Thursday, April 30, 2026

Polymarket Rejects Breach Claim, Says Data Was Publicly Accessible


Polymarket has denied claims that its systems were hacked after a seller alleged that more than 300,000 user records had been stolen. The platform called the allegation “complete and utter nonsense,” arguing that the data being marketed was already available through public on-chain records and Polymarket’s public APIs.

The dispute highlights a growing privacy challenge for blockchain-native platforms: information can be publicly auditable without being privately breached. For investors, product teams and compliance officers, that distinction affects incident reporting, user trust, privacy obligations and how platforms define their true data-exposure surface.

Seller Claims API Weaknesses, Polymarket Calls It Aggregation

The seller, using the handle “xorcat,” claimed to have aggregated data including full profiles, wallet addresses and internal identifiers. The alleged dataset was said to include roughly 300,000 records and 10,000 full profiles with names and images.

The seller also claimed access through undocumented API endpoints, pagination bypasses and CORS misconfigurations in Polymarket’s Gamma and CLOB APIs. The bundle was reportedly offered for sale in Monero, with asking prices said to reach as high as $25,000.

Polymarket rejected that framing. In a post on X, the company said: “Part of the beauty of being on-chain is all our data is publicly auditable — this is a feature not a bug. No data was leaked; it’s accessible via our public endpoints and on-chain data.”

That defense reframes the incident as scraping and repackaging rather than unauthorized access. Polymarket also pointed to its bug bounty program, launched on April 16, 2026, and said it had received hundreds of reports, including 446 submissions as of its latest update.

Transparency Still Creates Privacy Risk

Independent researchers appeared skeptical of the breach narrative. Vladimir S., chief security officer at Legalblock, said the evidence suggested the information had been parsed from public sources and then “repackaged as a database leak,” rather than extracted from a compromised internal database.

Even so, the episode raises real operational questions. Public APIs and on-chain data can still expose user relationships, wallet activity and behavioral patterns in ways that feel invasive to users, even if no internal system was compromised. Public availability does not eliminate privacy risk.

A true breach may trigger incident-reporting obligations, while public aggregation may instead raise questions around disclosures, data minimization and whether users understood what information could be reconstructed from open sources.

Polymarket’s next credibility test will come through technical follow-up. Market participants will watch for bug-bounty disclosures, independent audit findings and any API changes that clarify the boundary between public transparency and sensitive user metadata. The broader issue will remain: decentralized platforms must make on-chain auditability useful without allowing public data aggregation to undermine user trust.
