228/68 Tuesday, June 24, 2025

On June 20, 2025, cryptocurrency price tracking platform CoinMarketCap experienced a supply chain attack that led to the injection of a malicious wallet drainer script into its homepage. During the incident, users who visited the site encountered a fake Web3 popup that mimicked a “Connect Wallet” prompt. Upon connecting, the malicious script immediately drained victims’ cryptocurrency wallets.
CoinMarketCap later explained in a post on X (formerly Twitter) that the attack was triggered by a vulnerability in a doodle image featured on the homepage. The image contained a hidden link that made an API call to a JSON payload, which included a malicious script tag loading JavaScript from an external domain: static.cdnkit[.]io. This resulted in a realistic-looking Web3 popup branded with CoinMarketCap’s design. The company confirmed it had swiftly removed the malicious content, identified the root cause, and strengthened its security measures. It also assured users that “all systems have been restored and the site is now safe to use.”
Cybersecurity firm c/side analyzed the incident and confirmed it as a supply chain attack, noting that the attackers didn’t breach CoinMarketCap’s core servers directly but exploited third-party resources integrated into the site. A Telegram user named “Rey” shared evidence that attackers had used a wallet drainer control panel to steal approximately $43,266 from 110 victims, with internal communications written in French. Wallet drainers have become a growing threat in the crypto space, differing from traditional phishing tactics that rely on fake ads, social media posts, or malicious plugins. In 2024 alone, such malware reportedly stole over $500 million from more than 300,000 wallets, prompting Mozilla to develop dedicated detection features in Firefox Add-ons to combat these threats.
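
The injection path described above, a JSON payload whose string fields carry a script tag pointing at an outside domain, can be checked for before such content is rendered. The following is an added example, not code from CoinMarketCap or c/side: it walks a parsed JSON document and reports every `<script src>` whose host is not on an allowlist. The payload field names, the hosts and the page origin are constructed assumptions.

```javascript
// Added example: flag <script src> tags hidden in JSON string fields.
// Matches quoted or unquoted src attributes, case-insensitively.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Recursively yield [path, string] for every string inside a parsed JSON value.
function* strings(value, path = "$") {
  if (typeof value === "string") {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* strings(value[i], `${path}[${i}]`);
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) yield* strings(v, `${path}.${k}`);
  }
}

// Return one finding per script tag whose source host is not allowlisted.
function findExternalScripts(payload, allowedHosts, pageOrigin) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const [path, text] of strings(payload)) {
    for (const m of text.matchAll(SCRIPT_SRC)) {
      const src = m[1] ?? m[2] ?? m[3];
      let host;
      try {
        // Resolving against the page origin handles relative and //host URLs.
        host = new URL(src, pageOrigin).hostname.toLowerCase();
      } catch {
        host = "(unparseable)"; // treat anything we cannot parse as suspicious
      }
      if (!allowed.has(host)) findings.push({ path, host, src });
    }
  }
  return findings;
}

// Constructed sample: a doodle config with markup smuggled into a text field.
const SAMPLE = {
  doodle: {
    image: "/static/doodle.png",
    caption: "<b>Launch day</b><script src=\"https://cdn.example.net/popup.js\"></script>",
    layers: [{ html: "<script src='/js/confetti.js'></script>" }],
  },
};

console.log(findExternalScripts(SAMPLE, ["www.example.com"], "https://www.example.com/"));
```

A check like this complements, rather than replaces, a Content-Security-Policy `script-src` allowlist, which stops the browser from loading the script even if the payload reaches the page.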