Image credit: Shutterstock
Polymarket has denied claims that it suffered a data breach after a hacker said they were selling more than 300,000 records tied to the prediction market platform.
The company said the information being marketed as leaked data was already publicly available through its APIs and on-chain records. Polymarket said no private user data was compromised and told users they could access the same information for free rather than paying for it.
Seller Claimed Public Data and Tools
The incident began after a threat actor using the name “xorcat” reportedly advertised a dataset and exploit toolkit on a cybercrime forum. The data was said to include user profiles, comments, market information, wallet-linked identifiers and other platform metadata.
Cybersecurity reports alleged that the dataset was assembled through public and undocumented API endpoints, weak pagination controls and configuration issues. The package was also described as including scripts or proof-of-concept tools for collecting data at scale.
Polymarket pushed back on the idea that this was a breach. In a public post on X, Polymarket said on-chain data is publicly auditable by design and that the information came from public endpoints and blockchain records.
Public Data Still Raises Privacy Questions
The dispute highlights a familiar issue for on-chain platforms. Data can be public in a technical sense without being easy for ordinary users to collect, organize or analyze. Large-scale aggregation can make wallet-linked activity, usernames, comments and trading behavior easier to track over time. That does not necessarily mean private data was stolen, but it can still create privacy and operational security concerns.
For prediction markets, that distinction matters. Platforms such as Polymarket rely on transparent markets and auditable trades, but users may not expect public records and platform metadata to be bundled and sold as a searchable dataset.
No Private Data Has Been Confirmed Exposed
So far, there is no confirmed evidence that passwords, private keys, payment details or other confidential user information were exposed. Polymarket’s position is that the material being sold was public and did not come from a compromise of its internal systems.
The company’s response does not fully address the claims about undocumented endpoints, pagination controls or possible API misconfiguration. If undocumented endpoints or misconfigurations allowed unusually broad data collection, Polymarket may still face pressure to explain what should be publicly accessible and whether its API controls need tightening.
For now, the incident appears less like a traditional breach and more like a dispute over large-scale exposure of public data. Polymarket says nothing private was leaked, while the seller is trying to profit from data the platform says anyone could already pull.
