The recent cyber-attack on CoinMarketCap, a popular cryptocurrency tracking site, has raised concerns about the security of users’ funds. The breach, which occurred on June 20, exposed users to a fake Web3 wallet prompt that led to the theft of funds from connected wallets. Although the breach has been contained, it serves as a reminder of the vulnerabilities that exist in the crypto ecosystem.
Visitors to CoinMarketCap were shown a popup that appeared to be a standard Web3 connection request, prompting them to link their crypto wallets. However, once connected, a wallet-draining script was triggered, transferring assets out of users’ accounts. The source of the vulnerability was traced back to a compromised homepage “doodle” image, which had been tampered with through a malicious API call.
CoinMarketCap confirmed the breach in a statement posted on social media, explaining that attackers had injected malicious JavaScript via a modified JSON payload linked to the doodle image. The payload loaded a script from an external source, static.cdnkit[.]io, which displayed the popup and executed the wallet-draining code. The company took immediate action to remove the malicious content, identify the root cause, and implement measures to isolate and mitigate the issue.
Cybersecurity firm c/side analyzed the breach and described it as a supply chain attack, as the attackers compromised a third-party resource used by CoinMarketCap rather than infiltrating the platform’s servers directly. These types of attacks are challenging to detect, as they exploit trusted parts of a site’s infrastructure.
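The mechanism described above, a JSON config tied to an image that ends up pulling script from an outside host, can be checked for before the config is rendered. The following is an added example, not CoinMarketCap's or c/side's code; the field names, hosts and the `auditPayload` helper are constructed for illustration.

```javascript
// Added example: audit a doodle-style JSON config before the page renders it.
// Field names and hosts below are constructed; the real payload schema is assumed.
const ALLOWED_HOSTS = new Set(["assets.example.com"]); // assumed first-party asset host

const URL_RE = /(?:https?:)?\/\/[^\s"'<>)]+/gi; // absolute and protocol-relative URLs
const MARKUP_RULES = [
  [/<\s*script\b/i, "script tag in data field"],
  [/\bjavascript\s*:/i, "javascript: URL"],
];

// Walk every value; report strings that carry markup or reference unknown hosts.
function auditPayload(node, allowedHosts = ALLOWED_HOSTS, path = "$", findings = []) {
  if (typeof node === "string") {
    for (const [re, reason] of MARKUP_RULES) {
      if (re.test(node)) findings.push({ path, reason });
    }
    for (const raw of node.match(URL_RE) || []) {
      let host;
      try {
        host = new URL(raw.startsWith("//") ? "https:" + raw : raw).hostname;
      } catch {
        findings.push({ path, reason: "unparseable URL" });
        continue;
      }
      if (!allowedHosts.has(host)) {
        findings.push({ path, reason: `host not allowlisted: ${host}` });
      }
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => auditPayload(v, allowedHosts, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      auditPayload(v, allowedHosts, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Constructed samples: a clean config and one carrying an injected external loader.
const cleanDoodle = { name: "summer", image: "https://assets.example.com/doodle/summer.json" };
const tamperedDoodle = {
  name: "summer",
  image: "https://assets.example.com/doodle/summer.json",
  layers: [{ markup: '<script src="//static.untrusted.example/inject.js"></script>' }],
};

console.log(auditPayload(cleanDoodle));
console.log(auditPayload(tamperedDoodle));
```

A check like this fits both in CI on config changes and at fetch time; a Content-Security-Policy `script-src` allowlist is the browser-side backstop for anything that slips past it.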
The attackers were able to steal a total of $43,266 from 110 wallets, as revealed in a screenshot shared by a threat actor known as Rey. Messages in the attackers’ communication channel indicated that they were communicating in French. In response to the breach, wallet providers MetaMask and Phantom flagged CoinMarketCap as unsafe, warning users not to connect their wallets.
The phishing-style prompt specifically targeted ERC-20 tokens, a common format used across many crypto wallets. Users on crypto forums quickly shared warnings to limit the scope of the breach. This incident has reignited concerns about CoinMarketCap’s security posture, especially following a previous breach in 2021 that exposed 3.1 million email addresses. As a significant hub in the crypto space owned by Binance, CoinMarketCap remains an attractive target for attackers.
As the crypto ecosystem continues to evolve, it is essential for users to remain vigilant and take steps to protect their assets. By staying informed about potential threats and exercising caution when connecting wallets to third-party sites, users can minimize the risk of falling victim to cyber-attacks.