The world’s most visited cryptocurrency price-tracking website fell victim to a sophisticated supply chain attack on June 20, 2025, when malicious JavaScript code injected through a third-party doodle image displayed a phishing popup to thousands of visitors. The incident exposed fundamental vulnerabilities in how even the most trusted crypto platforms handle third-party dependencies.
Bitcoin traded at $103,309 and Ethereum sat at $2,407 at the time of the attack, meaning any compromised wallet connected during the incident could have held substantial value. CoinMarketCap confirmed that 76 visitors were tricked into connecting their wallets, with attackers stealing a total of $21,624.47 before the vulnerability was patched.
The Exploit Mechanics
According to analysis by Web3 security firm Blockaid, the malicious popup began appearing on CoinMarketCap’s homepage around 9:00 PM UTC on June 20. The attack vector was deceptively simple yet technically sophisticated in its execution.
Threat actors managed to interfere with the API request that loads CoinMarketCap’s doodle images, typically playful illustrations displayed on the homepage. Instead of returning standard image metadata, the compromised API served a JSON file containing hidden JavaScript code designed to execute directly in visitors’ browsers.
The malicious script performed several coordinated actions: it ensured execution only once per session to avoid detection, hid legitimate elements of the CoinMarketCap interface, and created a realistic full-screen overlay prompting users to connect their crypto wallets to “maintain account access.” When a user clicked “Connect Wallet,” the script attempted to interface with installed browser wallets such as MetaMask and Phantom, then communicated with rogue domains mimicking legitimate services like WalletConnect and Trust Wallet to harvest credentials and private keys.
The popup interacted with a larger JavaScript library specifically designed to detect popular wallet extensions, customize the phishing flow based on the detected wallet type, trick users into signing malicious transactions, and display fake error messages pressuring victims into retrying with different wallets.
Affected Systems
The attack impacted CoinMarketCap’s homepage visitors between approximately 9:00 PM UTC on June 20 and the early hours of June 21. CoinMarketCap confirmed that 76 users connected their wallets through the malicious popup. The total stolen funds amounted to $21,624.47 across multiple wallet types.
Security researchers linked the attack to Inferno Drainer, a well-known “Drainer-as-a-Service” operation responsible for hundreds of millions in losses across numerous phishing campaigns in recent years. The same threat infrastructure also compromised CoinTelegraph’s banner publishing system on June 21, serving a malicious advertisement promoting a fake token airdrop.
The incident occurred during a period of heightened security concerns in the crypto industry. Just two days earlier, Iranian exchange Nobitex suffered an $82 million breach attributed to the Israeli hacktivist group Gonjeshke Darande. June 2025 saw $114.8 million lost across 11 separate exploits, according to De.Fi’s REKT report.
The Mitigation Strategy
CoinMarketCap responded within hours of detecting the vulnerability. In a public statement, the platform acknowledged that “a doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when visiting our homepage.” The company removed the compromised doodle, patched the API vulnerability, and pledged to reimburse the $21,624.47 stolen from affected users.
Security startup c/side conducted a detailed technical analysis classifying the incident as a textbook supply chain attack. “Attackers did not breach CoinMarketCap’s servers directly. Instead, they compromised a third-party resource that CMC’s frontend trusted,” they explained. This distinction is critical because client-side attacks bypass server-side security tools like firewalls and intrusion detection systems entirely.
Both CoinMarketCap and CoinTelegraph stated they have strengthened security controls around third-party content loading and banner publishing systems to prevent similar incidents.
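One form a control on third-party content loading can take is a strict check of the doodle API response before the frontend uses it. The JavaScript below is an added example, not CoinMarketCap's code; the field names, the allowlisted host and both sample responses are constructed assumptions.

```javascript
// Added example: the schema, host names and sample bodies are hypothetical.
const ALLOWED_FIELDS = new Set(["id", "title", "imageUrl", "linkUrl"]);
const ALLOWED_HOSTS = new Set(["static.example-tracker.test"]); // assumed asset host
const IMAGE_EXT = /\.(png|jpe?g|webp|gif)$/i;
const MARKUP = /[<>]|javascript:|data:|\bon\w+\s*=/i; // tags, script URLs, inline handlers

// A URL field must be absolute HTTPS, on an allowlisted host, and (for images) an image path.
function checkUrl(value, field, problems, requireImage) {
  let url;
  try { url = new URL(value); } catch { problems.push(`${field}: not an absolute URL`); return; }
  if (url.protocol !== "https:") problems.push(`${field}: scheme ${url.protocol} not allowed`);
  if (!ALLOWED_HOSTS.has(url.hostname)) problems.push(`${field}: host not allowlisted`);
  if (requireImage && !IMAGE_EXT.test(url.pathname)) problems.push(`${field}: not an image path`);
}

// Deny by default: any field outside the expected metadata shape rejects the response.
function validateDoodle(rawJson) {
  const problems = [];
  let doc;
  try { doc = JSON.parse(rawJson); } catch { return { ok: false, problems: ["body is not JSON"] }; }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { ok: false, problems: ["top level is not an object"] };
  }
  for (const [key, value] of Object.entries(doc)) {
    if (!ALLOWED_FIELDS.has(key)) { problems.push(`${key}: unexpected field`); continue; }
    if (typeof value !== "string") { problems.push(`${key}: expected string`); continue; }
    if (key.endsWith("Url")) checkUrl(value, key, problems, key === "imageUrl");
    else if (MARKUP.test(value)) problems.push(`${key}: markup or script-like content`);
  }
  if (!("imageUrl" in doc)) problems.push("imageUrl: missing");
  return { ok: problems.length === 0, problems };
}

// Constructed sample responses: plain image metadata, and one carrying extra content.
const GOOD = JSON.stringify({
  id: "d-001", title: "Summer doodle",
  imageUrl: "https://static.example-tracker.test/doodles/summer.png",
  linkUrl: "https://static.example-tracker.test/doodles/summer",
});
const BAD = JSON.stringify({
  id: "d-002", title: "Doodle<img src=x onerror=1>",
  imageUrl: "https://cdn.unlisted.test/doodle.json",
  script: "/* constructed placeholder */",
});

console.log(validateDoodle(GOOD), validateDoodle(BAD));
```

Fields that pass should still be written to the page through `img.src` and `textContent` rather than `innerHTML`, so that a value is never parsed as markup.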
Lessons Learned
The CoinMarketCap compromise demonstrates that trust in a platform does not equal trust in every element that platform loads. Several key security principles emerge from this incident.
First, supply chain attacks targeting client-side resources represent an escalating threat vector that traditional server-side security measures cannot address. Organizations must audit not only their own code but every third-party dependency, API endpoint, and externally loaded resource.
Second, users should never connect wallets in response to unexpected popups, even on trusted websites. Legitimate platforms do not suddenly require wallet reconnection through homepage overlays. Verifying such requests through official communication channels before taking action can prevent devastating losses.
Third, the speed at which Inferno Drainer’s infrastructure was deployed across two major crypto publications suggests a coordinated campaign. The Drainer-as-a-Service model enables threat actors to rapidly target multiple high-traffic platforms simultaneously, making industry-wide vigilance essential.
User Action Required
If you visited CoinMarketCap’s homepage on June 20, 2025 between 9:00 PM UTC and the early hours of June 21 and connected your wallet through a popup, take immediate action. Revoke all token approvals granted during that session using tools like revoke.cash or Etherscan’s token approval checker. Move remaining funds to a fresh wallet generated on a device that was not exposed to the malicious popup. Monitor your wallet addresses for any unauthorized transactions and report losses to CoinMarketCap’s support team for potential reimbursement under their announced compensation program.
a doodle image API was the attack vector on the most visited crypto site. every website with third party scripts is one vendor breach away from a wallet drainer
This is exactly why we need to move away from centralized frontend dependencies. Supply chain attacks on big aggregators like CMC are becoming too common. Always double-check your wallet permissions and never sign anything if a site suddenly asks for a connection out of nowhere.
Alex_Sec_0x a doodle image API was the attack vector. not a wallet, not a smart contract, a decorative image. the attack surface is everywhere
frontend_risk 76 people connected a wallet to a popup on a price tracker. no reason to ever connect a wallet to CMC in the first place. the UX trained people to click approve on anything
frontend_risk a doodle image API. not a zero day, not a bridge exploit, a decorative image. and 76 people still connected their wallets. phishing works because it targets trust
Honestly, I’m starting to get scared even looking at these sites now. If a platform as big as CoinMarketCap can get hit, what’s stopping them from hitting others? I guess I’ll be sticking to my cold storage and triple-checking every single URL from now on.
Crazy stuff man! I was just on CMC earlier today and didn’t notice anything weird, but glad I saw this before connecting any of my burner wallets. It feels like the Wild West out here sometimes lol. Stay safe everyone and watch out for those fake pop-ups!
Thanks for the heads up on this supply chain vulnerability. It’s a great reminder that even the most trusted portals in the space are just websites at the end of the day. Using browser extensions that flag malicious scripts is a must-have in your toolkit these days.
76 users lost $21K total because they trusted a popup on the most visited crypto site. the average loss per person was under $300
Amara Johnson under $300 average loss per victim tells you these were small retail wallets. the real question is what happens when the next attack targets wallets with real funds
Amir H. the average loss being $300 means CMC got lucky. next time the popup targets connected wallets with real balances the number will be 1000x worse