Polymarket’s “Hack”: A Tale of Public Data and Grandstanding Thieves

In the shadowed realm where the digital and the absurd converge, Polymarket has cast aside the whispers of a data breach with the disdain of a man swatting at a gnat. A specter known as xorcat, emerging from the depths of the Dark Web, proclaimed to have seized 300,000 records, only to be met with the platform’s scornful retort: “You call this theft? It is but a mirror held to our own transparency.”

The so-called actor, unearthed by the ever-vigilant Dark Web Informer, boasted of pilfering user profiles, comments, market data, and exploit code. Yet, Polymarket, with a shrug that could only be described as Olympian, declared the act not a heist but a farce. “You have ‘compromised’ our platform,” they scoffed, “by accessing what we freely offer to the world. Pray tell, which venture capitalist paid you to peddle our generosity as your own?”

You “compromised” our platform by accessing publicly accessible API endpoints & on-chain data and… checks notes are trying to sell the data we offer developers for free?

Which VC paid you to post this?

– Polymarket Developers (@PolymarketDevs) April 28, 2026

The Great Data “Leak”

The forum post, a manifesto of misplaced pride, advertised a 750 MB trove: 10,000 user profiles, 4,111 comments, 48,536 markets from the Gamma API, and over 250,000 active markets from the CLOB API. Follower lists, reward configurations, internal user identifiers, all laid bare, as if the world had not already seen them through Polymarket’s own lens.

The package, it was claimed, included proof-of-concept exploits: an Axios proxy bypass (CVE-2025-62718), a CORS misconfiguration on the CLOB API, a Next.js middleware authentication bypass, and a pagination flaw that accepted queries of infinite greed. Yet, Polymarket stood firm, declaring, “This is not a breach but a testament to our openness. You have not stolen; you have merely copied.”

The post, with the gravitas of a street-corner pamphleteer, decried broken access controls and the absence of a bug bounty program. Polymarket, unmoved, replied, “We have a $5 million bounty, but scraping public data does not a hero make. Find a true flaw, and perhaps we shall speak.”

Polymarket’s Unyielding Stance

In a statement on X, Polymarket spoke with the clarity of a prophet: “Our data is on-chain, auditable by all. This is not a bug but a feature. No leak has occurred; only the ignorant would pay for what we give freely.” They pointed to their API documentation, a beacon in the digital wilderness, and asked, “Why buy the cow when the milk flows unfettered?”

“Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was ‘leaked’ – it’s accessible via our public endpoints & on-chain data.”

The Bug Bounty Conundrum

Polymarket, with a wave of their hand, dismissed the claim of no bug bounty. “We have a program,” they declared, “but it is not for those who mistake openness for vulnerability. Find a flaw in our funds, contracts, or private data, and we shall reward you. Until then, you are but a thief crying for recognition.”

This drama, a microcosm of the on-chain world, reveals the tension between transparency and secrecy. Polymarket, unapologetic, stands as a beacon of openness, while xorcat, the would-be hero, is left holding a mirror to their own folly. The platform’s response is clear: “We fear no light, for we are the light.”

And so, the tale continues, a reminder that in the digital age, the line between theft and transparency is as thin as a blockchain transaction. Will Polymarket’s stance shape the future of such disputes? Only time, and perhaps a few more grandstanding thieves, will tell.

2026-04-29 14:21