Polymarket Data Breach: Platform Denies Massive Xorcat Hacking Claims


The boundary between a “feature” and a “vulnerability” has never been thinner than in the high-stakes world of decentralized prediction markets. On April 29, 2026, the industry leader Polymarket found itself at the center of a firestorm following claims of a massive Polymarket data breach. A threat actor operating under the alias “Xorcat” posted a 2.24 GB data dump on several cybercrime forums, alleging that they had exfiltrated over 300,000 user records by exploiting critical flaws in the platform’s API architecture and modern web framework. While Polymarket has officially dismissed these claims as “complete and utter nonsense,” the incident has sparked a profound debate over the security of public-facing APIs and the increasing sophistication of AI-powered reconnaissance tools.

The Xorcat Allegations: A Detailed Anatomy of the “Breach”

The controversy began earlier in the week when Xorcat, a hacker known for targeting fintech and Web3 infrastructure, released a sample of what they termed a “comprehensive exfiltration” of Polymarket’s internal database. According to the threat actor, the “Polymarket data breach” was achieved not through a brute-force attack on the blockchain itself, but by targeting the middleware and API endpoints that connect the decentralized backend to the user-facing web application. Xorcat’s primary claim is that the platform suffered from a Next.js middleware authentication bypass and a failure to secure undocumented API endpoints.

The leaked dataset, which totals approximately 750 MB in its raw JSON form, allegedly includes:

  • 10,000 Unique User Profiles: Containing full names, bios, profile images, and linked “base” and “proxy” wallet addresses.
  • 300,000+ Activity Records: Including thousands of comments, follower graphs, and internal user identifiers.
  • Market Metadata: Detailed records of over 250,000 active CLOB (Central Limit Order Book) markets and 48,000 Gamma markets.
  • Administrative Identifiers: The presence of a field labeled admin_auth_addr has caused particular concern among security researchers, suggesting the potential exposure of privileged account indicators.

Despite the volume of the data, Polymarket’s security team was quick to issue a rebuttal. In a statement posted to social media, the platform argued that 100% of the “stolen” data was already publicly accessible via their open APIs and on-chain blockchain records. They characterized the event as a large-scale data scraping incident rather than a breach of private servers or non-public databases.

Technical Deep Dive: The Vulnerabilities at the Center of the Storm

To understand the gravity of the Polymarket data breach claims, one must look at the specific vulnerabilities Xorcat cited. The hacker claimed to have utilized a chain of exploits involving CVE-2025-29927 and CVE-2025-62718, alongside more traditional API abuse techniques like pagination bypass.

Exploiting the Next.js Middleware (CVE-2025-29927)

The most alarming technical detail in the Xorcat report involves the exploitation of Next.js middleware. In modern web development, middleware is a layer of code that runs before a request is completed, often used for authentication and authorization. However, CVE-2025-29927 is a critical vulnerability that allows an attacker to bypass these checks by spoofing internal headers.

Specifically, the vulnerability centers on the x-middleware-subrequest header. In many Next.js configurations, the server “trusts” this header to identify internal requests that have already been vetted by the middleware. By injecting this header into an external request, Xorcat claims they were able to trick Polymarket’s servers into skipping the authentication layer entirely, granting them direct access to internal API routes that were never intended for public consumption.

The Mechanics of Pagination Bypass

Xorcat also detailed a relatively simple but highly effective pagination bypass on the platform’s Central Limit Order Book (CLOB) API. Standard API design limits the number of records returned in a single request (e.g., 50 or 100 records) to preserve server resources. Developers typically use parameters like limit or offset to manage this.

According to the hacker, Polymarket’s API failed to enforce a maximum value on the limit parameter. By manually setting the limit to 999,999, the attacker could force the system to dump the entire contents of a database table into a single JSON response. When combined with automated scripts, this allowed for the rapid harvesting of hundreds of thousands of records in minutes, a hallmark of high-efficiency data exfiltration in 2026.

CORS Misconfigurations and API Shadowing

Finally, the attacker pointed to a Cross-Origin Resource Sharing (CORS) misconfiguration. CORS is a browser-enforced mechanism that controls which web origins may read responses from an API. Xorcat alleged that Polymarket’s CORS policy was overly permissive, allowing requests from unauthorized origins and facilitating the use of an “Exploit Kit” that could be run directly from a browser to pull sensitive user metadata.
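The pagination and CORS weaknesses described in the last two sections, as an added example that is not Polymarket's code: each weak handler sits beside a hardened one. The page-size ceiling and the allow-listed origin are assumptions chosen for illustration.

```javascript
// Added example (not Polymarket's code). Limits and origins below are assumptions.
const MAX_PAGE_SIZE = 100;     // ceiling the server enforces no matter what the client asks for
const DEFAULT_PAGE_SIZE = 50;
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // hypothetical front-end origin

// Weak: trusts whatever limit the client sends, so limit=999999 returns the whole table.
function parsePaginationWeak(query) {
  return { limit: Number(query.limit) || DEFAULT_PAGE_SIZE, offset: Number(query.offset) || 0 };
}

// Hardened: accepts only non-negative integers and clamps limit into [1, MAX_PAGE_SIZE].
function parsePagination(query) {
  const toInt = (v, fallback) => (/^\d+$/.test(String(v ?? '')) ? Number(v) : fallback);
  const requested = toInt(query.limit, DEFAULT_PAGE_SIZE);
  return { limit: Math.min(Math.max(requested, 1), MAX_PAGE_SIZE), offset: toInt(query.offset, 0) };
}

// Weak CORS: reflecting any Origin together with credentials lets any site read the API from a browser.
function corsHeadersWeak(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Hardened CORS: only an allow-listed origin is echoed back; other origins get no CORS grant at all.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' };
}
```

The clamp makes an oversized limit cost the same as a normal page, so bulk harvesting has to be paced across many requests, where rate monitoring can see it.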

Polymarket’s Defense: The “On-Chain Audit” Argument

Polymarket’s defense centers on the inherent transparency of decentralized finance (DeFi). In a strongly worded response, the platform noted that “the beauty of being on-chain is that all our data is publicly auditable.” They argued that because user trades, wallet addresses, and market structures are written to the blockchain, any person with sufficient technical skill can compile this data without needing “unauthorized access.”

The platform pointed to their Bug Bounty Program, which was launched on April 16, 2026, as proof of their commitment to security. As of the time of the alleged breach, the program had already received over 440 reports from ethical hackers. Polymarket suggested that Xorcat, rather than discovering a new vulnerability, had simply “repackaged” public data to gain notoriety or damage the platform’s reputation amidst a period of intense regulatory scrutiny.

However, security experts have noted that while wallet addresses are public, the linkage between a user’s “base” wallet and their “proxy” wallet (used for gasless transactions) is often not as easily discoverable for the average user. If Xorcat’s dump successfully mapped these relationships across 300,000 accounts, it represents a significant erosion of user privacy, regardless of whether the data was “public” in its raw form.

The Rise of AI-Powered API Exploitation in 2026

The Polymarket data breach incident highlights a growing trend in the cyber threat landscape of 2026: the use of agentic AI to find and exploit undocumented API endpoints. Traditional security scanners often miss “shadow APIs”—endpoints that are used for testing or internal services but remain exposed to the internet.

In 2026, hackers are increasingly using LLM-driven agents to perform reconnaissance. These AI tools can:

  • Predict Endpoint Paths: By analyzing the naming conventions of public APIs, AI can guess the URLs of hidden or administrative endpoints.
  • Automate Logic Abuse: AI agents can test millions of combinations of API parameters to find business logic flaws, such as the pagination bypass mentioned earlier.
  • Chain Vulnerabilities: Automatically identifying that a Next.js header bypass can be paired with an Axios SSRF (Server-Side Request Forgery) to reach a backend database.

This automated efficiency is what allowed Xorcat to claim such a massive volume of data in a relatively short window. It signifies a shift from the “slow and steady” exfiltration of the past to “machine-scale” data harvesting that can overwhelm traditional Web Application Firewalls (WAFs).

The Broader Impact on the DeFi Ecosystem

The fallout from the contested Polymarket data breach arrives at a precarious time for the prediction market sector. In April 2026 alone, governments in Brazil, Romania, and Portugal moved to block platforms like Polymarket and Kalshi, citing concerns over consumer debt and speculative risks. A perceived security failure only adds fuel to the regulatory fire.

Furthermore, the incident underscores the “Privacy Paradox” of Web3. While users are drawn to the decentralization and censorship-resistance of these platforms, the transparency of the blockchain makes them vulnerable to sophisticated doxing. If a hacker can scrape 300,000 records and link on-chain wallets to off-chain identities (even if only via pseudonyms and bios), the promise of anonymity is effectively broken.

Conclusion: Lessons from the Xorcat Incident

Whether one classifies the Xorcat event as a “breach” or “scraping,” the reality remains that 300,000 user records are now circulating on the dark web. For Polymarket, the challenge is to move beyond the technicality of the word “leaked” and address the underlying API security gaps that allowed such a massive amount of data to be aggregated so easily.

For the broader tech community, the lesson is clear: relying on the “public” nature of blockchain data is not a substitute for robust access control. As we move further into 2026, the combination of Next.js middleware flaws and AI-driven API abuse will require a new “defense-in-depth” strategy. Platforms must not only secure their servers but also monitor for abnormal API consumption patterns that signal a scraping effort in progress. In the age of AI, the front door of your API is just as critical as the back door of your database.
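The monitoring the conclusion calls for, together with the spoofed-header check from the middleware section, as an added detector that is not the page's or Polymarket's code: it scans constructed JSON access-log records for the internal subrequest header arriving from outside, oversized limit values, and burst request rates. The log format, addresses and thresholds are assumptions.

```javascript
// Added example (not Polymarket's code): log format, IPs and thresholds are constructed assumptions.
const MAX_PAGE_SIZE = 100;      // page-size ceiling the API is meant to enforce (assumed)
const RATE_WINDOW_MS = 60_000;  // sliding one-minute window for the scraping heuristic
const RATE_THRESHOLD = 200;     // requests per window from one client treated as scraping (assumed)

// Constructed sample log: one JSON record per line, timestamps in ms (2026-04-29 UTC).
const SAMPLE_LOG = [
  '{"ts":1777420800000,"ip":"203.0.113.7","path":"/clob/markets","query":{"limit":"999999"},"headers":{}}',
  '{"ts":1777420801000,"ip":"203.0.113.7","path":"/api/admin/users","query":{},"headers":{"x-middleware-subrequest":"middleware"}}',
  '{"ts":1777420802000,"ip":"198.51.100.2","path":"/clob/markets","query":{"limit":"50"},"headers":{}}',
].join('\n');

function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// Returns findings as { ip, rule, detail } objects, in the order they are detected.
function detect(records) {
  const findings = [];
  const perClient = new Map(); // ip -> request timestamps
  for (const r of records) {
    // 1. The internal subrequest marker should never arrive from an external client (CVE-2025-29927).
    if (Object.keys(r.headers || {}).some((h) => h.toLowerCase() === 'x-middleware-subrequest')) {
      findings.push({ ip: r.ip, rule: 'middleware-header-spoof', detail: r.path });
    }
    // 2. A limit above the ceiling is the pagination-bypass pattern described in the article.
    const limit = Number(r.query?.limit);
    if (Number.isFinite(limit) && limit > MAX_PAGE_SIZE) {
      findings.push({ ip: r.ip, rule: 'oversized-limit', detail: `limit=${limit}` });
    }
    if (!perClient.has(r.ip)) perClient.set(r.ip, []);
    perClient.get(r.ip).push(r.ts);
  }
  // 3. Sliding-window rate per client: machine-scale harvesting shows up as sustained bursts.
  for (const [ip, times] of perClient) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > RATE_WINDOW_MS) start++;
      if (i - start + 1 >= RATE_THRESHOLD) {
        findings.push({ ip, rule: 'scraping-rate', detail: `${i - start + 1} requests in 60s` });
        break; // one finding per client is enough
      }
    }
  }
  return findings;
}
```

Run against the sample, `detect(parseLog(SAMPLE_LOG))` reports the oversized limit and the spoofed header from the same client; the rate rule only fires once a client crosses the threshold inside one window.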


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.