300,000 user records exposed in Polymarket security breach, sparking intense controversy


Blowup Alert, 04-29 14:43

Blockchain threat intelligence account Dark Web Informer disclosed the incident the following day on X. Polymarket responded on the same day, stating that the involved data "was already accessible via public APIs," characterizing the event as a "feature" rather than a breach. However, the official statement did not directly address the specific API misconfigurations and exploit details listed by the hacker.


On April 27, an attacker operating under the alias "xorcat" uploaded a compressed archive to a darknet cybercrime forum: an 8.3MB JSON file that expanded to approximately 750MB after decompression, containing over 300,000 records extracted from Polymarket, five functional proof-of-concept (PoC) exploit scripts, and a technical report.

Polymarket responded the same day, but not with a conventional crisis-PR apology or an investigation. Instead, the platform's official account on X issued a pointedly defiant rebuttal, asserting that all of the content could be accessed through public endpoints and on-chain data and labeling it "a feature, not a vulnerability."

The incident thus escalated into a narrative standoff: the hacker insists this was an unauthorized extraction whose results were then released publicly, pointing specifically to several API misconfigurations; the platform maintains that all of the data was already publicly available and that no private information was exposed.

Attack Vector: "A Series of Unlocked Doors"

As described by xorcat in the forum post, the attack did not rely on any single complex vulnerability but resembled passing through a series of unlocked doors. According to a reconstruction by cybersecurity media The CyberSec Guru, the attack primarily exploited three categories of issues: unpublished API endpoints, pagination bypass in the CLOB (Central Limit Order Book) trading API, and a CORS (Cross-Origin Resource Sharing) misconfiguration.

Public reports indicate that multiple Polymarket endpoints required no authentication at all. For example, the comment endpoint enabled brute-force enumeration of complete user profiles; the report endpoint exposed user activity data; and the followers endpoint allowed anyone, without logging in, to map the full social graph of any wallet address.
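As a defender's illustration of the issues listed above, the following is an added Python example written for this article (it is not Polymarket's code and does not reproduce any of the published PoC scripts). It shows the server-side gates that would close each of the "unlocked doors" in the reconstruction: a mandatory authentication check on endpoints that return per-user data, a pagination clamp so that a caller cannot walk an entire table by raising `limit` or stepping `offset` indefinitely, an exact-match CORS origin allow-list, and a per-client rate limiter (the missing rate limiting is raised later in the piece). The endpoint paths, limits, origins, and the header names used to identify clients are all assumptions chosen for illustration.

```python
# Added example (not Polymarket's code): minimal server-side gates for a
# public JSON API, covering endpoints reachable without authentication,
# unbounded pagination, a permissive CORS policy, and missing rate
# limiting. Endpoint names, limits and origins are assumptions.
from dataclasses import dataclass, field

MAX_PAGE_SIZE = 100        # assumption: hard cap on `limit`, whatever the client asks for
MAX_OFFSET = 10_000        # assumption: offsets past this are refused outright
ALLOWED_ORIGINS = {"https://app.example.test"}   # constructed allow-list
# Endpoints that must never answer without a valid session or API key (assumption).
AUTH_REQUIRED = {"/comments", "/reports", "/followers"}


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def clamp_pagination(params):
    """Return the (limit, offset) the server will honour, or None if invalid.

    A client sending limit=1000000, or walking offset=0,100,200,... until
    the table is exhausted, must not be able to dump the whole data set.
    """
    try:
        limit = int(params.get("limit", 20))
        offset = int(params.get("offset", 0))
    except (TypeError, ValueError):
        return None
    if limit < 1 or offset < 0 or offset > MAX_OFFSET:
        return None
    return min(limit, MAX_PAGE_SIZE), offset


def cors_headers(origin):
    """CORS headers for a request Origin: exact allow-list match only.

    Unknown origins get no CORS headers, and a wildcard is never combined
    with credentials, so another site cannot read the response through a
    logged-in user's browser.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",   # stop caches serving one origin's answer to another
        }
    return {}


class RateLimiter:
    """Fixed-window request counter per client key; `now` (seconds) is
    passed in rather than read from the clock so behaviour is testable."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._windows = {}   # key -> (window_start, count)

    def allow(self, key, now):
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0   # window expired, start a fresh one
        if count >= self.max_requests:
            self._windows[key] = (start, count)
            return False
        self._windows[key] = (start, count + 1)
        return True


def is_authenticated(req):
    # Assumption: bearer-token auth; a real service would validate the token.
    return req.headers.get("Authorization", "").startswith("Bearer ")


def handle(req, limiter=None, now=0.0):
    """Apply the gates in order: rate limit, authentication, pagination, CORS."""
    client = req.headers.get("X-Forwarded-For", "unknown")   # assumption: set by the proxy
    if limiter is not None and not limiter.allow(client, now):
        return Response(429, {}, "rate limited")
    if req.path in AUTH_REQUIRED and not is_authenticated(req):
        return Response(401, {}, "authentication required")
    page = clamp_pagination(req.params)
    if page is None:
        return Response(400, {}, "invalid pagination")
    limit, offset = page
    return Response(200, cors_headers(req.headers.get("Origin")), f"limit={limit} offset={offset}")
```

The ordering in `handle` matters: the rate limiter runs first so that unauthenticated probing is throttled before any other work is done, and the pagination clamp is applied server-side regardless of what the client requested, which is the property that stops a bulk walk of the table even when each individual request is legitimate.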

What Was Actually Inside the 300K+ Records?

xorcat's forum post and the analyses from The CyberSec Guru and The Crypto Times indicate that the leaked package was broadly organized into three categories: users, markets, and attack tools (refer to the data cards below).

User-side data includes 10,000 distinct user profiles containing names, nicknames, bios, profile pictures, proxy wallet addresses, and underlying wallet addresses. 9,000 follower records allow social relationships to be mapped. 4,111 comment entries each include the associated user profile. Among 1,000 report records, 58 unique Ethereum addresses were identified. Internal user ID fields such as createdBy and updatedBy appear throughout, allowing parts of the platform's internal account structure to be reconstructed indirectly.

Market-side data encompasses 48,536 markets from Polymarket’s Gamma system (including full metadata, condition IDs, token IDs), over 250,000 active CLOB markets (with FPMM contract addresses), 292 events with internal usernames and wallet addresses of submitters and adjudicators, and 100 reward configurations including USDC contract addresses and daily payout rates.

Wallet addresses are inherently anonymous on-chain, but when paired with names, bios, and profile pictures, anonymity collapses instantly. This is the core controversy that Polymarket’s response conspicuously sidestepped:

Whether data is “public” and whether aggregated data can still protect user identity are two fundamentally different questions.


"This Is a Feature, Not a Vulnerability": Polymarket’s Rebuttal

On April 28, Polymarket posted a single tweet on X. The response began with an emoji “😂,” questioning the term “hacked,” then systematically refuted each claim: on-chain data is inherently auditable, no data was “leaked,” and identical information could have been freely obtained via public APIs without payment. The entire statement concluded with the characterization: “This is a feature, not a vulnerability.”

The Crypto Times noted in its coverage that Polymarket's response failed to engage directly with the specific technical allegations raised by the hacker: API misconfigurations, CORS errors, unpublished endpoints, and missing rate limiting. While the platform aggressively asserted that the data was public, it remained silent on the more critical security issue, namely that an attacker had been able to batch-extract and package the data through pathways that were never intended for that use.

xorcat also stated they did not notify Polymarket beforehand, citing the absence of a bug bounty program. While this claim remains unverified by third parties, if accurate, it reflects a gap in Polymarket’s proactive security governance: lacking a formal responsible disclosure channel, attackers are incentivized to publish exploits publicly rather than report them internally.


This Isn’t Polymarket’s First Security Incident

Looking back at the timeline, between August and September 2024, multiple users who logged in via Google accounts reported losses of USDC. Attackers exploited a proxy function call within the Magic Labs SDK to redirect user balances to phishing addresses. Polymarket’s customer support confirmed at least five such incidents by late September.

In November 2025, hackers posted phishing links in Polymarket’s comment section; clicking these led to malicious scripts being implanted on users’ devices, resulting in cumulative losses exceeding $500,000 from related scams.

In December 2025, another wave of mass account theft occurred. Polymarket confirmed the event on Discord, attributing it to a “vulnerability in a third-party identity authentication service.” Social media discussions widely pointed toward users logging in via Magic Labs email, though the platform did not name the affected service provider nor disclose the number of impacted users or total financial loss.

After each incident, Polymarket issued a different kind of response: some blamed third-party vendors, others acknowledged the issue and promised to contact affected users. The xorcat incident marks the first time the platform has defended itself entirely on the argument that "this was always public data." Seen against that history, the response looks less like standard security-incident management and more like a strategic recharacterization of the event's nature.

As of publication, Polymarket has not provided any remediation details for the specific technical vulnerabilities disclosed by xorcat, and the PoC scripts remain downloadable by anyone on the forum.

Author: Claude, DeepFlow TechFlow

Disclaimer: Contains third-party opinions, does not constitute financial advice
