A recent cyber-attack on CoinMarketCap, one of the most visited cryptocurrency tracking sites, has briefly exposed users to a fake Web3 wallet prompt that stole funds from connected wallets. The breach was discovered on Friday evening, June 20, and has since been contained.
Visitors to the site were shown a popup that mimicked a standard Web3 connection request, urging them to link their crypto wallets.
Once connected, the prompt triggered a wallet-draining script that transferred assets out of users’ accounts. The source of the vulnerability was traced back to a homepage “doodle” image, which had been compromised through a tampered API call.
CoinMarketCap confirmed the breach in a statement posted to X (formerly Twitter), explaining that attackers had injected malicious JavaScript via a modified JSON payload linked to the doodle image. The payload loaded a script from an external source, static.cdnkit[.]io, which displayed the popup and executed the wallet-draining code.
“Upon discovery, we acted immediately to remove the problematic content, identified the root cause, and comprehensive measures have been implemented to isolate and mitigate the issue,” the company said.
“All systems are now fully operational.”
Read more on the rise of wallet drainer threats in the crypto ecosystem: Scammers Drain $500m from Crypto Wallets in a Year
Cybersecurity firm c/side, which analyzed the breach, described the incident as a supply chain attack. It noted that the attackers did not infiltrate CoinMarketCap’s servers directly but instead compromised a third-party resource used by the platform.
These types of attacks are difficult to detect, as they exploit trusted parts of a site’s infrastructure.
A threat actor known as Rey later shared a screenshot of the attacker’s dashboard on X and Telegram, revealing that 110 wallets were affected and a total of $43,266 was stolen. Messages in the channel indicated the attackers were communicating in French.
In response to the popup, wallet providers MetaMask and Phantom flagged CoinMarketCap as unsafe. Phantom even issued an in-browser warning, urging users not to connect their wallets.
The phishing-style prompt specifically targeted ERC-20 tokens, a common format used across many crypto wallets. Several users on crypto forums quickly shared warnings, helping to limit the scope of the breach.
This incident has reignited concerns about CoinMarketCap’s security posture. In 2021, the platform faced criticism after a breach exposed 3.1 million email addresses. Owned by Binance, CoinMarketCap remains a significant hub in the crypto space, making it an attractive target for attackers.
Image credit: Iryna Budanova / Shutterstock.com