Polymarket allegedly suffered an attack that leaked more than 300,000 records

  • 10,000 complete profiles with real name, pseudonym and wallet address were exposed.

  • The leaked packet comprises approximately 750 megabytes of data.

An attacker identified as “xorcat” published more than 300,000 records extracted from the Polymarket prediction market on a cybercrime forum on April 27, according to the alert issued today, April 28, by Dark Web Informer, a firm specialized in monitoring threats on the dark web. At the time of this writing, Polymarket has not issued any statement on the matter.

As Dark Web Informer warns, the most immediate risk for users is the linking of identity to assets. The leaked data includes 10,000 complete profiles with real name, pseudonym and wallet address, and 9,000 additional follower profiles with the same fields.

This combination allows an attacker to identify a person, learn their wallet address, check their on-chain balance and build a personalized phishing attack, that is, a deception aimed specifically at that person to trick them into granting access to their funds.

The Dark Web Informer team detailed that the leaked packet comprises approximately 750 megabytes of raw data. In addition to user profiles, it includes 4,111 comments with attached profile data, 48,536 markets from the Gamma platform with their internal identifiers, more than 250,000 active markets from the Polymarket order system with their contract addresses, and 100 reward setups with contract addresses in the USDC stablecoin and daily rates.

Also exposed were 1,000 internal reporting records containing 58 unique Ethereum addresses with an administrator authentication indicator, data that could guide attacks targeting accounts with high permissions within the platform.

How did the attack and leak happen?

According to Dark Web Informer, the actor extracted the data by exploiting flaws in Polymarket’s public programming interfaces (APIs): endpoints that any user could query without authenticating, and a misconfiguration that allowed a single caller to request unlimited volumes of data.

The published package also includes an automated extraction script that keeps downloading fresh data from Polymarket for as long as those vulnerabilities remain unfixed, which means the volume of exposed data could continue to grow, Dark Web Informer notes.
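To make the two API weaknesses described above concrete from the defender's side, here is an added illustration that is not Polymarket's code and makes no claim about its actual API: a toy profile endpoint in the weak shape the alert describes (no authentication, client-chosen limit passed straight through) beside a hardened version that clamps page size, budgets records per caller and withholds identity fields from anonymous requests. The sample users, the `MAX_PAGE` ceiling and the quota figures are constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_PAGE = 100  # server-side ceiling on records per response (assumed value)

# Constructed sample data: fake users, not real Polymarket records.
USERS = [
    {"id": i, "pseudonym": f"user{i}", "name": f"Real Name {i}",
     "wallet": f"0x{i:040x}"}
    for i in range(1, 1001)
]

def weak_profiles(limit: int, offset: int = 0) -> list[dict]:
    """Weak shape: no auth check and a client-chosen limit passed straight
    through, so one request with limit=10**9 dumps every record, all fields."""
    return USERS[offset:offset + limit]

@dataclass
class Request:
    limit: int
    offset: int = 0
    authenticated: bool = False

class Quota:
    """Per-caller record budget; bulk enumeration exhausts it quickly."""
    def __init__(self, max_records: int) -> None:
        self.max_records = max_records
        self.served: dict[str, int] = {}

    def charge(self, caller: str, n: int) -> bool:
        used = self.served.get(caller, 0)
        if used + n > self.max_records:
            return False
        self.served[caller] = used + n
        return True

def hardened_profiles(req: Request, quota: Quota, caller: str) -> list[dict]:
    """Hardened shape: validates and clamps pagination, charges the caller's
    quota, and returns identity fields (name, wallet) only when authenticated;
    anonymous callers see the public pseudonym alone."""
    if req.limit <= 0 or req.offset < 0:
        raise ValueError("invalid pagination parameters")
    limit = min(req.limit, MAX_PAGE)
    page = USERS[req.offset:req.offset + limit]
    if not quota.charge(caller, len(page)):
        raise PermissionError("record quota exceeded")
    if req.authenticated:
        return [dict(u) for u in page]
    return [{"id": u["id"], "pseudonym": u["pseudonym"]} for u in page]
```

The quota here is a plain in-memory counter; a real deployment would key it on an authenticated identity or client address and reset it per time window.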

Finally, the actor pointed out, according to the alert, that Polymarket does not have a bug bounty program (a mechanism through which platforms pay researchers who discover and report vulnerabilities privately before publishing them) and that it was not notified before the disclosure.

The absence of such a program on a platform that handles real user funds removes the incentive for responsible disclosure and leaves users without the protection that this process offers.
