Behind the Numbers: Did Polymarket Really Suffer a Massive Data Breach?
As a hacker claims to have stolen 300,000 records from Polymarket, the crypto prediction giant insists it's all smoke and mirrors.
On a quiet April evening, the crypto world was jolted by allegations of a massive data breach at Polymarket, the world’s largest decentralized prediction market. A hacker, styling themselves as “Xorcat,” boasted on underground forums that they’d siphoned off hundreds of thousands of user records. Screenshots, compressed files, and technical jargon flooded Telegram groups. But as the dust settles, one question remains: was this a true breach, or just a well-publicized case of digital window shopping?
Unpacking the Breach Claims
Xorcat’s claims were dramatic: exploiting hidden API endpoints, bypassing pagination limits, and leveraging serious vulnerabilities (including CVE-2025-62718 and CVE-2024-51479) to allegedly access private Polymarket data. The supposed haul? Over 2GB of records, with user profiles, wallet addresses, internal admin data, and even details about reward setups and daily payouts.
Screenshots of folders like profile_images and massive JSON files fueled speculation, especially when the hacker hinted at accessing sensitive admin details. The leak, Xorcat insisted, could expose users’ trading histories by linking names to crypto wallets - a potential privacy nightmare for high-stakes bettors.
Polymarket’s Rebuttal
Polymarket’s response was swift and unequivocal: “Total nonsense.” The company pointed out that its platform, by nature of being blockchain-based, exposes much of this information by default. In essence, anyone with the right tools can already access trading histories, wallet addresses, and market data. Their stance? Xorcat merely scraped public data, repackaged it with technical flair, and passed it off as a breach.
Adding to the doubt, Polymarket revealed that they’ve operated a bug bounty program - contradicting Xorcat’s claim that the leak was retaliation for the absence of such a scheme. The company suggested the real story is about opportunistic scraping, not criminal hacking.
What’s at Stake?
Whether or not Xorcat truly breached internal systems, the incident shines a light on a critical issue: even “public” data can become a privacy risk when aggregated and republished. Linking wallet addresses with names and trading patterns could expose users to targeting, scams, or even regulatory scrutiny. For now, Polymarket users are advised to stay vigilant and monitor their accounts, as their pseudonymous bets may no longer be as private as they thought.
Conclusion
In the high-stakes world of crypto prediction markets, the line between public transparency and personal privacy is razor-thin. Whether a true breach or a masterclass in scraping, the Polymarket saga is a wake-up call: in the blockchain era, your data might be more visible - and vulnerable - than you think.
WIKICROOK
- API Endpoint: An API endpoint is a specific web address where software systems exchange data, acting as a secure digital service window for requests and responses.
- Pagination Bypass: Pagination bypass lets attackers access more data than allowed by manipulating page numbers or limits in web application requests.
- CORS (Cross-Origin Resource Sharing): CORS is a browser security feature that manages cross-domain requests, helping prevent unauthorized access to resources and enhancing web application security.
- Data Scraping: Data scraping is the automated extraction of large amounts of information from websites using bots or software tools, often for analysis or research.
- Bug Bounty Program: A bug bounty program rewards independent researchers for finding and reporting software vulnerabilities, helping organizations enhance their cybersecurity.
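
The pagination bypass entry above, seen from the defender's side, as an added example (not code from Polymarket or from the original article): a server-side guard that clamps limit and offset and flags clients that repeatedly send out-of-range values. The /api/profiles path, the parameter names and the caps are assumptions, and the sample requests are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

MAX_LIMIT = 100       # assumed server-side page-size cap
MAX_DEPTH = 10_000    # assumed cap on offset + limit (how deep a client may page)

def enforce_pagination(url):
    """Return (limit, offset, flags) with the caps applied server-side."""
    qs = parse_qs(urlsplit(url).query)
    flags = []

    def as_int(name, default):
        values = qs.get(name, [str(default)])
        if len(values) > 1:                 # repeated parameter: flag it, last value is used
            flags.append(f"duplicate_{name}")
        try:
            return int(values[-1])
        except ValueError:                  # e.g. limit=abc falls back to the default
            flags.append(f"non_integer_{name}")
            return default

    limit, offset = as_int("limit", 20), as_int("offset", 0)
    if limit < 1 or limit > MAX_LIMIT:
        flags.append("limit_out_of_range")
        limit = min(max(limit, 1), MAX_LIMIT)
    if offset < 0:
        flags.append("negative_offset")
        offset = 0
    if offset + limit > MAX_DEPTH:          # stop deep enumeration of the whole data set
        flags.append("depth_exceeded")
        offset = max(MAX_DEPTH - limit, 0)
    return limit, offset, flags

def flag_clients(requests, threshold=2):
    """Count flagged requests per client; return clients at or above threshold."""
    hits = Counter(c for c, url in requests if enforce_pagination(url)[2])
    return {c: n for c, n in hits.items() if n >= threshold}

# Constructed sample requests (client id, URL); not real traffic.
SAMPLE = [
    ("client-a", "/api/profiles?limit=20&offset=0"),
    ("client-b", "/api/profiles?limit=100000"),
    ("client-b", "/api/profiles?limit=50&offset=-1"),
    ("client-b", "/api/profiles?limit=10&limit=99999"),
    ("client-c", "/api/profiles?limit=abc"),
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```

Because the caps are applied on the server regardless of what the request asks for, a manipulated limit or offset returns no more than a normal page, and the flags give the monitoring side a per-client signal to alert on.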