breaches.
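The CORS point above is where "public data" and "breach" separate, so here is an added example (not code from Polymarket or from the original article) that classifies the CORS headers a server returns to a request carrying an untrusted Origin. The probe origin and the three sample responses are constructed for illustration and do not represent real Gamma or CLOB API responses.

```javascript
// Constructed probe origin: stands for a site that is on no allowlist.
const PROBE_ORIGIN = "https://untrusted.example";

function classifyCors(responseHeaders, probeOrigin = PROBE_ORIGIN) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const allowOrigin = h["access-control-allow-origin"];
  // Browsers honour only the exact value "true" for this header.
  const credentials = h["access-control-allow-credentials"] === "true";
  const variesOnOrigin = (h["vary"] || "").toLowerCase().split(",")
    .map((s) => s.trim()).includes("origin");

  if (allowOrigin === undefined) {
    return { severity: "none", reason: "no CORS grant; browsers block cross-origin reads" };
  }
  if (allowOrigin === "*") {
    // Browsers refuse wildcard plus credentials, so only anonymous data is readable.
    return { severity: "info", reason: "wildcard; exposes only what an anonymous client already gets" };
  }
  // "null" is sent by sandboxed documents, so granting it is as broad as reflection.
  const untrustedGranted = allowOrigin === probeOrigin || allowOrigin === "null";
  if (untrustedGranted && credentials) {
    return { severity: "high", reason: "untrusted origin may read authenticated responses" };
  }
  if (untrustedGranted) {
    return variesOnOrigin
      ? { severity: "info", reason: "reflected without credentials; equivalent to wildcard" }
      : { severity: "low", reason: "reflected without Vary: Origin; shared caches may mix responses" };
  }
  return { severity: "none", reason: "grant is limited to a fixed origin other than the probe" };
}

// Constructed sample responses, one per outcome worth distinguishing.
const SAMPLES = {
  "public-market-data": { "Access-Control-Allow-Origin": "*" },
  "account-endpoint": {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  },
  "fixed-allowlist": { "Access-Control-Allow-Origin": "https://app.example" },
};

function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = classifyCors(headers).severity;
  return out;
}
console.log(auditSamples());
```

Only the "high" case lets another site read data that requires a logged-in session; a wildcard on an endpoint that serves the same data to anonymous clients discloses nothing new.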
Expert Skepticism and Analysis
Security experts in the cryptocurrency field have largely expressed doubt about the legitimacy of xorcat’s claims, with several specialists weighing in to provide their professional assessments. Vladimir S, who serves as both a threat researcher and chief security officer at Legalblock, offered his analysis suggesting that the alleged breach appears to be nothing more than someone collecting publicly available data and attempting to misrepresent it as a database leak from a security compromise. His statement—“It does not seem probable to me”—reflects the skepticism that experienced security professionals feel when examining the evidence presented. This expert opinion aligns with Polymarket’s own assertions and suggests that the incident may be an attempt to create fear, uncertainty, and doubt (commonly known as FUD in the crypto community) rather than representing a genuine security threat. The distinction matters significantly because real data breaches involving private information like passwords, financial details, or personal identification documents require immediate action from affected users, while the collection of publicly available blockchain data poses no such risk. Security professionals understand that in the blockchain ecosystem, certain information is meant to be public and transparent, and accessing this information through normal means doesn’t constitute hacking in any meaningful sense. The response from both Polymarket and independent security experts suggests a coordinated effort to educate the public about the difference between legitimate security breaches and attempts to sensationalize normal blockchain operations for attention or to damage a company’s reputation.
Broader Implications for Crypto Security
This incident, regardless of its ultimate legitimacy, serves as an important reminder of the complex security landscape facing cryptocurrency platforms and their users. The surge in crypto-related hacks and exploits during April has created an environment where every security claim receives heightened attention, sometimes making it difficult to separate genuine threats from false alarms or deliberate misinformation campaigns. For users of blockchain platforms, this situation highlights the importance of understanding what information is public by design and what should remain private. When participating in blockchain-based services, users should be aware that transaction histories, wallet addresses, and related data are typically visible on public ledgers—this is fundamental to how these systems operate and verify transactions without requiring a central authority. However, truly private information like passwords, private keys, email addresses (when not voluntarily shared), and off-chain personal details should never be publicly accessible and would represent a genuine security breach if exposed. The crypto industry continues to mature in its approach to security, with more platforms implementing bug bounty programs, conducting regular security audits, and educating users about best practices for protecting their accounts and assets. For Polymarket specifically, their swift and detailed response to these allegations demonstrates the kind of transparency and communication that users should expect from reputable platforms. As the prediction markets platform continues to grow and gain mainstream attention, particularly during election cycles and major events, it will likely remain a target for both legitimate security researchers and bad actors seeking attention or attempting to manipulate markets through fear. 
The company’s emphasis on the intentional transparency of blockchain systems, combined with their active bug bounty program and engagement with the security community, suggests they’re taking a responsible approach to balancing the open nature of blockchain technology with the need to protect genuinely private user information.













