CoinMarketCap and CoinTelegraph Websites Compromised
What Happened Over the Weekend?
This past weekend, two popular crypto websites, CoinMarketCap and CoinTelegraph, were compromised to display phishing pop-ups to visitors. These pop-ups tricked users into connecting their crypto wallets under the guise of verifying their accounts.
The CoinMarketCap Compromise
CoinMarketCap, known as CMC, is a go-to website for crypto enthusiasts. It tracks the prices of cryptocurrencies, their market capitalizations, and trading volumes. But on June 20, 2025, visitors to the site were greeted by an unexpected pop-up, urging them to connect their wallets to continue accessing their CMC accounts.
The Malicious Pop-Up
As reported by Web3 on-chain security company Blockaid, the malicious pop-up began appearing on June 20 at around 9 p.m. UTC/GMT. CoinMarketCap acknowledged the breach the following day and explained that the attack was made possible by a vulnerability linked to a third-party “doodle” image shown on their homepage.
According to CoinMarketCap, this image contained a link that triggered malicious code via an API call, resulting in the unwanted pop-up for some users. By Monday, they confirmed that 76 visitors had been duped into connecting their wallets, and the attackers made off with a total of $21,624.47, which CoinMarketCap promised to reimburse.
How Did the Attacks Occur?
A US-based startup named c/side explained that the attackers interfered with the API request responsible for loading the doodle image. They manipulated it to return a JSON file containing not just metadata about active doodles, but also hidden JavaScript code. This code was crafted to:
- Run in the user’s browser
- Execute only once per session
- Hide legitimate site elements
- Create a realistic, full-screen overlay with the phishing message
When users clicked “Connect Wallet,” the script tried to connect to a crypto wallet, like MetaMask or Phantom. If successful, it communicated with rogue domains to steal wallet credentials or private keys.
The pop-up script worked with a larger JavaScript library that detected popular wallets, customized the phishing flow, and tricked users into signing malicious transactions. It also displayed fake error messages, pressuring users to retry with different wallets.
Why Was This Attack So Dangerous?
This incident is a classic example of a supply chain attack. Rather than directly breaching CoinMarketCap’s servers, the attackers compromised a third-party resource, the doodle image’s JSON file, trusted by CMC’s frontend.
Client-side attacks like these are particularly dangerous because they bypass server-side security tools and exploit user trust in familiar platforms. They can spread quickly, as the malicious code loads with each page visit.
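A frontend can refuse a tampered response like the one described above before any of it is used. The validator below is an added example, not code from CoinMarketCap or c/side: it fails closed on third-party JSON that does not match an expected shape. The schema fields, the host `static.example.com` and both sample payloads are assumptions, since the real doodle format is not shown here.

```javascript
// Hypothetical schema: field names and the allowed image host are assumptions.
const ALLOWED_IMAGE_HOSTS = new Set(["static.example.com"]);
const SCHEMA = {
  id: (v) => typeof v === "string" && /^[a-z0-9-]{1,64}$/.test(v),
  title: (v) => typeof v === "string" && v.length <= 80 && !/[<>]/.test(v),
  imageUrl: (v) => typeof v === "string" && isAllowedUrl(v),
  start: (v) => typeof v === "string" && !Number.isNaN(Date.parse(v)),
};
function isAllowedUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" && ALLOWED_IMAGE_HOSTS.has(u.hostname);
  } catch {
    return false; // not a parseable absolute URL
  }
}
// Fail closed: one unknown key or bad field rejects the whole response.
function validateDoodleResponse(rawText) {
  const errors = [];
  let data;
  try {
    data = JSON.parse(rawText);
  } catch {
    data = null; // unparseable input is rejected by the array check below
  }
  if (!Array.isArray(data)) return { ok: false, doodles: [], errors: ["expected a JSON array"] };
  const doodles = data.map((item, i) => {
    if (item === null || typeof item !== "object" || Array.isArray(item)) {
      errors.push(`item ${i}: not an object`);
      return null;
    }
    for (const key of Object.keys(item)) {
      if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) errors.push(`item ${i}: unexpected key "${key}"`);
    }
    const clean = {}; // copy only validated fields; never pass the raw object on
    for (const [key, check] of Object.entries(SCHEMA)) {
      if (check(item[key])) clean[key] = item[key];
      else errors.push(`item ${i}: bad or missing "${key}"`);
    }
    return clean;
  });
  return errors.length ? { ok: false, doodles: [], errors } : { ok: true, doodles, errors };
}
// Constructed samples: a clean response, and one carrying an unexpected extra field.
const CLEAN = '[{"id":"summer-1","title":"Summer","imageUrl":"https://static.example.com/d.png","start":"2025-06-20T00:00:00Z"}]';
const TAMPERED = '[{"id":"summer-1","title":"Summer","imageUrl":"https://static.example.com/d.png","start":"2025-06-20T00:00:00Z","note":"constructed placeholder for injected script text"}]';
```

Validation like this only helps if the frontend then renders the validated fields strictly as data (for example through `textContent` and an `img` element's `src`) and never evaluates or injects response content as markup.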
CoinTelegraph Also Compromised
CoinTelegraph, a news outlet for crypto and blockchain, also confirmed a breach. On June 21, their banner publishing system was briefly compromised, leading to a malicious advertisement that promoted a fake token airdrop on their website.
Who Was Behind These Attacks?
Both attacks appear to be linked to customers of Inferno Drainer, a “Drainer-as-a-Service” outfit. This group has been responsible for numerous similar attacks over the past few years, causing hundreds of millions in losses.
Steps Taken to Address the Breaches
Both CoinMarketCap and CoinTelegraph have now been “cleaned,” and the companies have announced that they’ve strengthened their security measures to prevent future attacks. This includes enhancing their monitoring systems and reviewing third-party integrations more thoroughly.
Stay Informed and Safe
As these incidents show, even trusted platforms can be compromised. It’s essential to remain vigilant and cautious when dealing with online platforms, especially those involving financial transactions like cryptocurrencies.
Image Credit: www.helpnetsecurity.com