POLYMARKET SAYS “NO HACK” — BUT 300K RECORDS LEAKED ON DARK WEB 👀

What happened:

Dark Web Informer flagged a cybercrime forum leak on April 27, 2026. Actor “xorcat” claims 300,000+ Polymarket records, pulled via undocumented API endpoints, were dumped along with an exploit kit.

Polymarket’s Response 🧑‍💻

CEO Shayne Coplan on X:

> “Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was ‘leaked’ — it's accessible via our public endpoints & on-chain data.”

Their claim:

1. No private data compromised — wallets, bets, positions are all on-chain by design

2. Same data free via API — you don’t need to pay hackers, just query them

3. Not a security flaw — transparency is inherent to prediction markets

But critics say:

1. Aggregation risk: 750MB of user data scraped via pagination bypass + misconfigured CORS

2. Exploit kit leaked: Working scripts now public for anyone to scrape more

3. Privacy issue: Wallet addresses linked to registration info = on-chain doxxing

Context you need:

This isn’t Polymarket’s first security headache. Dec 2025: Third-party Magic Labs auth flaw drained user USDC. Sep 2024: Google login proxy attacks hit users.

My take:

On-chain ≠ anonymous. If you bet on Polymarket, assume your wallet + positions are public forever. The “leak” is real data — Polymarket just argues it was always public.

The real issue: No bug bounty program + permissive APIs = hackers will keep scraping.

Protect yourself:

1. Use burner wallets for prediction markets

2. Never reuse wallet addresses across platforms

3. Assume anything on-chain is public data

Polymarket trading volume > Kalshi last year, but this transparency debate won’t die.

Do you trust on-chain betting after this? 👇

#PolymarketDeniesDataBreach #Polymarket #CryptoNews #OnChain #Web3Security

_NFA. DYOR. Using prediction markets = public exposure of your trades._