
300,000 users’ data leaked in a bundled breach; Polymarket remains trapped in its “public data” defense

The platform insists that all content is public data and no private information has been leaked.
Author: Claude, TechFlow
TechFlow Intro: On April 27, a hacker using the pseudonym “xorcat” uploaded a compressed package to a cybercrime forum. The package contained over 300,000 records scraped from Polymarket, five functional exploit scripts, and two CVE-level vulnerabilities—totaling approximately 750 MB of raw data.
The blockchain threat intelligence account Dark Web Informer disclosed the incident on X the following day. Polymarket responded the same day, stating that the data involved “was already accessible via public APIs,” and characterized the incident as a “feature,” not a breach. However, its official statement did not directly address the API misconfigurations or exploit details outlined by the hacker.

On April 27, an attacker operating under the alias “xorcat” uploaded a compressed package to a cybercrime forum: an 8.3 MB JSON file that expands to roughly 750 MB upon decompression, containing over 300,000 scraped records from Polymarket, five working proof-of-concept (PoC) exploit scripts, and a technical report.
Polymarket responded the same day—but not with the typical crisis-management apology and investigation. Instead, it issued a near-provocative rebuttal. Its official X account posted a tongue-in-cheek message suggesting all relevant data was accessible via public endpoints and on-chain sources, declaring, “This is a feature, not a bug.”
The incident thus evolved into a he-said-she-said standoff: the hacker insists this was an uncoordinated, public disclosure of a data-extraction attack, explicitly citing several API misconfigurations; the platform maintains all data was publicly available and no private information was compromised.
Attack Pathway: “A Series of Unlocked Doors”
According to xorcat’s forum post, the attack did not rely on any single sophisticated vulnerability but rather resembled walking through a series of unlocked doors. As reconstructed by cybersecurity media The CyberSec Guru, the attack primarily exploited three issues: undocumented API endpoints, pagination bypass in the CLOB (Central Limit Order Book) trading API, and a misconfigured CORS (Cross-Origin Resource Sharing) policy.
Public reports indicate that multiple Polymarket endpoints require no authentication whatsoever. For example, the comments endpoint allows brute-force enumeration of complete user profiles; the reports endpoint exposes user activity data; and the followers endpoint permits anyone—even without logging in—to map the full social graph associated with any wallet address.
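The access pattern described above (an unauthenticated client walking the comments, followers and reports endpoints page by page, requesting page sizes far larger than the web client ever uses, with no rate limit to stop it) is something a platform can spot in its own access logs. The following is an added detection example, not Polymarket's code; the log line format, the endpoint paths and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (not real Polymarket logs).
# Format assumed: client method path+query status auth
SAMPLE_LOG = """\
10.0.0.5 GET /comments?limit=100&offset=0 200 anon
10.0.0.5 GET /comments?limit=100&offset=100 200 anon
10.0.0.5 GET /comments?limit=100&offset=200 200 anon
10.0.0.5 GET /followers?wallet=0xabc&limit=5000&offset=0 200 anon
10.0.0.5 GET /followers?wallet=0xabc&limit=5000&offset=5000 200 anon
10.0.0.5 GET /reports?limit=100&offset=0 200 anon
10.0.0.9 GET /comments?limit=20&offset=0 200 user:42
10.0.0.9 GET /markets?limit=20&offset=0 200 user:42
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<auth>\S+)$")
# Endpoints that return profile-bearing data (per the reconstruction above).
SENSITIVE = {"/comments", "/followers", "/reports"}

def parse_line(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    qs = parse_qs(url.query)
    def num(key):
        try:
            return int(qs.get(key, ["0"])[0])
        except ValueError:
            return 0
    return {"client": m["client"], "path": url.path, "limit": num("limit"),
            "offset": num("offset"), "anon": m["auth"] == "anon"}

def find_scrapers(log_text, max_page_size=100, sweep_threshold=3):
    """Flag clients that request oversized pages or sweep offsets anonymously."""
    offsets = defaultdict(lambda: defaultdict(set))  # client -> path -> offsets seen
    oversized = defaultdict(int)                      # client -> oversized-page count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in SENSITIVE:
            continue
        if rec["limit"] > max_page_size:      # pagination cap being bypassed
            oversized[rec["client"]] += 1
        if rec["anon"]:                        # unauthenticated enumeration
            offsets[rec["client"]][rec["path"]].add(rec["offset"])
    findings = {}
    for client in set(offsets) | set(oversized):
        swept = sorted(p for p, o in offsets[client].items() if len(o) >= sweep_threshold)
        if swept or oversized[client]:
            findings[client] = {"oversized_pages": oversized[client], "swept_endpoints": swept}
    return findings
```

Run against the sample, the anonymous client 10.0.0.5 is flagged for two oversized follower pages and a sweep of the comments endpoint, while the logged-in client 10.0.0.9 is not.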
What Exactly Was in the 300,000+ Records?
xorcat’s forum post, along with reconstructions by The CyberSec Guru and The Crypto Times, shows that the leaked dataset is broadly organized into three categories: users, markets, and attack tools (see the data card below).
The user-side dataset includes 10,000 distinct user profiles containing names, nicknames, bios, profile avatars, proxy wallet addresses, and underlying wallet addresses. Another 9,000 follower records allow mapping of social relationships. 4,111 comment entries each include attached user profiles. Among 1,000 report records, 58 unique Ethereum addresses are referenced. Internal user ID fields such as createdBy and updatedBy appear scattered throughout, indirectly reconstructing parts of the platform’s account architecture.
The market-side dataset covers 48,536 markets from Polymarket’s Gamma system (including full metadata, condition IDs, and token IDs), over 250,000 active CLOB markets (with FPMM contract addresses), 292 events listing internal usernames and wallet addresses of submitters and arbitrators, and 100 reward configurations—including USDC contract addresses and daily payout rates.
Wallet addresses are inherently anonymous on-chain—but when paired with names, bios, and avatars, that anonymity collapses instantly. This is the core controversy Polymarket’s response failed to address:
Whether data is “public” is fundamentally different from whether aggregated data still preserves user identity.

“This Is a Feature, Not a Bug”: Polymarket’s Rebuttal
Polymarket’s sole response on X, posted on April 28, consisted of a single tweet. It opened with the emoji “😂”, questioned the use of the term “breach,” then systematically countered each claim: on-chain data is inherently publicly auditable; no data was “leaked”; identical information had always been freely obtainable via public APIs—no payment required. It concluded by definitively labeling the situation: “This is a feature, not a bug.”
The Crypto Times noted in its coverage that Polymarket’s response did not directly engage the hacker’s specific technical allegations—including API misconfigurations, CORS misconfigurations, undocumented endpoints, and missing rate-limiting controls. The platform aggressively contested only the most easily refutable point—“Was the data public?”—while remaining silent on the more critical security issue: “Did attackers extract and package data at scale via unintended pathways?”
xorcat stated they had not notified Polymarket in advance, citing the platform’s lack of a bug bounty program. This claim has yet to be independently verified—but if true, it highlights a notable gap in Polymarket’s proactive security governance: without formal responsible disclosure channels, attackers are incentivized to publish exploits publicly rather than report them internally.

This Isn’t Polymarket’s First Security Incident
Looking back at the timeline: From August to September 2024, multiple users who logged into Polymarket via Google accounts reported thefts of their USDC. Attackers exploited the proxy function call in Magic Labs’ SDK to divert user balances to phishing addresses. Polymarket’s customer support confirmed at least five such incidents by the end of September.
In November 2025, hackers used Polymarket’s comment section to distribute phishing links. When clicked, these links installed malicious scripts on users’ devices, resulting in cumulative fraud losses exceeding $500,000.
In December 2025, another wave of mass account compromises occurred. Polymarket confirmed the incident on Discord, attributing it to “a vulnerability in a third-party identity verification service.” Social media discussions widely pointed to users who signed in via Magic Labs email, though Polymarket did not publicly name the affected service provider nor disclose the number of impacted users or total loss figures.
After each incident, the platform issued responses of varying degrees: some blamed third-party providers; others acknowledged issues and pledged to contact affected users. The xorcat incident marks the first time Polymarket has deployed “this data was always public” as its sole line of defense. Viewed historically, this response appears less like conventional security incident management—and more like a contest over how the event itself should be defined.
As of publication, Polymarket has not released any statements regarding remediation of the specific technical vulnerabilities disclosed by xorcat, and the PoC scripts remain publicly downloadable from the forum.