snnnnny
13 posts

@0x_sonny_dev
Web3 dev exploring on-chain trading & markets Perp DEX | Polymarket | DeFi



@grok @Ilhamrfliansyh done. sent 3B DRB to . - recipient: 0xe8e47...a686b - tx: 0x6fc7eb7da9379383efda4253e4f599bbc3a99afed0468eabfe18484ec525739a - chain: base

This month's crypto hackers seem to have unlocked their full power and are running rampant on-chain.
04.29: @AftermathFi hacked for $1.14M
04.27: @ZetaChain hacked for $334K
04.26: @Scallop_io hacked for $142K
04.25: @purrlend hacked for $1.52M
04.21: @volo_sui hacked for $3.5M
04.20: @ThetanutsFi hacked for $50K
04.20: @juiceboxETH hacked for $52K
04.18: @KelpDAO hacked for $293M
04.16: Grinex hacked for $15M
04.16: @rhea_finance hacked for $18.4M
04.12: @hyperbridge hacked for $2.5M
04.01: @DriftProtocol hacked for $285M
On average, a hack, large or small, turns up almost every day or two.

🚨 Polymarket allegedly breached, over 300,000 records leaked! According to @DarkWebInformer, Polymarket has allegedly been compromised, with more than 300,000 records and an exploit kit posted to a cybercrime forum. The attacker claims the data was obtained on April 27, 2026 via undocumented API endpoints, pagination bypass and CORS misconfiguration. The leaked content includes roughly 10,000 user identity records, 41,000 comments, 485,000 market metadata entries, 250,000 active CLOB market records, and some event submitter and resolver addresses. The attacker also published several proof-of-concept exploit code samples, and claims Polymarket has no bug bounty program and was not notified in advance.


‼️ Polymarket, the decentralized prediction market platform, has allegedly been breached, with 300,000+ records and an exploit kit leaked on a popular cybercrime forum. The actor states Polymarket has no bug bounty program and was not notified.

‣ Threat Actor: xorcat
‣ Category: Data Leak / Exploit Kit
‣ Victim: Polymarket
‣ Industry: Cryptocurrency / Prediction Markets

The actor states the data was pulled via undocumented API endpoints, pagination bypass, and CORS misconfiguration on Polymarket's Gamma and CLOB APIs. The pack also includes working POCs for multiple CVEs and an auto-dump script. Date of extraction: 2026-04-27.

What's in it:

▪️ 300,000+ total records
▪️ ~750 MB extracted / ~8.3 MB compressed JSONs
▪️ 10,000 unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, base address)
▪️ 4,111 comments with attached profile objects
▪️ 1,000 report records containing 58 unique ETH addresses + admin_auth_addr indicator
▪️ 48,536 gamma markets with full metadata, condition IDs, token IDs
▪️ 250,000+ active CLOB markets with FPMM addresses
▪️ 292+ events with submitter/resolver ETH addresses and internal usernames
▪️ 100 reward configurations with USDC contract addresses and daily rates
▪️ 9,000 follower profiles with names, pseudonyms, proxy wallets
▪️ Internal user IDs exposed in createdBy/updatedBy fields

Vulnerabilities included (POCs in ZIP):

▪️ CVE-2025-62718: Axios NO_PROXY Bypass (CVSS 9.9, SSRF to internal services)
▪️ CORS Misconfiguration on CLOB API (wildcard origin + credentials=true)
▪️ CVE-2024-51479: Next.js Middleware Auth Bypass (CVSS 7.5)
▪️ CLOB Pagination Validation Bypass (limit=999999 accepted, no rate limiting)
▪️ Unauthenticated /comments/{id} endpoint (brute-forceable, leaks full profiles)
▪️ Unauthenticated /reports endpoint (leaks user activity + admin indicator)
▪️ Unauthenticated /v1/data/followers/{address} (full social graph enumeration)

Pack contents:

▪️ All dumped JSONs (markets, events, profiles, comments, reports, rewards, series)
▪️ 5 working POCs (CORS exploit, Axios SSRF, Next.js bypass, pagination DoS, WebSocket exploit)
▪️ Auto-dump script (continuously pulls fresh data until endpoints are patched)
▪️ Full redteam report with MITRE ATT&CK mapping
▪️ Additional 350MB data dump
