DATABASE Polymarket.com FULL API BREACH - 10M+ Records, 300k Real Identities, Admin 2026-04

DBHunter · May 14, 2026

Hello DNA Community,
Today I have uploaded the Polymarket.com Full API Dump & Exploit Kit - Decentralized prediction market platform with full user PII, market data and internal API access.

Database Info:
- Target: Polymarket.com (Gamma API + CLOB API)
- Total Records: ~10M+ across all endpoints
- Total Size: ~1GB extracted
- Date: 2026-04-27
- Method: Undocumented API endpoints + pagination bypass + CORS misconfiguration
- Auth: None required for extraction (unauthenticated endpoints)

Vulnerabilities Included (POCs in ZIP):
- CVE-2025-62718 (Axios NO_PROXY Bypass) - CVSS 9.9 - SSRF to internal services
- CORS Misconfiguration on CLOB API - wildcard origin + credentials=true
- CVE-2024-51479 (Next.js Middleware Auth Bypass) - CVSS 7.5
- CLOB Pagination Validation Bypass - limit=999999 accepted silently, no rate limiting
- Unauthenticated /comments/{id} endpoint - brute-forceable, leaks full profiles
- Unauthenticated /reports endpoint - leaks user activity + admin indicator
- Unauthenticated /v1/data/followers/{address} - full social graph enumeration

Compromised Data:
- 10k unique user profiles with full PII (name, pseudonym, bio, profile image, proxy wallet, base address)
- 4111 comments with attached full profile objects
- 1000 report records containing 58 unique ETH addresses + admin_auth_addr indicator
- 48,536 gamma markets with full metadata, condition IDs, token IDs
- 250,000+ active CLOB markets with FPMM addresses
- 292+ events with submitter/resolver ETH addresses and internal usernames
- 100 reward configurations with USDC contract addresses and daily rates
- 9000 follower profiles with names, pseudonyms and proxy wallets
- Internal user IDs exposed in createdBy/updatedBy fields

Sample Data (10 records):

Quote:{
"0x194c82509f6e020cd50c40072a2007850216cd94": {
"name": "billl",
"pseudonym": "Keen-Format",
"displayUsernamePublic": true,
"proxyWallet": "0x11fae40c66a22907a51c9b248e3dadd57e161f58",
"baseAddress": "0x194c82509f6e020cd50c40072a2007850216cd94"
},
"0x36d7997e23e64e583bdc3172fedc636c14b0b1fe": {
"name": "testorrrr-testing-mc-testfacey",
"pseudonym": "Sorrowful-Inspection",
"displayUsernamePublic": true,
"bio": "",
"proxyWallet": "0x505da8075db50c4fe971aacf4b56cea1289c87b2",
"baseAddress": "0x36d7997e23e64e583bdc3172fedc636c14b0b1fe"
},
"0xd5039d967e6aafee9b778f2968120cf61fbd3a14": {
"name": "sauceman",
"pseudonym": "Infinite-Procedure",
"displayUsernamePublic": true,
"bio": "super saucy, yeee hawwwww",
"proxyWallet": "0x388911e52bb2eb440b9f03ed24bcef13c93e1499",
"baseAddress": "0xd5039d967e6aafee9b778f2968120cf61fbd3a14",
"profileImage": "https://polymarket-upload.s3.us-eas...aee7-4903-a77f-18d7e31b0bfd_1727312629948.gif"
},
"0x7ca59c0dfb89ff74122cee78717cfc03597fa6e3": {
"name": "fresh-boi",
"pseudonym": "Responsible-Nightlight",
"displayUsernamePublic": true,
"bio": "a very fresh boi",
"proxyWallet": "0x3d337b38456ce815325e623ca2ab136b8fcb4414",
"baseAddress": "0x7ca59c0dfb89ff74122cee78717cfc03597fa6e3",
"profileImage": "https://polymarket-upload.s3.us-eas..._06_at_5_48_09_PM_fresh-boi_1688690915790.png"
},
"0x182a098bda4b4dbf25ff1943c84142a699c05085": {
"name": "ImJustKen",
"pseudonym": "Ample-Instance",
"displayUsernamePublic": true,
"bio": "",
"proxyWallet": "0x9d84ce0306f8551e02efef1680475fc0f1dc1344",
"baseAddress": "0x182a098bda4b4dbf25ff1943c84142a699c05085",
"profileImage": "https://polymarket-upload.s3.us-eas...2662-8ddbc8e8-0500-44b7-bb13-c0b32a40a45d.jpg"
},
"0x470914b32acb86eefb78f33e2949f38d2e2c87f1": {
"name": "INTERPOL",
"pseudonym": "Cloudy-Comeback",
"displayUsernamePublic": true,
"bio": "Ive been around",
"proxyWallet": "0x255e42f3a373dda78e208a9ab5923123ef86f6dc",
"baseAddress": "0x470914b32acb86eefb78f33e2949f38d2e2c87f1",
"profileImage": "https://polymarket-upload.s3.us-eas...6614-b3ced9f5-53a6-49d3-8e14-901c3c0d9a16.png"
},

Quote:{"data":[{"enable_order_book":false,"active":true,"closed":true,"archived":false,"accepting_orders":false,"accepting_order_timestamp":null,"minimum_order_size":15,"minimum_tick_size":0.01,"condition_id":"0x5eed579ff6763914d78a966c83473ba2485ac8910d0a0914eef6d9fcb33085de","question_id":"0x2d5ddf657e4a090bc22921bf6865bcdb741a7b96ce45eb583be041756fad04a0","question":"NCAAB: Arizona State Sun Devils vs. Nevada Wolf Pack 2023-03-15","description":"In the upcoming NCAAB game, scheduled for March 15 at 9:10 PM ET:\n\nIf the Arizona State Sun Devils win, the market will resolve to “Arizona State”.\n\nIf the Nevada Wolf Pack win, the market will resolve to “Nevada”.\n\n If the game is not completed by April 10, 2023 (11:59:59 PM ET), the market will resolve 50-50.","market_slug":"ncaab-arst-nev-2023-03-15","end_date_iso":"2023-03-15T00:00:00Z","game_start_time":"2023-03-16T01:10:00Z","seconds_delay":3,"fpmm":"0x28560c82A95e9882a7ed131FD4477BCfeB0B8575","maker_base_fee":0,"taker_base_fee":0,"notifications_enabled":true,"neg_risk":false,"neg_risk_market_id":"","neg_risk_request_id":"","icon":"https://polymarket-upload.s3.us-east-2.amazonaws.com/marchmadness.jpeg","image":"https://polymarket-upload.s3.us-east-2.amazonaws.com/marchmadness.jpeg","rewards":{"rates":null,"min_size":0,"max_spread":0},"is_50_50_outcome":false,"tokens":[{"to

Quote:{"data":[{"market_id":"1284282","condition_id":"0x0001cb8c0b39aeb614ab9a43867595317f06ede9c011661513065c638fbbefda","question":"Will the Republican Party win the NY-11 House seat?","market_slug":"will-the-republican-party-win-the-ny-11-house-seat","volume_24hr":0,"event_id":"191565","event_slug":"ny-11-house-election-winner","image":"","maker_address":"0x0000000000000000000000000000000000000000","tokens":[{"token_id":"50868012450412588231700991321379235183301872220529434142919756787462014093776","outcome":"Yes","price":0.81},{"token_id":"37843096702983984154813593339817451110105539743235209768242171001456417281055","outcome":"No","price":0.19}],"rewards_config":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","start_date":"2026-02-17","end_date":"2500-12-31","rate_per_day":1,"total_rewards":0,"id":0}],"earnings":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","earnings":0,"asset_rate":0.999799}],"rewards_max_spread":4.5,"rewards_min_size":50,"earning_percentage":0,"spread":0.02,"market_competitiveness":291.972467},{"market_id":"1900942","condition_id":"0x00161225e24382f0b8f2856f1e9d59a7a5839a9a231b3a33d52dd28ba89205bf","question":"Will T1 qualify for EWC 2026?","market_slug":"will-t1-qualify-for-ewc-2026-788","volume_24hr":39.35,"event_id":"352462","event_slug":"ewc-2026-korea-qualifiers","image":"https://polymarket-upload.s3.us-east-2.amazonaws.com/t1-lol-4665de61ae.png","maker_address":"0x0000000000000000000000000000000000000000","tokens":[{"token_id":"103872542387531296482194799730477588833591954933084382483449409187432710012415","outcome":"Yes","price":0.45},{"token_id":"1249401390009000815195116448493253369138083566922466489637862699825243832418","outcome":"No","price":0.55}],"rewards_config":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","start_date":"2026-04-27","end_date":"2500-12-31","rate_per_day":17,"total_rewards":0,"id":0}],"earnings":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","earnings":0,"asset_rate":0.999799}],"rewards_max_spread":4.5,"rewards_min_size":20,"earning_percentage":0,"spread":0.28,"market_competitiveness":0},{"market_id":"1610253","condition_id":"0x0018a5e573807ce12608f7baf29af19b490582c399a93606ede2d640127fec7d","question":"Will the DFM Real Estate Index hit 14,000 in 2026?","market_slug":"will-the-dfm-real-estate-index-hit-14000-in-2026","volume_24hr":0,"event_id":"277152","event_slug":"what-level-will-the-dubai-real-estate-index-hit-in-2026","image":"https://polymarket-upload.s3.us-eas...eal-estate-index-hit-in-2026-V0vDNE9Ao2Ph.jpg","maker_address":"0x0000000000000000000000000000000000000000","tokens":[{"token_id":"100548662227977253437132214754332127909750241895720750377165978491043235859635","outcome":"Yes","price":0.81},{"token_id":"26540917401878717867959016544911838706438057055594386787597826790169561613259","outcome":"No","price":0.19}],"rewards_config":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","start_date":"2026-03-16","end_date":"2500-12-31","rate_per_day":5,"total_rewards":0,"id":0}],"earnings":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","earnings":0,"asset_rate":0.999799}],"rewards_max_spread":5.5,"rewards_min_size":50,"earning_percentage":0,"spread":0.04,"market_competitiveness":13.373194},{"market_id":"1927582","condition_id":"0x002800d1a67d94f592d5d3ccfd985065a31f9869a006f1855ca2f544c965733c","question":"Will Satoshi's identity be revealed by December 31?","market_slug":"will-satoshis-identity-be-revealed-by-december-31","volume_24hr":0,"event_id":"360860","event_slug":"satoshis-identity-be-proven-by","image":"https://polymarket-upload.s3.us-east-2.amazonaws.com/satoshi.png","maker_address":"0x0000000000000000000000000000000000000000","tokens":[{"token_id":"21283153668269605997616141123303130183551299617622313858944018715458429399235","outcome":"Yes","price":0.085},{"token_id":"20422989273993244754906856186519682858694143423517641045356042701144662588778","outcome":"No","price":0.915}],"rewards_config":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","start_date":"2026-04-09","end_date":"2500-12-31","rate_per_day":3,"total_rewards":0,"id":0}],"earnings":[{"asset_address":"0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174","earnings":0,"asset_rate":0.999799}

Quote: "id": "4",
"body": "i am netherlands number one fan",
"parentEntityType": "Event",
"parentEntityID": 902266,
"userAddress": "0x194c82509f6e020cd50c40072a2007850216cd94",
"createdAt": "2023-08-10T20:56:54.915712Z",
"profile": {
"name": "billl",
"pseudonym": "Keen-Format",
"displayUsernamePublic": true,
"proxyWallet": "0x11fae40c66a22907a51c9b248e3dadd57e161f58",
"baseAddress": "0x194c82509f6e020cd50c40072a2007850216cd94"
},
"reportCount": 0,
"reactionCount": 0
},
{
"id": "6",
"body": "i am second comment",
"parentEntityType": "Event",
"parentEntityID": 902276,
"userAddress": "0x36d7997e23e64e583bdc3172fedc636c14b0b1fe",
"createdAt": "2023-08-11T20:07:32.866846Z",
"profile": {
"name": "testorrrr-testing-mc-testfacey",
"pseudonym": "Sorrowful-Inspection",
"displayUsernamePublic": true,
"bio": "",
"proxyWallet": "0x505da8075db50c4fe971aacf4b56cea1289c87b2",
"baseAddress": "0x36d7997e23e64e583bdc3172fedc636c14b0b1fe"
},
"reportCount": 0,
"reactionCount": 0
},
{
"id": "12",

Pack Contents:
- All dumped JSONs (markets, events, profiles, comments, reports, rewards, series)
- 5 working POCs (CORS exploit, Axios SSRF, Next.js bypass, pagination DoS, WebSocket exploit)
- Auto-dump script - runs continuously and pulls fresh data until they patch the endpoints
- Full redteam report with MITRE ATT&CK mapping
Download:

To see this hidden content, you must React with one of the following reactions : Like, Love, Haha, Wow

DATABASE Polymarket.com FULL API BREACH - 10M+ Records, 300k Real Identities, Admin 2026-04

DBHunter

Similar threads

Privacy & Transparency

Privacy & Transparency