Polymarket Rejects Claim of 300K-Record Data Leak
Polymarket dismissed a dark-web seller’s claim that more than 300,000 records and a roughly 1GB ‘exploit kit’ were stolen, calling the forum posting ‘nonsense’.
Polymarket rejected a dark-web seller’s claim that it lost a database of more than 300,000 records and a roughly 1GB ‘exploit kit’. The company called the forum posting ‘nonsense’ and has not confirmed a material exposure matching the seller’s list.
The seller, using the handle ‘xorcat’, posted on a cybercrime forum that data was extracted through undocumented API endpoints, a pagination bypass and a CORS misconfiguration in Polymarket’s Gamma and CLOB APIs. The post included proof-of-concept scripts and an auto-dump tool described as able to reproduce the extraction.
According to the posting, the package contained about 10,000 user profiles with names, pseudonyms, bios, profile images and wallet addresses; more than 4,100 comments linked to profile objects; roughly 1,000 report records with 58 Ethereum addresses and an admin_auth_addr flag; and over 48,000 Gamma markets with metadata and token IDs.
The seller also listed roughly 250,000 active CLOB markets, more than 292 events with submitter and resolver addresses and internal usernames, 100 reward configurations including USDC contract addresses and daily rates, and about 9,000 follower profiles. The posting included scripts the seller said could automate data dumps.
Polymarket’s reply was brief and dismissive. The company has not published evidence that corroborates the specific datasets the seller described.
Federal authorities have raised concerns about prediction markets and data flows. The Department of Justice and the Commodity Futures Trading Commission have cited recent incidents when arguing for tighter oversight, warning that exposed trading or personal data could create risks for participants and for sensitive information.
Polymarket has reported several security incidents over the past year. In February 2026 attackers exploited a design flaw in the order system to manipulate APIs and bots by engineering ‘nonces’ that canceled on-chain trades while leaving off-chain records intact, causing automated traders to incur losses. In December 2025 a breach tied to a third-party authentication tool reportedly allowed some accounts to be drained despite two-factor authentication. In November 2025 a phishing attack on the comments system resulted in more than $500,000 in user losses.
Regulatory actions have followed. Brazilian authorities blocked 27 platforms in April 2026, including Polymarket and Kalshi. Romania and Portugal have blocked specific political contracts to curb speculative betting on elections. U.S. agencies and the White House warned against trading on non-public information related to geopolitical conflicts.
Polymarket tightened internal trading rules in March 2026 to bar wagers based on stolen information or insider knowledge of geopolitical events, and it entered a Regulatory Services Agreement with the National Futures Association to implement real-time surveillance.
Analyst forecasts point to market growth. Bernstein analyst Gautam Chhugani projects total prediction-market volume of about $240 billion in 2026, a 370% increase year over year, and estimates the market could reach $1 trillion annually by the start of the next decade if current growth continues.
The exchange of allegations on the forum and Polymarket’s denial leave questions about the scope and veracity of the claimed leak. Regulators and market monitors have said confirmed incidents will inform policy and oversight going forward.