Polymarket has pushed back after a dark-web actor claimed to have obtained more than 300,000 platform records, arguing that the advertised material comes from public APIs and on-chain data rather than a private data breach.
The claim surfaced through Dark Web Informer, which flagged a cybercrime-forum post from an actor using the name xorcat. The listing allegedly offered a 750 MB package tied to Polymarket activity, including user profiles, comments, market data, follower lists, reward configurations, and internal identifiers. It also claimed to include proof-of-concept exploit material.
Polymarket’s developer account responded by mocking the breach framing, saying the actor had accessed publicly reachable API endpoints and on-chain records, then tried to sell data that developers can access for free. A separate Polymarket response said no private data had leaked and that the data being discussed is available through public endpoints and blockchain history.
The dispute sits in a gray area that is becoming more common for on-chain platforms. Polymarket’s architecture makes a large amount of market activity visible by design. Its market data documentation says market data is available through public REST endpoints without an API key, authentication, or wallet. The same documentation lists Gamma API endpoints for events, markets, profiles, tags, and discovery, alongside CLOB endpoints for prices and order books.
That supports Polymarket’s core response: collecting public data at scale is not the same as compromising a private database. On-chain prediction markets are built around transparent markets, tokenized positions, public settlement, and externally readable data.
The harder question is whether the alleged exploit toolkit points to anything beyond scraping. The forum post reportedly referenced API, CORS, pagination, and middleware issues. Those claims remain unverified until Polymarket, a security partner, or an independent researcher publishes technical evidence that a protected system, private endpoint, or sensitive user field was actually exposed.
The dark-web post also claimed Polymarket had no bug bounty program, but Polymarket’s own documentation says security vulnerabilities can be submitted through a Cantina bug bounty program. The same contracts page lists Polymarket’s deployed Polygon contracts, audit references for CTF Exchange V2, and security resources for researchers.
That distinction matters for researchers and threat actors. A real vulnerability affecting funds, contracts, authentication, private user data, or trading integrity belongs inside a responsible disclosure channel. Scraping public market data or pulling open API responses usually does not qualify as a security bug, even if the resulting dataset looks large.
The size of a dataset can still sound alarming to users. A file containing hundreds of thousands of records may look like a breach headline, especially when packaged on a cybercrime forum. But in crypto markets, record count alone is not enough. The key question is whether the data was already public, whether it could identify users beyond what Polymarket exposes by design, and whether any private account data, credentials, emails, payment details, or authentication secrets were included.
Polymarket’s response highlights a recurring tension for crypto applications. Public data is a feature when users want transparency, verifiability, and open developer access. The same data can become a public-relations problem when a threat actor aggregates it, repackages it, and markets it as a leak.
That does not mean platforms can ignore aggregation risk. Even public data can create privacy concerns when user profiles, wallet-linked activity, comments, positions, and market behavior are combined into searchable datasets. The security question may not be “was the chain hacked?” but “does the platform give users enough clarity about what activity is permanently public?”
For Polymarket, the stronger technical position is that no confirmed private data breach has been shown. The weaker communication point is that many users do not think like developers. If public API data can be bundled into a dark-web product, the platform still needs clear user-facing explanations about what information is public, why it is public, and what is not exposed.
Polymarket can close the gap by clarifying whether any of the alleged CORS, pagination, middleware, or proxy-bypass claims affect protected systems. It can also confirm whether the listed “internal identifiers” are private fields or ordinary platform IDs already exposed through public endpoints.
Polymarket denies a breach, says the data is public, and points to its open API model and on-chain transparency. The dark-web listing raises questions about data aggregation and platform messaging, but it has not yet proven that private user data was compromised.
The post Polymarket Pushes Back After Dark Web Actor Claims Data Breach appeared first on Crypto Adventure.
