Polymarket Debunks 'Breach' Claims, Citing Public On-Chain Data as 'Feature, Not a Bug'

Polymarket Denies Breach, Calls Public Data a 'Feature'
Prediction market Polymarket has pushed back forcefully against recent claims of a significant data breach, asserting that a self-proclaimed hacker is merely repackaging and attempting to monetize information already transparently available on-chain and through its public APIs. The incident highlights a critical distinction in the blockchain space: the difference between a genuine security compromise and the inherent public nature of distributed ledger technology.
The Allegation: 'xorcat' Claims 300,000 Records Stolen
The controversy ignited when a dark web persona, operating under the pseudonym 'xorcat,' posted on DarkForums, claiming to have infiltrated Polymarket's systems. The alleged hacker boasted of stealing over 300,000 records, including 10,000 unique user profiles complete with full names, profile images, proxy wallets, and base addresses. Xorcat further detailed the supposed methods of extraction, citing undocumented API endpoints, pagination bypasses, and CORS misconfigurations on Polymarket's Gamma and CLOB APIs. A key part of the hacker's narrative was the assertion that Polymarket lacked a bug bounty program, a common incentive for ethical hackers to report vulnerabilities.
Polymarket's Rebuttal: Transparency as a Shield
Polymarket's response was swift and unequivocal. The platform dismissed the breach claims as "complete and utter nonsense," clarifying that the data 'xorcat' was attempting to sell is, in fact, publicly auditable on the blockchain and freely accessible via their developer APIs. "Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug," Polymarket stated, emphasizing that "No data was leaked, it's accessible via our public endpoints & on-chain data."
Crucially, Polymarket also debunked the hacker's claim regarding a bug bounty program. The platform confirmed it launched a live bug bounty on April 16, which had already received 446 reports by the time the breach claims surfaced. This detail further undermines the credibility of the hacker's narrative, suggesting a lack of due diligence or an intentional misrepresentation of facts.
Expert Skepticism and Broader Implications
The incident quickly drew scrutiny from cybersecurity experts. Vladimir S, a threat researcher and CSO at Legalblock, expressed significant doubt, suggesting it appears "someone parsed data and is trying to present it as a [DB] leak. It does not seem probable to me." This expert assessment aligns with Polymarket's stance, reinforcing the idea that the 'breach' is a mischaracterization of publicly available information.
This episode serves as a timely reminder for the wider crypto community, particularly amid a surge in crypto-related hacks and exploits in early 2026, which saw Web3 projects lose $482 million in Q1 alone. For traders and investors, it underscores the importance of understanding the inherent transparency of blockchain technology. While on-chain data offers unparalleled auditability, it also means that certain activities and associated public addresses are, by design, visible to all. For builders and protocol developers, it highlights the need for clear communication about what data is public versus private, and robust API security practices, even for publicly available endpoints, to prevent misinterpretation or exploitation.
Ultimately, Polymarket's firm denial and the expert skepticism surrounding the claims reinforce a core tenet of decentralized systems: transparency. While this transparency can sometimes be misconstrued as vulnerability, it is often a foundational security feature, allowing for public scrutiny and auditability that centralized systems lack.
Key points:
• Polymarket denies a data breach, stating the alleged hacker is selling publicly available on-chain and API data, not private user information.
• The platform emphasizes that data transparency is a "feature, not a bug" of its blockchain-based operation, making certain user activities and addresses public by design.
• Polymarket confirmed an active bug bounty program, contradicting the hacker's claims and further undermining the credibility of the alleged breach.
• Security experts are skeptical, suggesting the incident is likely data parsing rather than a true system compromise.
• The event highlights the unique nature of data transparency in blockchain, reminding users and platforms about the public visibility of on-chain activity and the potential for misinterpreting public data as a breach.
FAQ
What is the difference between a data breach and publicly available on-chain data?
A data breach typically involves unauthorized access to private, sensitive information stored on a platform's servers. Publicly available on-chain data, conversely, refers to information that is inherently visible and auditable on a blockchain, such as transaction details, wallet addresses, and certain user interactions, which are designed to be transparent and accessible to anyone.


