
CoinMarketCap Supply Chain Attack Exposes 110 Users to Wallet-Draining Phishing Campaign

The cryptocurrency market’s most trusted price-tracking platform became the attack vector on June 21, 2025, when CoinMarketCap suffered a supply chain compromise that exposed users to a sophisticated wallet-draining phishing campaign. The breach, which affected 110 victims and resulted in approximately $43,266 in stolen digital assets, underscores the growing sophistication of Web3 social engineering attacks.

The Exploit Mechanics

The attack began when threat actors identified and exploited a vulnerability in CoinMarketCap’s homepage “doodle” feature — a decorative image element displayed to site visitors. By compromising a backend API that delivered JSON payloads through this doodles feature, the attackers injected malicious JavaScript from the domain static.cdnkit[.]io directly into the CoinMarketCap frontend.

This injected script deployed the Inferno Drainer toolkit, a well-known wallet-draining phishing framework that has been linked to numerous cryptocurrency thefts throughout 2024 and 2025. The malicious code generated unauthorized pop-up prompts instructing users to “Verify Wallet” — a deceptive message designed to mimic legitimate Web3 wallet connection interfaces. When users clicked through the prompt, they unknowingly approved ERC-20 token transfer transactions that drained their wallets of digital assets.

Security researchers at Coinspect traced the attack chain from the compromised third-party service through to the final wallet-draining payload. The use of a legitimate platform’s infrastructure to deliver malware represents a textbook supply chain attack — one that bypasses traditional security perimeters by exploiting trust relationships between platforms and their third-party dependencies.
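A defensive check for the injection path described above, as an added example that is not CoinMarketCap's or Coinspect's code: it walks a content-API JSON payload before rendering and flags script-capable markup and URLs outside an allowlist. The payload shape, field names and hosts (`assets.example.test`, `cdn.injected.example`) are constructed assumptions, since the article does not show the real doodle payload.

```javascript
// Added example: vet a content-API JSON payload before the frontend renders it.
// Payload shape, field names and hosts are constructed assumptions.
const ALLOWED_HOSTS = new Set(["assets.example.test"]); // hypothetical asset host

// Deliberately conservative: benign text such as "one = 1" also trips the handler rule.
const MARKUP_RULES = [
  [/<\s*script\b/i, "script tag"],
  [/\bon[a-z]+\s*=/i, "inline event handler"],
  [/javascript\s*:/i, "javascript: URI"],
];

// Recursively walk every string in the payload and collect findings with JSON paths.
function vetPayload(node, path = "$", findings = []) {
  if (typeof node === "string") {
    for (const [re, label] of MARKUP_RULES) {
      if (re.test(node)) findings.push({ path, reason: label });
    }
    // Flag absolute or protocol-relative URLs that point off the allowlist.
    for (const m of node.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+)/gi)) {
      const host = m[1].toLowerCase();
      if (!ALLOWED_HOSTS.has(host)) findings.push({ path, reason: `off-allowlist host ${host}` });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => vetPayload(v, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) vetPayload(v, `${path}.${k}`, findings);
  }
  return findings;
}

// Constructed sample payloads (not captured from the incident).
const cleanDoodle = {
  name: "solstice",
  image: "https://assets.example.test/doodles/solstice.png",
  link: "/events/solstice",
};
const tamperedDoodle = {
  name: "solstice",
  image: "https://assets.example.test/doodles/solstice.png",
  animation: { layers: [{ src: "//cdn.injected.example/popup.js" }] },
  caption: '<img src=x onerror="load()">',
};

function vetSamples() {
  return { clean: vetPayload(cleanDoodle), tampered: vetPayload(tamperedDoodle) };
}
console.log(JSON.stringify(vetSamples(), null, 2));
```

A payload with any finding should be rejected or rendered as inert data (image URL and text only), never passed to anything that evaluates markup or loads scripts.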

Affected Systems

The primary target was CoinMarketCap’s web frontend, specifically the content delivery pipeline for homepage doodle images. The malicious payload was served to visitors of the CoinMarketCap website during the active period of the compromise. All users who visited the site and interacted with the unauthorized wallet verification popup were at risk.

The attack occurred alongside a similar compromise of Cointelegraph, a major cryptocurrency news publication, suggesting a coordinated campaign targeting high-traffic crypto media and data platforms. With Bitcoin trading near $102,257 and Ethereum at $2,300 on the day of the attack, the potential for larger losses was significant.

The incident followed a broader trend of escalating crypto-related crime in 2025, with over $240 million lost to various hacks and exploits in May alone, and $114.8 million stolen across 11 incidents during June 2025 according to De.Fi’s REKT report.

The Mitigation Strategy

CoinMarketCap confirmed the breach on June 21, 2025, stating via social media: “We’ve identified and removed the malicious code from our site. Our team is continuing to investigate and taking steps to strengthen our security.” The company patched the exploited vulnerability and removed the injected scripts from its frontend.

For users, the mitigation requires several immediate steps. Anyone who visited CoinMarketCap on June 20-21 and connected a wallet should revoke all pending token approvals immediately using tools like Revoke.cash or Etherscan’s token approval checker. Hardware wallet users who did not physically sign transactions on their devices remain protected, as the attack required active wallet interaction.

The broader industry response should include enhanced supply chain auditing for third-party scripts and dependencies, implementation of Content Security Policy headers that restrict unauthorized script execution, and regular penetration testing of all customer-facing frontend components.
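To make the Content Security Policy point concrete, the following added example (not from the article or from CoinMarketCap) evaluates whether an externally hosted script would load under a permissive policy versus a host-allowlisted one. The matcher is a simplification of CSP source matching (scheme and host only), and the page, asset and injected hosts are constructed placeholders.

```javascript
// Added example: simplified CSP script-src matching (scheme and host only;
// ports, paths, nonces and hashes are not modelled). All hosts are constructed.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources); // first wins
  }
  return directives;
}

// Would an external script at scriptUrl load on pageUrl under this policy?
function scriptAllowed(header, pageUrl, scriptUrl) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) return true; // no governing directive, no restriction
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return script.origin === page.origin;
    if (src === "*") return ["http:", "https:"].includes(script.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === script.protocol; // e.g. https:
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const [, scheme, host] = m;
    const schemeOk = scheme
      ? `${scheme}:` === script.protocol
      : script.protocol === "https:" || script.protocol === page.protocol;
    const hostOk = host.startsWith("*.")
      ? script.hostname.endsWith(host.slice(1)) // *.a.test matches x.a.test only
      : host === script.hostname;
    return schemeOk && hostOk;
  });
}

const PAGE = "https://www.example.test/";
const INJECTED = "https://cdn.injected.example/popup.js"; // stands in for the injected host
const WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-inline'";
const STRICT = "default-src 'self'; script-src 'self' https://assets.example.test";

function evaluatePolicies() {
  return {
    weakAllowsInjected: scriptAllowed(WEAK, PAGE, INJECTED),
    strictAllowsInjected: scriptAllowed(STRICT, PAGE, INJECTED),
    strictAllowsFirstParty: scriptAllowed(STRICT, PAGE, "https://assets.example.test/app.js"),
  };
}
console.log(evaluatePolicies());
```

A host allowlist only holds if `'unsafe-inline'` is absent and the allowlisted hosts cannot themselves be made to serve attacker-controlled script.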

Lessons Learned

This incident reinforces several critical security principles for the cryptocurrency ecosystem. First, even the most established and trusted platforms can serve as attack vectors. Users should exercise extreme caution when prompted to connect wallets on any website, regardless of the site’s reputation. Second, supply chain attacks targeting frontend dependencies represent an evolving threat model that platform operators must address through rigorous third-party vendor security assessments.

Third, the use of hardware wallets provides essential protection against phishing-based wallet drainers, as these devices require physical confirmation of transactions. The 110 victims who lost funds likely used software wallets that could be compromised through browser-based attacks.

CertiK and other blockchain security firms have noted a significant shift toward social engineering attacks in 2025, as smart contract vulnerabilities become harder to exploit due to improving audit standards. The CoinMarketCap incident exemplifies this trend, where the weakest link was not a protocol’s code but its content delivery infrastructure.

User Action Required

All CoinMarketCap users who visited the site on June 20-21, 2025 should check their wallet approval histories and revoke any suspicious token approvals. Users should enable browser extensions that detect known phishing domains and drainer toolkits. Most importantly, never approve wallet connection prompts that appear unexpectedly on any website, and always verify the URL of wallet connection interfaces before signing any transaction.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding digital asset protection.


12 thoughts on “CoinMarketCap Supply Chain Attack Exposes 110 Users to Wallet-Draining Phishing Campaign”

  1. the doodle feature was the attack vector. who audits their decorative image pipeline? supply chain attacks exploit trust in the mundane

    1. frontend_sec a decorative doodle API being the entry point is wild. who threat-models their holiday logos? supply chain attacks target the boring stuff nobody audits

      1. static_cdn_hunt_

        cdn_skeptic_ exactly. who threat models their holiday logos. the boring attack surface is always the one that gets you

    2. frontend_sec a JSON payload doodle API as attack surface is terrifying. every website with dynamic content widgets has this exact vulnerability and nobody checks it

  2. 110 users out of millions of CMC visitors. the attackers were surgical. Inferno Drainer is clearly optimizing for quality over quantity now

    1. inferno drainer toolkit strikes again. 110 victims in one incident through a trusted platform. the verify wallet prompt is the oldest trick

  3. Inferno Drainer has been in every major wallet drain since 2024. the toolkit keeps evolving and exchanges still can't flag the signed transactions in time
