Author: Claude, Deep Tide TechFlow

Deep Tide Introduction: The hacker, using the pseudonym "xorcat," uploaded a compressed file to a cybercrime forum on April 27, containing over 300,000 records extracted from Polymarket, 5 working exploit scripts, and 2 CVE-level vulnerabilities, with the original data being approximately 750MB.

The blockchain threat intelligence account Dark Web Informer revealed this incident on X the next day. Polymarket responded that day by stating that the data in question was "already accessible through a public API," characterizing the incident as a "function" rather than a leak. However, the official statement did not directly address the API misconfigurations and exploitation details listed by the hacker.

On April 27, the attacker under the pseudonym "xorcat" uploaded a compressed package on a cybercrime forum: a JSON file of 8.3MB that expanded to about 750MB upon extraction, containing over 300,000 records extracted from Polymarket, 5 working exploit scripts (PoC), and a technical report.

Polymarket responded that same day. However, the response was not a typical crisis management apology and investigation, but rather an almost provocative rebuttal. The platform's official account posted on X, mocking that all related content could be accessed through public endpoints and on-chain data, qualifying it as "this is a feature, not a bug."

The event thus evolved into a Rashomon: the hacker side firmly claimed that this was a data attack publicly released without notification, specifically pointing to several API misconfigurations; the platform claimed that all content was public data, and no confidential information was leaked.

Attack Path: "A Series of Unlocked Doors"

According to xorcat's description in the forum post, the attack did not rely on any single complex vulnerability, but rather resembled passing through a series of unlocked doors. Cybersecurity media The CyberSec Guru reviewed that the attack mainly exploited three types of issues: undisclosed API endpoints, pagination bypass of the CLOB (Central Limit Order Book) trading API, and a CORS (Cross-Origin Resource Sharing) misconfiguration.

Public reports indicated that multiple endpoints of Polymarket reportedly did not require any authentication at all. For example, the comments endpoint supported brute-force enumeration of complete user profiles; the report endpoint exposed user activity data; and the followers endpoint allowed anyone to outline a complete social relationship map of any wallet address without logging in.

What was contained in the 300,000+ records?

The forum post by xorcat and reviews from The CyberSec Guru and The Crypto Times show that the leaked package was generally organized into three categories: users, markets, and attack tools (see data card below).

The user side contains 10,000 independent user profiles that include names, nicknames, personal descriptions, avatars, proxy wallet addresses, and underlying wallet addresses. 9,000 follower profiles help outline the social relationship map. 4,111 comment data all contain associated user profiles. 1,000 report records involve 58 distinct Ethereum addresses. Internal user ID fields like createdBy and updatedBy are also scattered throughout, indirectly restoring part of the platform's account structure outline.

The market side covers 48,536 markets from the Polymarket Gamma system (including complete metadata, condition ID, token ID), over 250,000 active CLOB markets (with FPMM contract addresses), 292 events with submitter and adjudicator internal usernames and wallet addresses, and 100 reward configurations with USDC contract addresses and daily payment rates.

Wallet addresses are anonymous on the chain, but when they appear alongside names, personal descriptions, and avatars, anonymity collapses immediately. This is the core controversy not touched upon in Polymarket's response:

Whether data is "public" and whether user identities can still be protected after data aggregation are two different issues.

"This is a feature, not a bug": Polymarket's Rebuttal

Polymarket's response published on X on April 28 consisted of a single tweet. The platform opened with the emoji "😂," questioning the term "compromised," and then rebutting point by point: on-chain data can indeed be publicly audited, no data has been "leaked," the same information could originally be obtained for free through a public API, requiring no payment. The entire statement characterizes it as "this is a feature, not a bug."

The Crypto Times, in its report, pointed out that Polymarket's response did not directly address the specific technical accusations raised by the hacker, including API misconfigurations, CORS misconfigurations, undisclosed endpoints, and missing rate limits. The platform aggressively fired back on the easily refutable aspect of "whether the data is public," but remained silent on the more crucial security issue of "attackers using unintended paths to bulk extract and package" data.

xorcat also claimed that they did not notify Polymarket beforehand because the platform did not have a bug bounty program. This point has not been independently verified, but if true, it reflects a certain gap in Polymarket's proactive security governance: without a formal responsible disclosure channel, attackers tend to prefer public release rather than internal reporting.

This is not the first time Polymarket has been exposed to security issues

Returning to the timeline, from August to September 2024, multiple users who logged into Polymarket with Google accounts reported USDC theft, with attackers using the proxy function calls in the Magic Labs SDK to transfer users' balances to phishing addresses. Polymarket customer service confirmed at least 5 similar attacks by the end of September.

In November 2025, hackers exploited the comment section of Polymarket to post phishing links, which, when clicked, implanted malicious scripts on users' devices, leading to a total loss of over $500,000 from related scams.

In December 2025, there was another incident of bulk account theft. Polymarket confirmed the incident on Discord, attributing it to "a vulnerability in the third-party authentication service." Social media discussions commonly pointed to a user group that logged in via Magic Labs' email; the platform did not publicly name the service provider involved, nor did it disclose the specific number of affected users or the scale of losses.

After each incident, the platform provided responses of varying degrees: some blamed third-party service providers, while others acknowledged issues and promised to contact affected users. This incident with xorcat is the first one to use "this is public data" as a complete defense. Historically, this response resembles a contest over the nature of the incident rather than a conventional approach to security incident response.

As of the time of this writing, Polymarket has not provided a fix for the specific technical vulnerabilities disclosed by xorcat, and the PoC scripts on the forum are still available for anyone to download.