The cryptocurrency industry faced a stark reminder on June 23, 2025, that even the most trusted platforms are not immune to supply chain attacks. CoinMarketCap, the world’s largest crypto price tracking website with millions of monthly visitors, confirmed that a malicious third-party “doodle” image injected JavaScript code that drained 76 connected wallets, stealing $21,624.47 in total.
The Exploit Mechanics
The attack began on June 20, 2025, around 9:00 PM UTC, when visitors to CoinMarketCap’s homepage were greeted with an unfamiliar pop-up urging them to connect their wallets to maintain account access. According to Web3 security firm Blockaid, the threat actors interfered with the API request responsible for loading a decorative “doodle” image on the homepage. Instead of returning standard image metadata, the compromised API served a JSON file containing hidden JavaScript code.
Once executed in the visitor’s browser, the malicious script performed several coordinated actions. It ensured it would only run once per session to avoid detection, hid legitimate elements of the CoinMarketCap interface, and created a realistic full-screen overlay mimicking a legitimate wallet verification prompt. When users clicked “Connect Wallet,” the script attempted to interface with popular browser wallets including MetaMask and Phantom, routing credentials through rogue domains impersonating WalletConnect and Trust Wallet.
The script interacted with a larger JavaScript library provided by Inferno Drainer, a well-known “Drainer-as-a-Service” platform that has been linked to hundreds of millions in losses across the crypto ecosystem. This library automatically detected installed wallets, customized the phishing flow for each victim, and displayed fake error messages to pressure users into retrying with different wallets.
Affected Systems
The attack specifically targeted users who had crypto wallet browser extensions installed and who visited the CoinMarketCap homepage between June 20 and June 22. In total, 76 visitors were tricked into connecting their wallets, resulting in aggregate losses of $21,624.47. Bitcoin was trading at approximately $105,578 at the time, and Ethereum sat near $2,422, meaning even small wallet balances held meaningful value.
On the same weekend, Cointelegraph, one of the largest crypto news outlets, confirmed its banner publishing system was also compromised on June 21. The breach resulted in a malicious advertisement promoting a fake token airdrop. Both incidents were linked to customers of Inferno Drainer, suggesting a coordinated campaign targeting high-traffic crypto media and data platforms.
The Mitigation Strategy
CoinMarketCap responded by removing the compromised doodle element and strengthening its third-party content vetting process. The company confirmed it would reimburse all 76 affected users for their losses. Cointelegraph similarly cleaned its banner system and tightened advertising controls.
Security researchers from c/side, a client-side security startup, noted that this was a textbook supply chain attack. The attackers never breached CoinMarketCap’s servers directly. Instead, they compromised a third-party resource that the frontend trusted, bypassing server-side security tools like firewalls and intrusion detection systems entirely.
Lessons Learned
The incident underscores several critical vulnerabilities in how crypto platforms handle third-party dependencies. Client-side JavaScript execution remains one of the most difficult attack surfaces to defend, as the malicious code runs within the user’s trusted browser context. API endpoints that serve dynamic content must implement integrity checks, and platforms should adopt Subresource Integrity (the integrity attribute on script and link elements) to prevent unauthorized script modifications.
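An integrity check of the kind described above, as an added example that is not CoinMarketCap's code: a Node.js routine that a backend proxying third-party content could run before the response reaches the page. It compares an SRI-style SHA-384 digest against a pinned value, then accepts only plain image metadata. The field names, the host static.example-cdn.test and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example, not from the original page. Schema, host and samples are assumed.
const crypto = require("node:crypto");

const ALLOWED_KEYS = new Set(["id", "imageUrl", "altText", "width", "height"]);
const ALLOWED_IMAGE_HOSTS = new Set(["static.example-cdn.test"]); // hypothetical host

// SRI-style digest ("sha384-<base64>") over the exact bytes received.
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body).digest("base64");
}

// Returns { ok, reason }; anything other than plain image metadata is rejected.
function vetDoodleResponse(body, pinnedDigest) {
  const fail = (reason) => ({ ok: false, reason });
  if (sriDigest(body) !== pinnedDigest) return fail("digest mismatch");
  let doc;
  try { doc = JSON.parse(body); } catch { return fail("not JSON"); }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) return fail("not an object");
  // Allowlist keys: an unknown field is where injected active content would hide.
  for (const key of Object.keys(doc)) {
    if (!ALLOWED_KEYS.has(key)) return fail(`unexpected key: ${key}`);
  }
  if (typeof doc.id !== "string" || typeof doc.altText !== "string") return fail("bad string field");
  if (!Number.isInteger(doc.width) || !Number.isInteger(doc.height)) return fail("bad dimensions");
  let url;
  try { url = new URL(doc.imageUrl); } catch { return fail("bad imageUrl"); }
  if (url.protocol !== "https:" || !ALLOWED_IMAGE_HOSTS.has(url.hostname)) {
    return fail("imageUrl not on allowlisted https host");
  }
  if (!/\.(png|webp|gif)$/i.test(url.pathname)) return fail("imageUrl is not an image path");
  // Consumers should still set altText via textContent/setAttribute, never innerHTML.
  return { ok: true, reason: "ok" };
}

// Constructed samples: the reviewed response, and one with an extra field added later.
const CLEAN_SAMPLE = JSON.stringify({
  id: "doodle-001", imageUrl: "https://static.example-cdn.test/doodles/001.png",
  altText: "Constructed sample doodle", width: 120, height: 60,
});
const TAMPERED_SAMPLE = JSON.stringify({
  ...JSON.parse(CLEAN_SAMPLE), expression: "/* constructed stand-in for injected code */",
});
const PINNED = sriDigest(CLEAN_SAMPLE); // recorded when the content was reviewed

console.log(vetDoodleResponse(CLEAN_SAMPLE, PINNED));
console.log(vetDoodleResponse(TAMPERED_SAMPLE, PINNED));
// Even if the pin were regenerated from tampered bytes, the key allowlist still rejects it.
console.log(vetDoodleResponse(TAMPERED_SAMPLE, sriDigest(TAMPERED_SAMPLE)));
```

The digest check catches any change to reviewed content; the schema check is the fallback for content that changes too often to pin.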
For users, the takeaway is straightforward: never connect your wallet to a site through an unexpected pop-up, no matter how legitimate the platform appears. Hardware wallets remain the strongest defense against drainer-style attacks, as they require physical confirmation of transactions.
User Action Required
If you visited CoinMarketCap between June 20 and June 22 and connected your wallet through a pop-up prompt, immediately revoke all token approvals granted during that session using tools like Revoke.cash or Etherscan’s token approval checker. Transfer remaining assets to a fresh wallet address, and consider using a hardware wallet for all future interactions with DeFi platforms and crypto data sites.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding digital asset protection.
The pace of innovation in crypto continues to surprise me
The fundamental value proposition of crypto keeps getting stronger
a doodle image hijack on the biggest crypto data site and you say the value proposition is getting stronger? cope
Interesting perspective — I hadn’t considered that angle before
The best projects are the ones quietly shipping during bear markets
The gap between crypto and TradFi is narrowing fast
76 wallets drained through a doodle script and you think this narrows the gap? if anything it shows how far crypto UX security still has to go
only $21k stolen total across 76 wallets. kinda surprised it wasn't more. the one-time-per-session trick was smart though, avoided mass detection