CoinMarketCap, Cointelegraph compromised to serve pop-ups to drain crypto wallets
The CoinMarketCap and CoinTelegraph websites were compromised over the weekend to serve convincing phishing pop-ups to visitors, asking them to verify or connect their crypto wallets.
The CoinMarketCap compromise
CoinMarketCap (aka CMC) is a website popular with crypto investors as it tracks cryptocurrency prices, market capitalizations, and trading volumes.
On June 20, 2025, visitors to the site’s homepage were faced with a pop-up that urged them to connect their wallets to maintain access to their CMC account.
The malicious pop-up on CMC
According to Web3 on‑chain security company Blockaid, the malicious pop-up on the site started appearing on June 20 (Friday), around 9 p.m. UTC/GMT.
CoinMarketCap confirmed the compromise on Saturday and said that the “vulnerability” that made the attack possible was related to a (third-party) “doodle” image displayed on the homepage.
“This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when [they] visited our homepage,” they said.
On Monday, they confirmed that 76 visitors had been tricked into connecting their wallet and that the attackers stole a total of $21,624.47, which they promised to reimburse.
How did this happen?
US-based startup c/side says that the threat actors managed to interfere with the API request that loads the doodle image and make it return a JSON file that not only contained metadata about active doodles, but also hidden JavaScript code designed to:
- Run/execute in the user’s browser
- Make sure it will run only once per session
- Hide legitimate elements of the site
- Create and serve a realistic, full-screen overlay with the malicious message
“When the user clicks ‘Connect Wallet,’ the script attempts to connect to a crypto wallet (e.g., MetaMask, Phantom),” they explained. “If connected, the script communicates with rogue domains (e.g., walletconnect.com, trustwallet.com) to steal wallet credentials or private keys.”
The pop-up script interacted with a larger JavaScript library, they added, which detects and connects to popular wallets, customizes the phishing flow, tricks the user into signing malicious transactions, and displays fake error messages to pressure users into retrying with different wallets.
“This incident is a textbook example of a supply chain attack. Attackers did not breach CoinMarketCap’s servers directly. Instead, they compromised a third-party resource (the doodle image’s JSON file) that CMC’s frontend trusted,” they explained.
“Client-side attacks (code running in the user’s browser) are particularly dangerous because they bypass server-side security tools (e.g., firewalls, intrusion detection systems), they exploit user trust in a familiar platform (CMC), and they can spread quickly, as the malicious code is loaded with every page visit.”
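One defensive check that follows from c/side's analysis, added here as an example (it is not CMC's, c/side's or the article's own code): treat the third-party doodle API response as untrusted input and validate it against the exact shape the front end expects before anything is rendered, so extra keys, embedded markup or off-allowlist URLs are rejected rather than executed. The field names, the `doodles` array and the allowlisted CDN host are assumptions made for the illustration.

```javascript
// Added example: schema-and-content validation for a third-party "doodle" API
// response. Field names and the CDN host are assumptions, not CMC's real API.
const DOODLE_SCHEMA = { id: "string", imageUrl: "string", altText: "string", link: "string" };
const ALLOWED_HOSTS = new Set(["cdn.example-doodles.test"]); // assumed CDN host
// Markers that have no business in image metadata; any hit fails the payload.
const SUSPICIOUS = [/<\s*script/i, /javascript\s*:/i, /on\w+\s*=/i, /<\s*iframe/i, /eval\s*\(/i, /atob\s*\(/i];

function validateDoodlePayload(rawJson) {
  const findings = [];
  let data;
  try { data = JSON.parse(rawJson); } catch (e) { return { ok: false, findings: ["not valid JSON"] }; }
  if (!data || typeof data !== "object") return { ok: false, findings: ["top level is not an object"] };
  const doodles = Array.isArray(data.doodles) ? data.doodles : null;
  if (!doodles) return { ok: false, findings: ["missing doodles array"] };
  // The compromised response carried content the UI never asked for, so any
  // key outside the expected shape is itself a finding.
  for (const key of Object.keys(data)) if (key !== "doodles") findings.push(`unexpected top-level key: ${key}`);
  doodles.forEach((d, i) => {
    if (!d || typeof d !== "object") { findings.push(`doodle[${i}]: not an object`); return; }
    for (const [field, type] of Object.entries(DOODLE_SCHEMA)) {
      if (typeof d[field] !== type) findings.push(`doodle[${i}].${field}: expected ${type}`);
    }
    for (const [field, value] of Object.entries(d)) {
      if (!(field in DOODLE_SCHEMA)) findings.push(`doodle[${i}]: unexpected field ${field}`);
      if (typeof value !== "string") continue;
      for (const re of SUSPICIOUS) if (re.test(value)) findings.push(`doodle[${i}].${field}: matches ${re}`);
      if (value.length > 2048) findings.push(`doodle[${i}].${field}: oversized (${value.length} chars)`);
    }
    // URLs must be https and point at the CDN we actually expect the doodle to come from.
    for (const urlField of ["imageUrl", "link"]) {
      try {
        const u = new URL(d[urlField]);
        if (u.protocol !== "https:" || !ALLOWED_HOSTS.has(u.hostname)) findings.push(`doodle[${i}].${urlField}: host/scheme not allowlisted (${u.href})`);
      } catch (e) { findings.push(`doodle[${i}].${urlField}: not a URL`); }
    }
  });
  return { ok: findings.length === 0, findings };
}

// Constructed sample responses (not the real incident payloads).
const CLEAN_RESPONSE = JSON.stringify({ doodles: [{ id: "d1", imageUrl: "https://cdn.example-doodles.test/d1.png", altText: "Summer doodle", link: "https://cdn.example-doodles.test/about" }] });
const TAMPERED_RESPONSE = JSON.stringify({ doodles: [{ id: "d1", imageUrl: "https://cdn.example-doodles.test/d1.png", altText: "<script src=https://attacker.invalid/loader.js></script>", link: "javascript:void(0)" }], html: "<script>/* hidden loader */</script>" });

if (typeof require !== "undefined" && require.main === module) {
  console.log(validateDoodlePayload(CLEAN_RESPONSE));
  console.log(validateDoodlePayload(TAMPERED_RESPONSE));
}
```

Running it prints `ok: true` for the clean response and a list of findings (the extra `html` key, the script tag in `altText`, the `javascript:` link) for the tampered one; a front end that refuses to render on any finding would have shown nothing instead of the overlay.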
Crypto and blockchain news outlet CoinTelegraph also confirmed today that its “banner publishing system was briefly compromised on June 21, resulting in a malicious advertisement promoting a fake token airdrop on [their] website.”
The malicious pop-up on CoinTelegraph (Source: Scam Sniffer)
Both attacks appear to be connected to customers of Inferno Drainer, a “Drainer-as-a-Service” outfit that has enabled many similar attacks over the last few years, causing hundreds of millions of dollars in losses.
Both sites have been “cleaned” and the companies said they’ve strengthened their security controls to prevent similar attacks in the future.