Polymarket: Dark web ‘leak’ is public on-chain data

Polymarket says a dark-web post claiming 300,000 user records were stolen reflects public on-chain data accessible via its APIs, not a platform breach.
A user on a dark-web forum using the handle ‘xorcat’ posted what they said were more than 300,000 records, including about 10,000 unique profiles with full names, profile images, proxy wallets and base addresses. Screenshots of the post circulated online and quickly raised concerns, including questions such as “is Polymarket legit”, prompting a response from the prediction market operator.
Polymarket rejected the claim and said the information in the post is already publicly available on the blockchain and accessible through the platform’s documented APIs. The company described the report as false and urged people to use its public endpoints instead of purchasing the data.
The poster asserted that the data was extracted via undocumented API endpoints, a pagination bypass and a CORS misconfiguration on Polymarket’s Gamma and CLOB APIs, and indicated that additional releases were planned.
Polymarket posted that someone had “compromised our platform by accessing publicly accessible API endpoints & on-chain data” and questioned why the poster would try to sell material the company offers free to developers.
The company also wrote, “Part of the beauty of being on chain is all our data is publicly auditable, this is a feature, not a bug. No data was leaked, it’s accessible via our public endpoints & on-chain data.” Polymarket added that it launched a public bug bounty program on April 16 and had received 446 reports by midweek.
Several security researchers reviewed the available material and described it as parsed on-chain records rather than evidence of a breach of private servers. Vladimir S., a chief security officer at Legalblock, said the posts looked like someone compiled public blockchain data and presented it as a database leak.
Analysts noted that assembling on-chain information into structured files can create the appearance of a leak even when no private system was accessed.
The claim comes as the crypto sector has seen an increase in hacks and exploits; a blockchain security firm reported Web3 projects lost $465 million to hacks and scams in the first quarter of 2026 across 44 incidents.
Polymarket advised users and researchers to access transaction and profile identifiers via its public APIs and reiterated that on-chain records are auditable by anyone and are not equivalent to exposure of private account credentials.
Security teams continue to monitor the dark-web postings for any additional materials that would indicate unauthorized access to private servers.