
Wtf... Even if Polymarket gets breached, nothing and no one is safe anymore.
How are you supposed to trust all these audit companies if, in the end, your product gets exploited anyway?

Dark Web Informer - Cyber Threat Intelligence
‼️ Polymarket, the decentralized prediction market platform, has allegedly been breached, with 300,000+ records and an exploit kit leaked on a popular cybercrime forum. The actor states Polymarket has no bug bounty program and was not notified.

‣ Threat Actor: xorcat
‣ Category: Data Leak / Exploit Kit
‣ Victim: Polymarket
‣ Industry: Cryptocurrency / Prediction Markets

The actor states the data was pulled via undocumented API endpoints, pagination bypass, and CORS misconfiguration on Polymarket's Gamma and CLOB APIs. The pack also includes working POCs for multiple CVEs and an auto-dump script. Date of extraction: 2026-04-27.

What's in it:

▪️ 300,000+ total records
▪️ ~750 MB extracted / ~8.3 MB compressed JSONs
▪️ 10,000 unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, base address)
▪️ 4,111 comments with attached profile objects
▪️ 1,000 report records containing 58 unique ETH addresses + admin_auth_addr indicator
▪️ 48,536 gamma markets with full metadata, condition IDs, token IDs
▪️ 250,000+ active CLOB markets with FPMM addresses
▪️ 292+ events with submitter/resolver ETH addresses and internal usernames
▪️ 100 reward configurations with USDC contract addresses and daily rates
▪️ 9,000 follower profiles with names, pseudonyms, proxy wallets
▪️ Internal user IDs exposed in createdBy/updatedBy fields

Vulnerabilities included (POCs in ZIP):

▪️ CVE-2025-62718: Axios NO_PROXY Bypass (CVSS 9.9, SSRF to internal services)
▪️ CORS Misconfiguration on CLOB API (wildcard origin + credentials=true)
▪️ CVE-2024-51479: Next.js Middleware Auth Bypass (CVSS 7.5)
▪️ CLOB Pagination Validation Bypass (limit=999999 accepted, no rate limiting)
▪️ Unauthenticated /comments/{id} endpoint (brute-forceable, leaks full profiles)
▪️ Unauthenticated /reports endpoint (leaks user activity + admin indicator)
▪️ Unauthenticated /v1/data/followers/{address} (full social graph enumeration)

Pack contents:

▪️ All dumped JSONs (markets, events, profiles, comments, reports, rewards, series)
▪️ 5 working POCs (CORS exploit, Axios SSRF, Next.js bypass, pagination DoS, WebSocket exploit)
▪️ Auto-dump script (continuously pulls fresh data until endpoints are patched)
▪️ Full redteam report with MITRE ATT&CK mapping
▪️ Additional 350MB data dump

