
On April 28, 2026, the threat actor identified as XORCAT claimed responsibility for an alleged large-scale data exposure involving the decentralized prediction market platform Polymarket. According to the actor, the incident involved a significant API-related exposure affecting more than 10 million records and approximately 300,000 user-associated identities. The actor also claimed to possess tooling associated with automated data extraction activities.
If validated, the exposed information could present privacy, profiling, and reconnaissance risks for affected users, particularly through the correlation of publicly accessible platform metadata and blockchain-linked identities.

The incident was publicly attributed to the threat actor alias XORCAT. However, there is a notable discrepancy between the actor’s claims and Polymarket’s official statement regarding the nature of the exposure.
Polymarket stated that no internal data breach occurred and that the referenced information was already accessible through public APIs and on-chain data sources.
At the time of writing, the full scope of the incident remains unverified. Based on currently available evidence, the event appears more consistent with large-scale aggregation of publicly accessible API and blockchain-derived information rather than a confirmed backend compromise or unauthorized database exfiltration.
Organization: Polymarket
Sector: Financial Services / Web3 / Decentralized Finance (DeFi)
Location: Headquartered in New York City, USA, with decentralized infrastructure and global operations.
Operational Significance: As of 2026, Polymarket is the world’s largest decentralized prediction market platform, processing over $4.9 billion in trading volume in early 2026 alone.
XORCAT is the alias used by the actor claiming responsibility for the alleged Polymarket data exposure. At the time of writing, limited publicly verifiable intelligence is available regarding the actor’s operational history or technical capabilities.
The claims associated with this incident primarily involve the large-scale collection and redistribution of publicly accessible platform data. No independently verified evidence currently confirms that the actor achieved unauthorized access to internal infrastructure or private backend systems.
Polymarket officially stated that no data was “leaked” and that the referenced information was already publicly accessible through platform APIs and blockchain data sources.
The statement suggests that the exposed information may have originated from publicly accessible API endpoints and blockchain-derived metadata rather than unauthorized backend access. This distinction is important because it changes the incident classification from a conventional data breach to a potential data aggregation and exposure event.

To validate the actor’s claims, publicly accessible Polymarket API endpoints were reviewed and correlated against the shared sample dataset. The extracted records aligned with user-related metadata exposed through the platform APIs, indicating that portions of the circulated dataset may have been compiled through automated collection of publicly available information.
Initial analysis suggests that the alleged dataset may have been generated through automated interaction with publicly accessible APIs combined with blockchain-derived attribution techniques. At the time of analysis, no evidence confirmed unauthorized backend compromise.
The observed exposure demonstrates how publicly accessible platform metadata can be aggregated and enriched to identify user activity patterns, associated wallet information, and behavioral correlations.


Initial observations indicate that the alleged exposure may have relied on large-scale enumeration of publicly accessible API endpoints rather than exploitation of a software vulnerability.
The analysis identified several characteristics commonly associated with automated data aggregation activity:
Although the information may have originated from publicly accessible sources, large-scale aggregation of exposed metadata can still introduce substantial operational and privacy risks for affected users.
The incident also highlights broader security concerns surrounding excessive exposure of user-associated metadata through decentralized platforms and publicly accessible APIs.
Even when sourced from public endpoints, aggregated platform data can introduce multiple security and privacy risks.
Threat actors can leverage aggregated metadata to build enriched intelligence profiles that combine platform activity, blockchain transactions, and external OSINT sources.
Organizations operating API-driven platforms should monitor for behaviors commonly associated with automated scraping and large-scale enumeration activity.
Gurucul SIEM can help identify suspicious API abuse, anomalous enumeration behavior, automated reconnaissance activity, and large-scale metadata aggregation attempts through centralized monitoring and behavioral analytics.
Organizations should implement layered defensive controls to reduce the risk of large-scale metadata aggregation and automated collection activities.
Gurucul SIEM can help security teams detect suspicious API access patterns, abnormal user behavior, automated reconnaissance attempts, and high-volume data extraction activity across exposed services.
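One way to implement the enumeration monitoring described above, as an added example that is neither Gurucul's nor Polymarket's code: a small Python detector that scores each client on request density within a time window, the share of distinct profile IDs it requested, and whether those IDs were walked in ascending order. The access-log format, the /api/profile/<id> endpoint and the traffic in build_sample_log() are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> <client-ip> <method> <path> <status>";
# /api/profile/<id> is an illustrative endpoint, not Polymarket's real API.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3})$')
PROFILE_RE = re.compile(r'^/api/profile/(\d+)$')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, client_ip, path), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return (datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(4)) if m else None

def detect_enumeration(lines, window=timedelta(minutes=5), min_requests=30, min_distinct_ratio=0.8):
    """Flag clients that fetch many distinct profile IDs inside one time window.
    Signals: densest request count in any window, share of distinct IDs, and
    whether IDs were walked in strictly ascending order (typical of scripts)."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        pm = PROFILE_RE.match(parsed[2]) if parsed else None
        if pm:
            per_client[parsed[1]].append((parsed[0], int(pm.group(1))))
    findings = {}
    for ip, events in per_client.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        ids = [pid for _, pid in events]
        ratio = len(set(ids)) / len(ids)
        if best >= min_requests and ratio >= min_distinct_ratio:
            findings[ip] = {"requests_in_window": best, "distinct_ratio": round(ratio, 2),
                            "sequential": all(b > a for a, b in zip(ids, ids[1:]))}
    return findings

def build_sample_log():
    """Constructed traffic: a scripted client walking 60 consecutive profile IDs in
    two minutes, plus an interactive user revisiting a few profiles over an hour."""
    base = datetime(2026, 4, 28, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).strftime(TS_FMT)} 203.0.113.7 GET /api/profile/{1000 + i} 200"
             for i in range(60)]
    lines += [f"{(base + timedelta(minutes=10 * i)).strftime(TS_FMT)} 198.51.100.5 GET /api/profile/{pid} 200"
              for i, pid in enumerate([42, 42, 77, 42, 99, 77])]
    return lines
```

The thresholds are starting points; in production they should be tuned per endpoint against a baseline of legitimate traffic so that the interactive user above stays below the alerting line.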
The alleged Polymarket incident highlights the growing security challenges associated with publicly accessible APIs, decentralized ecosystems, and large-scale metadata aggregation. While current evidence does not confirm a traditional network intrusion or backend compromise, the incident demonstrates how publicly exposed information can still be leveraged to build extensive intelligence datasets.
As decentralized platforms continue to expand, organizations must prioritize API security, metadata minimization, behavioral monitoring, and anomaly detection to reduce the risk of large-scale information aggregation and exposure.