A hacker called Xorcat claims to have stolen a massive 300,000 records from Polymarket. It is the world’s largest decentralised cryptocurrency-based prediction market where users bet on world events. The alleged stolen data was posted on a cybercrime forum and Telegram on 27 April 2026. However, Polymarket has rejected these claims.
Hacker’s claims
Xorcat claims to have taken advantage of several flaws in the website’s code. One method involved using undocumented API endpoints. Another method was a pagination bypass on Polymarket’s CLOB (Central Limit Order Book) trading system.
Usually, a website only shows a small list of items at once to keep things fast, but the hacker, reportedly, found that by changing a number in the website’s code to 999,999, they could force the system to hand over almost a million pieces of data in one go.
Xorcat also mentioned exploiting a CORS misconfiguration- a security setting for Polymarket, which possibly wasn’t set up correctly, thus allowing a hacker to make requests as if they were a logged-in user.
Also, the hacker exploited the high-severity CVE-2025-62718 CVSS 9.9 (Axios NO_PROXY bypass) and CVE-2024-51479 CVSS 7.5 (Next.js middleware authentication bypass), which allows hackers to skip login screens or reach internal parts of the server that are supposed to remain private.
What was Found in the Files
The compressed version of the leak is smaller, but the total dump allegedly contains 2.24 GB of data, with 750MB of raw data compressed into 8.3MB of JSON files. A screenshot shared by the hacker reveals a profile_images folder and various data files like gamma_markets.json, gamma_metadata.json, and a massive 1.2GB file titled xorcat.deals polymarket clob_markets.json.
The data includes 10,000 user profiles with names, bios, and wallet addresses, which, when linked, can reveal a person’s private trading history. There are also 9,000 follower profiles, 4,111 comments, and 1,000 report records containing 58 unique ETH addresses. One specific detail, called admin_auth_addr, has raised questions about whether the hacker reached internal parts of the system.
On the market side, the data allegedly includes 48,536 markets from the Gamma system, over 250,000 active CLOB markets, 292 events with internal usernames, email addresses, wallet addresses for people who submit or settle bets, a hundred reward setups with USDC addresses, and daily payout rates. The leak even includes internal user IDs, which could show how the company’s internal accounts are structured.
Polymarket Fires Back
Polymarket has strongly denied that a breach happened, calling the claims total nonsense. They explained that because their platform uses a blockchain, much of the data is already out in the open for anyone to see. The company believes that the hacker simply copied this public data and now wants to gain the reputation of an expert hacker by making such claims.
Scraping Rather Than Theft
This appears to be a data scraping incident rather than data theft. In data scraping, attackers use software to quickly copy information that’s already public. The hacker’s claims are doubtful because xorcat also claims they released the data because Polymarket didn’t have a bug bounty program, whereas Polymarket has had a program since 16 April, and the company has already received hundreds of reports.
Therefore, it seems more likely that someone just gathered public data and repackaged it to look like a leak. Still, users should stay alert as their names might now be linked to their public crypto wallets.
