CoinMarketCap Suffers Security Breach: Fraudulent Web3 Popups Drain Crypto Wallets
By Lawrence Abrams
June 22, 2025 – 05:47 PM
CoinMarketCap, a leading cryptocurrency price tracking platform, experienced a significant cybersecurity incident on January 20, 2025, during which malicious actors exploited a vulnerability in the website to execute a wallet draining scheme. The attack involved deceptive Web3 popups that prompted users to connect their cryptocurrency wallets, leading to extensive financial losses for several victims.
Attack Overview
The incident began on the evening of January 20 when visitors to CoinMarketCap encountered unsolicited popups urging them to link their wallets to the site. Unbeknownst to users, these popups, delivered by a hidden script, were designed to extract funds from their crypto wallets once connected. The threat was linked to a flaw in the site’s "doodle" image displayed on the homepage, which was manipulated to inject malicious JavaScript into the platform.
According to a statement from CoinMarketCap’s security team, upon discovering the breach, they promptly identified the vulnerability associated with the doodle image. They explained that the image linked to a flawed API call, which triggered an unexpected popup for some users. “We acted immediately to remove the problematic content and comprehensive measures have been implemented to isolate and mitigate the issue,” the company stated, affirming that their systems were restored and secure for user transactions.
Technical Details
Cybersecurity firm c/side provided further insights into the mechanics of the attack. The attackers had altered the API used by CoinMarketCap to retrieve the doodle image so that it returned a tampered JSON payload. This payload included a malicious script tag sourced from an external site, which produced the popup, branded to resemble CoinMarketCap’s legitimate Web3 transaction requests.
The script deceived users into believing they were engaged in a genuine wallet connection request while it siphoned off their cryptocurrency assets. “This was a supply chain attack, meaning the breach didn’t target CoinMarketCap’s own servers but a third-party tool or resource utilized by the site,” c/side noted. Such attacks are notoriously difficult to detect because they abuse elements of a platform that are trusted by default.
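A defender-side check for the tampering described above, as an added example that is not from the article, CoinMarketCap, or c/side: it walks a parsed JSON response before anything is rendered and flags script tags, inline handlers, and URLs outside an allowlist. The field names, hosts, and sample payloads are constructed assumptions.

```javascript
// Added example: field names and hosts are constructed, not CoinMarketCap's real API.
const ALLOWED_HOSTS = new Set(["static.example-tracker.test"]); // assumed asset allowlist

// Active content that has no place in an image-metadata response.
const ACTIVE_CONTENT = [
  { rule: "script-tag", re: /<\s*script\b/i },
  { rule: "event-handler", re: /\bon[a-z]+\s*=/i },
  { rule: "javascript-url", re: /javascript\s*:/i },
];
const URL_RE = /(?:https?:)?\/\/[^\s"'<>)]+/gi; // absolute and protocol-relative URLs

// Recursively walk a parsed JSON value; return findings tagged with their JSON path.
function auditPayload(value, path = "$", findings = []) {
  if (typeof value === "string") {
    for (const { rule, re } of ACTIVE_CONTENT) {
      if (re.test(value)) findings.push({ path, rule });
    }
    for (const raw of value.match(URL_RE) || []) {
      let host;
      try {
        host = new URL(raw, "https://placeholder.invalid").hostname;
      } catch {
        findings.push({ path, rule: "unparseable-url" });
        continue;
      }
      if (!ALLOWED_HOSTS.has(host)) findings.push({ path, rule: "external-host", host });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => auditPayload(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) auditPayload(v, `${path}.${k}`, findings);
  }
  return findings;
}

// Constructed samples: a clean response and one carrying an injected script tag.
const cleanDoodle = { doodle: { image: "https://static.example-tracker.test/doodle.json", alt: "Doodle" } };
const tamperedDoodle = {
  doodle: {
    image: "https://static.example-tracker.test/doodle.json",
    layers: [{ markup: "<script src=\"https://cdn.untrusted.invalid/popup.js\"></script>" }],
  },
};

console.log(auditPayload(cleanDoodle));    // no findings
console.log(auditPayload(tamperedDoodle)); // script-tag and external-host at $.doodle.layers[0].markup
```

Run as a gate in the code path that consumes the response, so a non-empty result blocks rendering and raises an alert instead of reaching the page.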
Impact and Financial Losses
Additional information regarding the breach indicated that the attackers, operating under the moniker Rey, disclosed details in a Telegram channel, including a screenshot of the drainer panel. Reports from this source revealed that approximately $43,266 was extracted from a total of 110 victims as a direct result of the incident, highlighting the effectiveness of the scheme.
The rise in cryptocurrency’s popularity correlates directly with the increasing prevalence of wallet draining attacks. Unlike traditional phishing attacks, which may be more straightforward, wallet drainers are often propagated through social media, deceptive advertisements, and forged websites. In 2024 alone, wallet drainers are reported to have stolen nearly $500 million, affecting over 300,000 wallet addresses.
Response to the Threat
In response to the growing threat, organizations such as Mozilla are taking proactive measures. Mozilla has introduced a detection system aimed at identifying wallet drainers in browser extensions uploaded to the Firefox Add-on repository, a sign of the urgent need for stronger security tooling.
As cyber threats evolve, both organizations and individual users are required to remain vigilant and proactive in their cybersecurity practices. The CoinMarketCap incident serves as a cautionary tale about the potential vulnerabilities that can exist within popular platforms and the far-reaching impacts of supply chain attacks in the cryptocurrency domain.
Conclusion
While CoinMarketCap has taken steps to fortify its defenses following this breach, the incident underscores the importance of cybersecurity in the digital currency space. Users are urged to exercise caution when connecting their wallets and to stay informed about potential threats and security measures that can help safeguard their assets.
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com, specializing in cybersecurity, computer forensics, and malware analysis.