- Threat actor claims over 300,000 Polymarket records extracted using API flaws and exploits.
- Polymarket denies breach, says all referenced data is publicly accessible via APIs and on-chain.
- Dispute highlights tension between data scraping claims and decentralized transparency model.
Dark Web Informer, a cybercrime watcher on X, highlighted a major data breach at Polymarket. He alleges that over 300,000 records were extracted using API weaknesses. Meanwhile, Polymarket has denied the claim, stating the data is publicly accessible.
Alleged Data Leak and Exploit Details
A cyber threat actor identified as “xorcat” has alleged a large-scale data extraction involving Polymarket. The claim appeared on a cybercrime forum and was amplified by Dark Web Informer on X.
According to the post, the actor released a dataset containing more than 300,000 records, alongside an exploit kit and technical documentation. The dataset includes a wide range of platform data. This includes about 10,000 user profiles with details such as names, pseudonyms, bios, profile images, and wallet-linked addresses.
The release also lists over 250,000 active market records, 48,000 gamma markets, and thousands of comments tied to user accounts.
Additional records include follower profiles, internal user identifiers, and reports linked to Ethereum addresses. The total dataset size was described as roughly 750 MB in extracted form. A compressed version of about 8.3 MB was also shared.
Methods and Vulnerabilities Cited
Notably, the actor claims the data was obtained through multiple technical weaknesses. These include undocumented API endpoints, pagination bypass, and a cross-origin resource sharing misconfiguration.
The post also referenced several vulnerabilities, including an authentication bypass in Next.js middleware and a server-side request forgery issue linked to Axios.
Proof-of-concept exploits were included in the release. The package also includes an automated script that continuously extracts fresh data from the platform. According to the actor, some endpoints were accessible without authentication and could be queried repeatedly without rate limits.
The post further claims that certain endpoints exposed full user profiles, social connections, and activity logs. These assertions have not been independently verified.
Polymarket Denies Any Breach
However, Polymarket has rejected the claims and disputed the characterization of the incident. In its response, the company said no private data was leaked or compromised. It stated that all referenced information is already publicly accessible through its APIs and blockchain-based systems.
The platform emphasized that transparency is a core feature of decentralized infrastructure. It argued that the data in question can be accessed freely without exploiting any protected systems. The company described the claims as a misrepresentation of how its platform operates.
Polymarket also addressed claims that it lacks a bug bounty program. It confirmed that it operates an active program with rewards of up to $5 million for critical findings. The company clarified that accessing public endpoints does not qualify as a vulnerability under its rules.
Related: How AI Crypto Scammers Drained a Retiree’s $300K Savings
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/polymarket-rejects-claims-of-300k-data-breach/
