Polymarket Denies Data Breach After Hacker Claims to Sell 300,000 User Records

Prediction markets platform Polymarket has rejected claims of a security breach after a hacker posted on the dark web claiming to have stolen over 300,000 user records, calling the allegations “complete and utter nonsense” and stating the information is publicly accessible.

A hacker using the pseudonym “xorcat” posted on DarkForums on Tuesday claiming to have breached Polymarket and stolen data including 10,000 unique user profiles with full names, profile images, proxy wallets and base addresses. Cybersecurity company Vecert Analyzer and several X accounts that track dark web activity shared screenshots of the post.

Polymarket strongly denied the breach claims, stating the data the hacker is attempting to sell is already available through public application programming interfaces and on-chain data. “You compromised our platform by accessing publicly accessible API endpoints & on-chain data and checks notes are trying to sell the data we offer developers for free?” Polymarket said in an X post.

The prediction market platform emphasized that its blockchain-based transparency is intentional, not a vulnerability. “Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug,” Polymarket stated. “No data was leaked, it’s accessible via our public endpoints & on-chain data.”

The alleged hacker claimed to have extracted the data through undocumented API endpoints, pagination bypass and CORS misconfiguration on Polymarket’s Gamma and CLOB APIs. Xorcat stated the data was being posted because Polymarket didn’t have a bug bounty program.

See also: North Korean Hackers Deploy AI-Powered Social Engineering in $100K Zerion Attack

However, Polymarket does maintain an active bug bounty program that launched on April 16 and has received 446 reports as of Wednesday. The platform pointed users to access its data for free through official APIs instead of paying the alleged hacker.

The hacker also claimed to have breached other prediction markets and planned to release additional data over the coming days. No other platforms have publicly confirmed any breaches at this time.

Several cybersecurity experts have expressed skepticism about the breach claims. Vladimir S, a threat researcher and chief security officer at Legalblock, said it appears “someone parsed data and is trying to present it as a [DB] leak. It does not seem probable to me.”

The incident comes amid a surge in crypto-related security incidents in April. Blockchain security company Hacken reported earlier this month that Web3 projects lost $482 million to hacks and scams in the first quarter of 2026 across 44 incidents, putting many in the industry on high alert.

Cryptocurrency wallet exploits and platform breaches have become an increasing threat to digital asset investors and users. Personal wallet compromises accounted for 37% of the value stolen in 2025, according to Chainalysis data, excluding major exchange hacks.

Polymarket’s response highlights a key distinction between traditional web platforms and blockchain-based services. While conventional platforms treat user data as private and confidential, blockchain platforms by design operate with public, transparent data that anyone can access and verify.

The prediction markets platform, which allows users to bet on future events and has gained significant traction during election cycles and major news events, emphasized this transparency as a core feature of its architecture. All wallet addresses and transactions are viewable on the blockchain by design.

The alleged hacker’s attempt to sell publicly available data raises questions about the sophistication of the operation. Security researchers note that parsing publicly accessible API endpoints and on-chain data does not constitute a breach, as this information is intentionally made available by the platform.

As of Wednesday afternoon, Polymarket confirmed no private user information such as email addresses, passwords, or financial details beyond public wallet addresses had been compromised. The platform continues to operate normally with no service disruptions reported.