Polymarket Refutes Hacker Claims, Data Remains Public

Polymarket, the prediction markets platform, has pushed back against a flare of reports alleging a data breach after a dark web post claimed to expose private user details. A hacker using the handle “xorcat” and cybersecurity accounts circulating on X claimed to have stolen more than 300,000 records, including 10,000 full profiles with names, profile images, proxy wallets, and base addresses. Polymarket characterized the allegations as “complete and utter nonsense,” arguing that the information cited is already publicly available.

The controversy emerged as the crypto security community and on-chain markets were still tracking last month's wave of hacks and data exposures. Hackers and misconfigurations have contributed to a broad set of incidents, with Hacken reporting that Web3 projects lost roughly $482 million in hacks and scams across 44 events in the first quarter of 2026. That backdrop has heightened scrutiny of how much data is exposed by on-chain and API-accessible systems and what constitutes a breach versus an auditable public data surface.

Polymarket’s stance was reinforced by a direct rebuttal on X, where the team said the breach claims were “complete and utter nonsense” and noted that the allegedly stolen data is information already accessible online. In another post, Polymarket emphasized the on-chain and publicly auditable nature of its data: “Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug. No data was leaked, it’s accessible via our public endpoints and on-chain data. Instead of paying for the data, you can access it for free via our APIs.”

The hacker’s claim centered on breaches through allegedly compromised API endpoints and on-chain data, with assertions that undocumented API endpoints, pagination bypass, and CORS misconfigurations on Polymarket’s Gamma and CLOB APIs were exploited. The attacker also suggested plans to release more data from other prediction markets in the coming days.

Several security researchers expressed skepticism about the breach story. Vladimir S., a threat researcher and chief security officer at Legalblock, cautioned that the evidence suggested data was parsed rather than leaked in a true breach, describing the scenario as unlikely to reflect a real DB compromise.

Key takeaways

  • The incident centers on a claim of data theft from Polymarket, which the operator rejects as untrue, asserting that the reported data is publicly accessible and already published.
  • Polymarket maintains that its data remains on-chain and publicly auditable, emphasizing that developers and users can access information for free via public APIs.
  • The platform counters a narrative that there was no bug bounty program, noting a live program that began on April 16 and has since received hundreds of reports—raising questions about the timing and scope of the alleged data exposure.
  • Industry context matters: Hackers and misconfigurations contributed to a broad wave of crypto security incidents in Q1 2026, underscoring the sector’s ongoing vulnerability to data leakage and access-control flaws.
  • Skeptics argue the claim could reflect data parsing or misinterpretation rather than a true breach, highlighting the tension between on-chain transparency and sensitive, user-level data exposure.

Polymarket’s response and the data-access debate

At the center of the dispute is Polymarket’s assertion that there was no data breach and that the information cited by the hacker is already public. In posts observed on X, the platform argued that publicly accessible API endpoints and the availability of on-chain data mean that users and developers can retrieve the same data without an intrusion. The company’s position aligns with a broader debate in crypto: when on-chain activity is inherently public and auditable, at what point does exposure become a breach rather than a design characteristic of the architecture?

The platform also pointed to its API strategy, suggesting that the data being claimed as stolen is accessible to anyone via its APIs rather than representing a security compromise. This framing has drawn mixed reactions from the security community, with some experts acknowledging the public nature of certain data while others caution that exposing sensitive user metadata, especially combined with wallet addresses and profile identifiers, could raise privacy concerns even if technically public.

Beyond the specifics of Polymarket, the episode touches on a longer-running issue in crypto infrastructure: how to balance openness and auditability with the protection of user privacy. On-chain data and API-based access can enable rapid verification and transparency, but they may also broaden the surface area for data collection and potential misuse if not properly controlled or anonymized. The ongoing discussion underscores why platforms must clearly delineate what data is publicly visible versus what is considered sensitive or restricted.

Bug bounty program and security posture

A central counterpoint to the “no bug bounty” narrative is Polymarket’s stated bug bounty program. The platform indicates a live initiative that started on April 16 and has since collected hundreds of reports—446, as of the most recent update. This cadence suggests an active effort to identify and remediate vulnerabilities, even as the current episode unfolds in the public eye. The existence of a formal bug bounty program can be a signal of ongoing security maturity, but it also invites scrutiny about the scope of bug reporting and the responsiveness of fixes in a rapidly evolving threat environment.

Industry observers will be watching whether new vulnerabilities or misconfigurations continue to surface in Polymarket’s API layers or if the current episode remains limited to a misinterpretation of publicly available data. The interaction between bug bounty activity, disclosure timelines, and incident response will offer a read on how quickly the platform can recover trust if any genuine issues emerge.

Industry backdrop: security incidents and on-chain transparency

The broader crypto security landscape adds context to the Polymarket episode. Hackers and misconfigurations have pushed Web3 security to the forefront, with Q1 2026 reporting notable losses across numerous incidents. While the total losses and incident counts vary by source, the trend illustrates that even established markets and prediction platforms remain attractive targets for attackers seeking a data or financial edge.

Analysts note that the public nature of on-chain data can be a double-edged sword: it enables rapid verification and accountability but can also complicate privacy considerations if user-identifying information becomes intertwined with transparent transaction data. In this environment, platforms that champion openness must also ensure robust access controls, careful data minimization, and clear user-facing privacy policies to navigate evolving regulatory and market expectations.

As the narrative around Polymarket evolves, observers will want to see how the platform responds to ongoing scrutiny, whether it publishes more technical details about its API configurations and security controls, and how it communicates any future findings from bug-bounty disclosures. Reports from security researchers, exchange operators, and independent researchers will continue to shape market perceptions about the reliability of data on popular prediction platforms.

In reporting this week, Cointelegraph drew on Hacken’s assessment of the period’s security landscape, underscoring that the first quarter of 2026 saw a significant volume of exploits across the Web3 space. The confluence of public data accessibility and high-profile hack narratives makes clear why investors and builders are paying closer attention to how platforms handle data exposure, API security, and incident response in real time.

Source: Polymarket posts on X, cybersecurity researchers’ commentary, and industry data cited by Hacken and Cointelegraph.

Polymarket is committed to independent, transparent journalism. This news article adheres to Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

This article was originally published as Polymarket Refutes Hacker Claims, Data Remains Public on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.
