CoinMarketCap and CoinTelegraph Phishing Scandal
What Happened Over the Weekend?
This weekend, the CoinMarketCap (CMC) and CoinTelegraph websites were compromised and served phishing pop-ups that tricked visitors into connecting their crypto wallets. Both platforms are well known in the cryptocurrency community: CoinMarketCap tracks crypto prices and CoinTelegraph provides blockchain news.
The CoinMarketCap Compromise
CoinMarketCap is a go-to website for crypto investors. On June 20, 2025, visitors were surprised by a pop-up on the homepage urging them to connect their wallets to keep their CMC account active.
The malicious pop-up on CMC
Blockaid, a Web3 on‑chain security company, reported that this malicious pop-up began appearing on June 20 at around 9 p.m. UTC/GMT. CoinMarketCap confirmed the compromise and explained that the attack was due to a vulnerability associated with a third-party “doodle” image displayed on their homepage.
“This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when visiting our homepage,” CoinMarketCap explained. By Monday, they confirmed that 76 visitors had been scammed into connecting their wallets, resulting in a loss of $21,624.47, which they promised to reimburse.
How Did This Happen?
According to the US-based startup c/side, the attackers managed to tamper with the API request that loads the doodle image. They made it return a JSON file containing not only metadata about active doodles but also hidden JavaScript code designed to:
- Run in the user’s browser
- Execute only once per session
- Hide legitimate site elements
- Create a realistic, full-screen overlay with the phishing message
“When the user clicks ‘Connect Wallet,’ the script attempts to connect to a crypto wallet like MetaMask or Phantom,” explained c/side. “If connected, the script communicates with rogue domains such as walletconnect.com or trustwallet.com to steal wallet credentials or private keys.”
This pop-up script interacted with a larger JavaScript library, which could detect and connect to popular wallets, customize the phishing process, trick users into signing malicious transactions, and display fake error messages to pressure them into retrying with different wallets.
“This incident is a textbook example of a supply chain attack. Attackers did not breach CoinMarketCap’s servers directly. Instead, they compromised a third-party resource (the doodle image’s JSON file) that CMC’s frontend trusted,” they elaborated.
Client-side attacks, like this one, are particularly dangerous because they bypass typical server-side security tools such as firewalls and intrusion detection systems. They exploit user trust in familiar platforms like CMC and can spread rapidly, as the malicious code is loaded with every page visit.
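One way a frontend can stop trusting a third-party JSON response like the doodle metadata described above is to validate it against a strict allowlist before anything is rendered. This is an added example, not code from CoinMarketCap or c/side; the field names, the asset host and both sample payloads are assumptions constructed for illustration.

```javascript
// Added example: treat the third-party doodle JSON as untrusted data.
// Field names, the asset host and both sample payloads are constructed assumptions.
const ALLOWED_KEYS = new Set(["id", "title", "imageUrl", "linkUrl"]);
const ALLOWED_HOSTS = new Set(["static.example.com"]); // hypothetical asset host

function checkUrl(value, path, errors) {
  let url;
  try { url = new URL(value); } catch { errors.push(`${path}: not a URL`); return; }
  // One scheme check rejects javascript:, data: and plain http: links.
  if (url.protocol !== "https:") errors.push(`${path}: scheme ${url.protocol} not allowed`);
  else if (!ALLOWED_HOSTS.has(url.hostname)) errors.push(`${path}: host not allowlisted`);
}

function checkDoodle(entry, path, errors) {
  if (typeof entry !== "object" || entry === null || Array.isArray(entry)) {
    errors.push(`${path}: not an object`);
    return;
  }
  // Unknown fields are rejected outright: extra keys are where injected code would ride along.
  for (const key of Object.keys(entry)) {
    if (!ALLOWED_KEYS.has(key)) errors.push(`${path}.${key}: unexpected field`);
  }
  if (typeof entry.id !== "string" || !/^[a-z0-9-]{1,64}$/.test(entry.id)) errors.push(`${path}.id: invalid`);
  // Titles are plain text only; render them with textContent, never innerHTML.
  if (typeof entry.title !== "string" || entry.title.length > 120 || /[<>]/.test(entry.title)) errors.push(`${path}.title: invalid`);
  checkUrl(entry.imageUrl, `${path}.imageUrl`, errors);
  checkUrl(entry.linkUrl, `${path}.linkUrl`, errors);
}

function validateManifest(text) {
  let data;
  try { data = JSON.parse(text); } catch { return { ok: false, errors: ["body is not JSON"] }; }
  if (typeof data !== "object" || data === null || !Array.isArray(data.doodles)) {
    return { ok: false, errors: ["doodles: missing array"] };
  }
  const errors = Object.keys(data).filter((k) => k !== "doodles").map((k) => `${k}: unexpected field`);
  data.doodles.forEach((entry, i) => checkDoodle(entry, `doodles[${i}]`, errors));
  return { ok: errors.length === 0, errors };
}

// Constructed samples: a clean manifest and one carrying extra script-bearing content.
const doodle = { id: "summer-2025", title: "Summer doodle",
  imageUrl: "https://static.example.com/doodles/summer.png",
  linkUrl: "https://static.example.com/doodles/summer" };
const CLEAN = JSON.stringify({ doodles: [doodle] });
const TAMPERED = JSON.stringify({ doodles: [{ ...doodle, linkUrl: "javascript:void(0)",
  script: "/* placeholder for injected code */" }] });

console.log(validateManifest(CLEAN));
console.log(validateManifest(TAMPERED));
```

A manifest that fails validation should be dropped and the page rendered without the doodle, with the error list sent to monitoring so a tampered upstream response is noticed quickly.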
The CoinTelegraph Compromise
CoinTelegraph, a leading blockchain news outlet, also fell victim to a similar attack. They confirmed that their “banner publishing system was briefly compromised on June 21, leading to a malicious advertisement promoting a fake token airdrop on their website.”
The malicious pop-up on CoinTelegraph (Source: Scam Sniffer)
Connections to Inferno Drainer?
Both attacks seem to be linked to customers of Inferno Drainer, a “Drainer-as-a-Service” operation. This service has facilitated numerous similar attacks over the past few years, resulting in hundreds of millions in losses.
Steps Towards Resolution
Following the incidents, both CoinMarketCap and CoinTelegraph have taken swift action to clean their sites and enhance their security measures. They aim to prevent such attacks from happening again in the future.
These incidents highlight the importance of maintaining robust security protocols and being vigilant about potential threats, especially in the rapidly evolving world of cryptocurrency and blockchain technologies.
For crypto enthusiasts and investors, it’s crucial to stay informed and cautious when navigating these platforms, verifying the authenticity of any prompts to connect wallets or engage in transactions.
Image Credit: www.helpnetsecurity.com