CoinMarketCap Hacked in Supply Chain Attack: Wallet Drainer Popup Compromises User Security
By Lawrence Abrams
June 22, 2025 | 05:47 PM
CoinMarketCap, one of the most popular cryptocurrency price tracking platforms, experienced a serious security breach on January 20, 2025, during which a supply chain attack exposed users to a fraudulent wallet drainer campaign. This incident highlights the ongoing cyber threats that have increasingly targeted the cryptocurrency space.
Details of the Attack
On the evening of the attack, visitors to CoinMarketCap’s homepage were presented with suspicious Web3 popups prompting them to connect their cryptocurrency wallets. For those who complied, a malicious script ran and drained their crypto assets.
In a statement released shortly after the incident, CoinMarketCap confirmed that cybercriminals exploited a vulnerability associated with an image used in the site’s homepage "doodle." The company reported, “On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when visiting our homepage.”
To mitigate the damage, the company acted swiftly to remove the malicious content and implemented measures to prevent similar attacks in the future. “We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users,” they assured.
Method of the Attack
Cybersecurity firm c/side explained how the attack unfolded. The attackers manipulated the API that CoinMarketCap uses to retrieve the doodle image, injecting a malicious script tag into the JSON payload. That tag loaded the wallet drainer script, which was hosted on an external site.
As visitors accessed the compromised homepage, the script executed, displaying a fake wallet connect popup that imitated legitimate Web3 transaction requests. In reality, this deceptive interface was designed to steal assets from users’ connected wallets.
"This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but a third-party tool or resource used by CMC," explained c/side. Such supply chain attacks are particularly challenging to detect because they exploit trusted components of a platform.
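A defensive check for the failure described above, added here as an illustration and not code from CoinMarketCap or c/side: it audits a doodle-style JSON response for embedded markup and for URLs outside an allowlist, and fails closed before anything is rendered. The field names, hosts and sample payloads are constructed assumptions.

```javascript
// Added example: schema, hosts and payloads are constructed, not CoinMarketCap's real API.
const ALLOWED_HOSTS = new Set(["static.example-cdn.test"]); // assumed asset-host allowlist
const TAG = /<[a-z\/!]/i;                 // start of an HTML tag, closing tag or comment
const ABS_URL = /^[a-z][a-z0-9+.-]*:\/\//i; // string that looks like an absolute URL

// Walk every value in the parsed JSON and collect policy violations with their JSON path.
function auditPayload(value, path = "$", findings = []) {
  if (typeof value === "string") {
    if (TAG.test(value)) {
      findings.push({ path, reason: "markup-in-string" });
    } else if (ABS_URL.test(value)) {
      let host = null;
      try {
        const u = new URL(value);
        if (u.protocol === "https:") host = u.hostname; // only https assets are acceptable
      } catch { /* unparsable URL: host stays null and is rejected below */ }
      if (host === null || !ALLOWED_HOSTS.has(host)) {
        findings.push({ path, reason: "url-not-allowlisted" });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => auditPayload(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) auditPayload(v, `${path}.${k}`, findings);
  }
  return findings;
}

// Fail closed: hand data to the renderer only when the audit is clean.
function safeDoodle(rawJson) {
  let parsed;
  try { parsed = JSON.parse(rawJson); }
  catch { return { ok: false, findings: [{ path: "$", reason: "invalid-json" }] }; }
  const findings = auditPayload(parsed);
  return findings.length ? { ok: false, findings } : { ok: true, doodle: parsed };
}

// Constructed samples: one clean response, one with an injected script tag and a foreign URL.
const CLEAN = JSON.stringify({ name: "summer",
  image: "https://static.example-cdn.test/doodle.png" });
const TAINTED = JSON.stringify({ name: "summer",
  image: "https://static.example-cdn.test/doodle.png",
  caption: '<script src="https://cdn.placeholder.invalid/a.js"></script>',
  frames: [{ src: "https://cdn.placeholder.invalid/f.json" }] });

console.log(safeDoodle(CLEAN).ok, safeDoodle(TAINTED).findings);
```

A check like this sits alongside rendering API strings as text rather than HTML and a Content-Security-Policy that restricts script sources; it does not replace them.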
Impact on Users
According to information later disclosed by a threat actor known as Rey, more than 110 victims fell prey to this wallet-draining scheme, resulting in losses totaling approximately $43,266. The attackers discussed the operation in a Telegram channel and shared screenshots of the drainer panel, providing further evidence of the attack’s reach.
With the increasing popularity of cryptocurrency, wallet drainers have become a prevalent threat, with reports indicating that such attacks collectively stole almost $500 million from over 300,000 wallet addresses in 2024. This trend has prompted organizations like Mozilla to implement systems aimed at detecting wallet drainers within browser add-ons.
Conclusion
The CoinMarketCap incident underscores the need for constant vigilance in cybersecurity, particularly as the cryptocurrency sector continues to grow. Users are urged to remain cautious and verify the legitimacy of interactions involving their wallets. It serves as a critical reminder of the sophistication of cyber threats today and the importance of robust security measures in protecting digital assets.
As the cryptocurrency landscape evolves, both platforms and users must be proactive in safeguarding against potential attacks that could jeopardize their investments and sensitive information.