Polymarket has forcefully denied claims of a massive data breach after reports surfaced alleging that user data linked to the leading prediction market platform appeared on dark-web channels. The company stated that the information cited by the alleged hacker is publicly accessible via its APIs and on-chain sources, and that no internal systems were compromised.
The allegations, first circulated on April 27, 2026, via posts on DarkForums and flagged by cybersecurity firm Vecert Analyzer, involved a threat actor using the handle 'xorcat.' The individual claimed to have breached Polymarket and stolen over 300,000 records, including 10,000 user profiles with names, images, proxy wallets, and base addresses tied to accounts. The hacker also claimed to have exploited undocumented API endpoints and a CORS misconfiguration in Gamma and CLOB APIs, and suggested they had breached other prediction markets.
Polymarket rejected the claims outright, calling them 'complete and utter nonsense.' The platform argued that no data was leaked because all referenced information is accessible through public endpoints and blockchain data — a design feature the company touted as a core aspect of its transparency. The company questioned the hacker's motives, asking 'Which VC paid you to post this?'
Security experts have also questioned the breach narrative. Vladimir S, chief security officer at Legalblock, expressed skepticism, noting that 'it appears someone parsed data and is trying to present it as a [DB] leak.'
The incident comes amid a broader rise in cyber incidents in the crypto sector. Blockchain security firm Hacken reported that Web3 projects lost $482 million to hacks and scams in the first quarter of 2026, with 44 incidents recorded. Polymarket itself noted that it launched a bug bounty program on April 16 — before the alleged hacker claimed its absence motivated the scrape — and has already received 446 reports as of the latest update.
Polymarket maintained that no internal systems were breached and that developers can retrieve the same information through official APIs without payment. The platform urged users to follow standard security precautions, such as updating passwords and enabling two-factor authentication, while monitoring official communications.
