
CoinMarketCap Compromised—Users Hit by Wallet-Draining Web3 Scam

 


CoinMarketCap, the popular cryptocurrency price tracking site, experienced a website supply chain attack that exposed site visitors to a wallet drainer campaign aiming to steal their crypto assets.

Beginning on Friday evening, January 20, CoinMarketCap visitors started encountering Web3 popups that prompted them to connect their wallets to the site. However, when visitors connected their wallets, a malicious script immediately drained their cryptocurrency.

Later, the company confirmed that threat actors exploited a vulnerability in the site’s homepage “doodle” image to inject malicious JavaScript into the platform.

“On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image included a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when they visited our homepage,” stated a message posted on X.

“Upon discovery, we took immediate action to remove the problematic content, identified the root cause, and implemented comprehensive measures to isolate and mitigate the issue.”

“We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users.”

How it works

Meanwhile, cybersecurity firm c/side explained that the attack occurred after the threat actors somehow modified the API the site used to retrieve the doodle image for the homepage. This tampered JSON payload then included a malicious script tag that injected a wallet drainer script into CoinMarketCap from an external site named “static.cdnkit[.]io.”

When someone visited the page, the script would execute and display a fake wallet connect popup using CoinMarketCap branding and mimicking a legitimate Web3 transaction request. However, this script actually functioned as a wallet drainer, designed specifically to steal assets from connected wallets.

“This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but instead compromised a third-party tool or resource used by CMC,” clarified c/side.

“Such attacks are difficult to detect because they exploit trusted elements of a platform.”
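One way to catch the kind of tampering described above before a payload reaches the page, as an added example (not CoinMarketCap's or c/side's code): audit every string in the JSON response for active markup and for URLs whose host is not on an allowlist. The payload shape, `ALLOWED_HOSTS`, and the hosts `assets.example.com` and `cdn.untrusted.example` are assumptions constructed for illustration.

```javascript
// Added example: audit a third-party JSON payload before any field reaches the DOM.
// ALLOWED_HOSTS and the payload shape are assumptions, not CoinMarketCap's real API.
const ALLOWED_HOSTS = new Set(["assets.example.com"]);

// Markup that has no place in a payload meant to describe an image.
const ACTIVE_MARKUP = /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i;
const URL_PATTERN = /(?:https?:)?\/\/[^\s"'<>)]+/gi;

function hostOf(rawUrl) {
  try {
    // Protocol-relative URLs (//host/path) inherit the page scheme; assume https.
    const absolute = rawUrl.startsWith("//") ? "https:" + rawUrl : rawUrl;
    return new URL(absolute).hostname.toLowerCase();
  } catch {
    return null; // unparsable URLs are treated as untrusted
  }
}

// Recursively walk every string in the payload and collect findings.
function auditPayload(value, path = "$", findings = []) {
  if (typeof value === "string") {
    if (ACTIVE_MARKUP.test(value)) findings.push({ path, reason: "active-markup" });
    for (const url of value.match(URL_PATTERN) || []) {
      const host = hostOf(url);
      if (!host || !ALLOWED_HOSTS.has(host)) {
        findings.push({ path, reason: "untrusted-host", host });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => auditPayload(item, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      auditPayload(child, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Constructed samples: a clean doodle record and one carrying an injected script tag.
const cleanDoodle = { name: "doodle", image: "https://assets.example.com/doodle.png" };
const tamperedDoodle = {
  name: "doodle",
  image: "https://assets.example.com/doodle.png",
  extra: { html: '<script src="https://cdn.untrusted.example/popup.js"></script>' },
};

console.log(auditPayload(cleanDoodle));    // no findings
console.log(auditPayload(tamperedDoodle)); // active markup plus an untrusted host
```

A payload with any findings should be rejected outright rather than sanitized and rendered; a Content Security Policy that restricts `script-src` to known hosts gives a second layer if the check is bypassed.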

Subsequently, more details about the attack emerged from a threat actor known as Rey, who revealed that the attackers behind the CoinMarketCap supply chain attack shared a screenshot of the drainer panel on a Telegram channel.

This panel showed that $43,266 was stolen from 110 victims during this supply chain attack, with the threat actors speaking French in the Telegram chat.

As cryptocurrency’s popularity continues to rise, so does the threat from wallet drainers, which attackers commonly use in similar campaigns.

Unlike traditional phishing, these attacks more often reach victims through social media posts, advertisements, spoofed websites, and malicious browser extensions that embed wallet-draining scripts.

Recent reports indicate that wallet drainers stole nearly $500 million in 2024 by targeting over 300,000 wallet addresses.

In response to the growing threat, Mozilla recently introduced a new system to detect wallet drainers in browser add-ons submitted to the Firefox Add-on repository.

 


Source: BleepingComputer
