Polymarket, a crypto-native prediction market that lets users bet on real-world events using stablecoins, appears to have been hit by a significant data breach. A threat actor going by the handle “xorcat” posted on a well-known cybercrime forum claiming to have pulled over 300,000 records from the platform, along with a full exploit kit and working proof-of-concept scripts for multiple vulnerabilities.
The actor says Polymarket was never contacted before the post went up. The reason given: no bug bounty program. Whether that’s justification or just an explanation depends on who you ask, but it’s worth noting that several of the vulnerabilities described are the kind that a responsible disclosure process might have quietly resolved months ago.
What makes this particular leak notable isn’t just the volume of records. It’s the nature of what was supposedly extracted and how.

How It Was Done
According to xorcat, the attack didn’t rely on any single clever exploit. It was more like walking through a series of unlocked doors. The methods listed include undocumented API endpoints, a pagination bypass on Polymarket’s CLOB (Central Limit Order Book) trading API, and a CORS misconfiguration that allowed cross-origin requests with credentials. Some of these are genuinely embarrassing for a platform handling real money.
The pagination bypass is particularly straightforward. By passing a limit parameter of 999,999 into an API call that should cap results at a reasonable number, the attacker was apparently able to bulk-extract market data without any rate limiting triggering. That’s not a zero-day. That’s a missing input validation check.
The CORS misconfiguration is arguably worse. A wildcard origin combined with credentials=true is a configuration that security documentation explicitly warns against. It means any website, from any domain, could make authenticated API requests on behalf of a logged-in Polymarket user. That’s not theoretical. That’s a real attack surface.
On top of that, multiple endpoints were apparently completely unauthenticated. The comments endpoint allowed brute-force enumeration of full user profiles. The reports endpoint exposed user activity data, including something labeled as an admin_auth_addr field. The followers endpoint let anyone map out the full social graph of any wallet address without logging in at all.
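An added example, not code from Polymarket or from the forum post: a server-side clamp for the limit parameter and an allowlist-based CORS handler of the kind that would have closed the two misconfigurations above, plus an audit helper that flags the credentials-with-wildcard-or-reflected-origin header shape. The allowlist origin https://app.example.com and the limit caps are assumed values.

```javascript
// Added example (not Polymarket's code). Pure functions so they can be unit-tested
// without a running server.

// Pagination: clamp the caller-supplied "limit" instead of trusting it.
// ?limit=999999 is reduced to MAX_LIMIT; garbage or missing values fall back
// to the default, so bulk extraction through one oversized page is not possible.
const DEFAULT_LIMIT = 50;  // assumed value
const MAX_LIMIT = 500;     // assumed value

function clampLimit(rawLimit, def = DEFAULT_LIMIT, max = MAX_LIMIT) {
  const n = Number.parseInt(String(rawLimit ?? ''), 10);
  if (!Number.isFinite(n) || n < 1) return def;
  return Math.min(n, max);
}

// CORS: only echo an Origin that is on an explicit allowlist, and only then
// allow credentials. Browsers refuse a literal "*" together with credentials,
// so the exploitable form is a server that reflects whatever Origin it receives.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed allowlist

function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowlist.has(requestOrigin)) {
    // Unknown origin: emit no CORS headers, so the browser blocks the cross-origin
    // read. The request still reaches the server and normal auth still applies.
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Responses differ per Origin; stop a shared cache serving one origin's
    // response to another.
    'Vary': 'Origin',
  };
}

// Audit helper for your own responses (header names lower-cased as Node exposes
// them): true when credentials are allowed together with "*", "null", or an
// Origin that was reflected even though it is not on the allowlist.
function isDangerousCors(responseHeaders, requestOrigin, allowlist = ALLOWED_ORIGINS) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = String(responseHeaders['access-control-allow-credentials'] ?? '').toLowerCase();
  if (acac !== 'true') return false;
  if (acao === '*' || acao === 'null') return true;
  return Boolean(requestOrigin) && acao === requestOrigin && !allowlist.has(requestOrigin);
}
```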
What Was Taken
The actor claims the dump contains roughly 750MB of raw data, compressed down to about 8.3MB of JSON files. The breakdown reads like a fairly complete export of Polymarket’s user-facing database.
Ten thousand unique user profiles with names, pseudonyms, bios, profile images, proxy wallet addresses, and base wallet addresses. That last part matters because wallet addresses are pseudonymous on-chain, but once you tie them to a name and a profile image, the pseudonymity starts to collapse.
There are also 9,000 follower profiles with similar detail, 4,111 comments with attached profile data, and 1,000 report records containing 58 unique ETH addresses. The inclusion of something called admin_auth_addr in the reports data is the kind of detail that raises questions about what else might have been accessible beyond what’s listed.
On the market data side, the dump allegedly includes 48,536 markets from Polymarket’s Gamma system with full metadata, condition IDs, and token IDs, plus over 250,000 active CLOB markets with FPMM contract addresses, and 292 events with internal usernames and wallet addresses attached to the submitter and resolver roles. A hundred reward configurations are also included, complete with USDC contract addresses and daily payout rates.
Internal user IDs from createdBy and updatedBy fields are exposed throughout, which means the leak also inadvertently maps out some of the platform’s internal account structure.
The CVEs in the Pack
Beyond the data itself, xorcat claims to have included five working proof-of-concept exploits in the ZIP file. Two of these are tied to specific CVEs.
CVE-2025-62718 is an Axios NO_PROXY bypass with a CVSS score of 9.9. At that severity level, it’s about as serious as vulnerabilities get without being a full remote code execution. In practice, this type of flaw enables server-side request forgery, meaning an attacker can potentially use the vulnerable server to make requests to internal services that aren’t exposed to the public internet. In the context of a crypto platform with backend infrastructure, the downstream possibilities from that are worth taking seriously.
CVE-2024-51479 is a Next.js middleware authentication bypass at CVSS 7.5. This vulnerability affects how Next.js handles route-level authentication checks, and its presence here suggests the frontend application layer had its own independent authentication gap separate from the API-level misconfigurations.
The other three exploits in the pack target the CORS misconfiguration, the pagination bypass, and a WebSocket endpoint.
Why This Is Worth Paying Attention To
Prediction markets are an odd hybrid. Users interact with them through a relatively standard web interface, but the underlying assets are crypto wallets, and the financial exposure is real. Polymarket in particular has grown significantly over the past couple of years, processing hundreds of millions of dollars in trades around major events.
The combination of real financial activity and what appears to be fairly permissive API security is a bad one. Several of the issues described here, such as unauthenticated endpoints, missing rate limits and CORS misconfigurations, aren’t difficult to find if you’re looking. The fact that they may have persisted long enough for 750MB of data to be extracted quietly says something about whether the platform’s security posture kept pace with its growth.
The threat actor’s decision to package this as a full exploit kit and post it to a public forum rather than report it quietly also changes the risk profile. Even if Polymarket patches every vulnerability in the next 24 hours, the PoCs are already out. Other actors now have working scripts.
Whether the leaked data is genuine hasn’t been independently confirmed as of this writing. Polymarket has not issued a public statement. The post on the cybercrime forum was made on April 27, 2026, and claims all data was extracted that same day.
If you have an account on Polymarket and use a wallet address you also use elsewhere, it’s worth assuming your on-chain identity may now be linked to whatever personal information you provided during registration. The nature of blockchain pseudonymity means there’s no changing your wallet history, but you can at least be aware of what’s connected to it.