Decentralized prediction market Polymarket has suffered a significant data breach, with more than 300,000 records exposed by a threat actor operating under the handle "xorcat." According to reporting from Phemex News, the incident occurred on April 27, 2026, and the stolen dataset, alongside a packaged exploit toolkit, was published on a cybercrime forum. The leak includes user profiles, comments, and reported records, raising serious concerns about the platform's API security posture.

What Happened

On April 27, 2026, threat actor xorcat publicly leaked a trove of data scraped from Polymarket on a cybercrime forum. The disclosure was unusual in that it bundled not just the stolen records but also a complete exploit toolkit, including proof-of-concept code, automated scraping scripts, and a red team report detailing the methodology. The actor claims to have abused weaknesses in Polymarket's API endpoints, including pagination bypasses and CORS misconfigurations, to enumerate and extract data at scale. The release effectively turns a single intrusion into a reusable attack kit for any opportunist willing to download it.

What Was Taken

The leaked archive contains over 300,000 records spanning multiple data classes harvested from the platform. Confirmed contents include approximately 10,000 user profiles, 4,111 comments, and 1,000 reported records, alongside additional sensitive metadata. While Polymarket's wallet-based identity model means traditional credentials are not in play, profile data, behavioral activity, and on-platform interactions can still be weaponized for targeted phishing, doxing, and social engineering against high-value traders on the platform.

Why It Matters

Polymarket sits at the intersection of crypto finance and politically sensitive prediction markets, making its user base an attractive target for both financially motivated actors and those interested in deanonymizing political bettors. The bundling of an exploit kit alongside the data dump means the attack surface remains live for copycat actors until every disclosed vulnerability is remediated. The incident also lands during a sensitive period for the company, which is reportedly pursuing a $400 million funding round and seeking CFTC approval to re-enter the U.S. market, amplifying regulatory and investor scrutiny.

The Attack Technique

According to the leaked red team report, xorcat chained several common but high-impact web application flaws. Pagination bypass logic allowed the actor to iterate beyond intended record limits and extract bulk data from endpoints that should have been rate-limited or capped. CORS misconfigurations broadened the trust boundary, enabling cross-origin requests that should have been rejected. The toolkit references proof-of-concept code for CVE-2025-62718 and CVE-2024-51479, suggesting the actor combined known CVEs with platform-specific logic flaws and automated scrapers to industrialize the data harvest.

What Organizations Should Do

  1. Audit all public API endpoints for pagination, offset, and cursor manipulation flaws, and enforce server-side hard caps on result set sizes regardless of client-supplied parameters.
  2. Review CORS policies and eliminate wildcard origins or overly permissive credentialed configurations on any endpoint exposing user or behavioral data.
  3. Patch and verify remediation of CVE-2025-62718 and CVE-2024-51479 across all dependencies, and inventory third-party components for additional exposure.
  4. Deploy aggressive anomaly detection and rate limiting on read-heavy endpoints, with alerting tuned to detect enumeration patterns rather than only authentication abuse.
  5. Treat behavioral metadata, comments, and profile activity as sensitive PII for risk assessment, even when wallet addresses replace traditional identifiers.
  6. Monitor cybercrime forums and paste sites for follow-on weaponization of the leaked exploit toolkit, and prepare customer communications for likely phishing waves targeting affected users.
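
A minimal sketch of items 1 and 2 above, added here as an illustration; it is not code from Polymarket or from the leaked toolkit. The cap values, the parameter names `limit` and `offset`, and the allowlisted origin are assumptions chosen for the example.

```python
from urllib.parse import urlsplit

MAX_LIMIT = 100        # assumed hard cap on rows per response
MAX_OFFSET = 10_000    # assumed deepest offset served to a client
DEFAULT_LIMIT = 20
ALLOWED_ORIGINS = {"https://app.example.com"}  # placeholder allowlist


def clamp_pagination(params):
    """Return (limit, offset) bounded server-side, whatever the client sent."""
    def as_int(value, default):
        try:
            return int(value)
        except (TypeError, ValueError):
            return default

    limit = as_int(params.get("limit"), DEFAULT_LIMIT)
    offset = as_int(params.get("offset"), 0)
    # Negative, zero or oversized limits collapse into the allowed range.
    limit = max(1, min(limit, MAX_LIMIT))
    # Deep offsets are refused outright so the cap cannot be walked around.
    if offset < 0 or offset > MAX_OFFSET:
        raise ValueError("offset out of range")
    return limit, offset


def cors_headers(origin):
    """Echo the Origin only on an exact allowlist match, never a wildcard."""
    if origin is None:
        return {}  # not a cross-origin browser request
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    # Reject 'null', origins with a path, and look-alike hosts.
    if normalized != origin.lower() or normalized not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

The clamp runs before the query is built, so the database never sees a client-chosen page size, and a rejected origin receives no `Access-Control-Allow-Origin` header at all.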

Sources: Polymarket Data Breach Exposes 300,000 Records | Phemex News