By Lawrence Abrams<\/p>\n\n\n\n CoinMarketCap, the popular cryptocurrency price tracking site, suffered a website supply chain attack that exposed site visitors to a wallet drainer campaign to steal visitors’ crypto.<\/p>\n\n\n\n On Friday evening, January 20, CoinMarketCap visitors began seeing Web3 popups<\/a> asking them to connect their wallets to the site. However, when visitors connected their wallets, a malicious script drained cryptocurrency from them.<\/p>\n\n\n\n The company later confirmed threat actors utilized a vulnerability in the site’s homepage “doodle” image to inject malicious JavaScript into the site.<\/p>\n\n\n\n “On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when visited our homepage,” reads a statement posted on X<\/a>.<\/p>\n\n\n\n “Upon discovery, We acted immediately to remove the problematic content, identified the root cause, and comprehensive measures have been implemented to isolate and mitigate the issue.”<\/p>\n\n\n\n “We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users.”<\/p>\n\n\n\n Cybersecurity firm c\/side explained that the attack worked by the threat actors somehow modifying the API used by the site to retrieve a doodle image to display on the homepage. This tampered JSON payload<\/a> now included a malicious script tag<\/a> that injected a wallet drainer script into CoinMarketCap from an external site named “static.cdnkit[.]io”.<\/p>\n\n\n\n When someone visited the page, the script would execute and display a fake wallet connect popup showing CoinMarketCap branding and mimicking a legitimate Web3 transaction request. However, this script was actually a wallet drainer designed to steal connected wallets’ assets.<\/p>\n\n\n\n “This was a supply chain attack, meaning the breach didn’ target CMC’s own servers but a third-party tool or resource used by CMC,” explains c\/side<\/a>.<\/p>\n\n\n\n “Such attacks are hard to detect because they exploit trusted elements of a platform.”<\/p>\n\n\n\n More details about the attack came later from a threat actor known as Rey<\/a>, who said that the attackers behind the CoinMarketCap supply chain attack shared a screenshot of the drainer panel on a Telegram channel.<\/p>\n\n\n\n This panel indicated that $43,266 was stolen from 110 victims as part of this supply chain attack, with the threat actors speaking in French on the Telegram channel.<\/p>\n\n\n\n As the popularity of cryptocurrency has boomed, so has the threat from wallet drainers, which are commonly used in attacks.<\/p>\n\n\n\n Unlike traditional phishing, these types of attacks are more often promoted through social media posts, advertisements, spoofed sites, and malicious browser extensions that include malicious wallet-draining scripts.<\/p>\n\n\n\n Reports indicate that wallet drainers stole almost $500 million <\/a>in 2024 through attacks targeting more than 300,000 wallet addresses.<\/p>\n\n\n\n![\"Cryptocurrency\"\/](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2024\/12\/05\/Cryptocurrency.jpg\")
<\/figure>\n\n\n\n![\"Screenshot](\"https:\/\/www.bleepstatic.com\/images\/news\/security\/attacks\/c\/coinmarketcap\/coinmarketcap\/drainer-panel.jpg\")
Source: Rey<\/em><\/figcaption><\/figure>\n\n\n\n