The decentralized prediction platform Polymarket has become the focus of controversy after the Dark Web Informer account on X published allegations that the platform had been hacked, with over 300,000 data records leaked to cybercrime forums. Polymarket quickly denied the allegations, claiming that all related data is publicly available information on the blockchain.
Allegations from Dark Web Informer
According to information released by Dark Web Informer, the attackers claimed to have breached Polymarket on April 27, 2026, through multiple technical vectors, including: exploiting undocumented API endpoints, bypassing pagination, and taking advantage of CORS (Cross-Origin Resource Sharing) misconfiguration vulnerabilities.
The alleged data leak includes: approximately 10,000 personally identifiable users (PII), 41,000 comments, 485,000 market metadata, 250,000 active CLOB markets, and 292 wallet addresses of event proposers and settlers.
More concerningly, the attacker also published concept exploit code for several vulnerabilities, including CVE-2025-62718 with a CVSS score of 9.9 – extremely high severity – along with CVE-2024-51479 (CVSS 7.5) and a CORS configuration flaw. The attacker also pointed out that Polymarket does not have a bug bounty program and was not notified in advance about these vulnerabilities.
Polymarket: "This is a feature, not a flaw."
Responding quickly on X, Polymarket completely denied the data leak allegations. The platform asserted that all on-chain data is publicly verifiable, a core characteristic of decentralized blockchains, not a security vulnerability. Data can be accessed free of charge through public APIs and on-chain data without any fees.
The line between “public data” and “actual data leak” is blurred.
The incident raises a crucial question within the DeFi ecosystem: when does accessing and aggregating on-chain data become exploitation? While Polymarket emphasizes transparency as a strength of blockchain, the fact that 10,000 records of personally identifiable user information are included in the allegedly leaked data list is concerning, as PII information is typically not stored on-chain and should not be freely accessible.
