Polymarket Dismisses Data Breach, Says Hacker Sells Public Data
Polymarket refutes a dark web hacker's claim of a data breach, asserting the allegedly stolen records are publicly available via APIs and blockchain. The incident highlights crypto's heightened security alert after $482 million in Q1 hack losses.
Quick Take
Hacker claims to have stolen 300K Polymarket user records.
Polymarket dismisses breach, says data is public via APIs and on-chain.
Security experts doubt the claim, noting public data is being resold.
Incident occurs amid $482M in crypto hack losses in Q1 2026.
Market Impact Analysis
NeutralThe incident appears to be a false claim; confirmed public data, so limited market impact.
Speculation Analysis
Key Takeaways
- Polymarket dismissed a hacker's claim of stealing 300,000 user records as "complete and utter nonsense"
- The alleged breach data is already publicly accessible via Polymarket's APIs and on-chain data
- Security researchers cast doubt on the claim, suggesting public data is being resold as a leak
- The incident occurs amid a spike in crypto hacks, with $482 million lost in Q1 2026
What Happened
On Tuesday, a dark web hacker using the pseudonym "xorcat" claimed to have breached prediction market Polymarket, boasting 300,000 stolen records including 10,000 unique user profiles. Polymarket swiftly denied the breach, calling it "complete and utter nonsense." The platform stated the data in question is publicly accessible via its APIs and on-chain data. The hacker, posting on DarkForums, cited a lack of a bug bounty program as motivation, despite Polymarket having launched one on April 16 with 446 reports already received. Security experts quickly expressed skepticism, noting the data appears to be publicly available information rebranded as a breach. The claim triggered a brief alert in the crypto community, already on edge after a surge in hacks.
The Numbers
The hacker alleged over 300,000 records stolen, with 10,000 unique profiles containing full names, profile images, proxy wallets, and base addresses. Polymarket's bug bounty program, launched April 16, has already attracted 446 reports, indicating active security engagement. Meanwhile, the broader crypto industry suffered $482 million in losses from hacks and scams in Q1 2026 across 44 incidents, according to Hacken. This context made the claim resonate, but experts like Vladimir S of Legalblock called it improbable, suggesting parsed public data being passed off as a database leak.
Why It Happened
The incident stems from misunderstanding of blockchain transparency. Polymarket, like many Web3 platforms, exposes data via public APIs and on-chain records for auditability. The hacker claimed to exploit undocumented API endpoints, pagination bypass, and CORS misconfiguration on Gamma and CLOB APIs. However, Polymarket noted this is a feature, not a bug: all data is publicly auditable. The hacker's pitch鈥攕elling freely available data鈥攁ppears to be a scheme to monetize public information. The crypto community's heightened security alert, following recent hacks, amplified the false claim before it was debunked.
Broader Impact
While the breach proved false, the episode highlights ongoing tensions around API access controls and bug bounty programs in crypto. Polymarket may review its API exposure to prevent similar resale attempts. The incident also underscores the need for users to understand what data is inherently public on blockchain platforms. For the industry, it's a reminder that transparency can be weaponized as misinformation.
What to Watch Next
- Polymarket's potential API access changes in response to the resale attempt
- Whether the hacker follows through on threats to release data from other prediction markets
- The crypto industry's bug bounty adoption rate amid rising security concerns
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
漏 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
