Polymarket denies data breach claims by hacker Xorcat

Per HackRead, Polymarket, the world's largest decentralized cryptocurrency-based prediction market, has denied claims made by a hacker known as Xorcat, who alleged the theft of 300,000 user records. The alleged data, posted on April 27, 2026, on a cybercrime forum and Telegram, has been dismissed by Polymarket as fabricated.

Xorcat claimed to exploit several vulnerabilities, including undocumented API endpoints, a pagination bypass on the CLOB trading system by altering code to request nearly a million data points, and a CORS misconfiguration. The hacker also cited the exploitation of CVE-2025-62718 and CVE-2024-51479, which could allow bypassing login screens and accessing internal server data. The alleged leak includes user profiles with names and wallet addresses, follower profiles, comments, report records, and extensive market data from both Gamma and CLOB systems.

However, Polymarket stated that much of this data is publicly available due to its blockchain-based nature and suggested Xorcat likely scraped public information rather than executing a true data breach. The company pointed out that they have a bug bounty program, contradicting Xorcat's stated motivation for the leak. While Polymarket denies a breach, users are advised to be cautious about their public crypto wallet addresses being linked to their identities.

Source: HackRead