CoinMarketCap Hacked: “Doodle” Graphic Delivers Wallet Drainer, $43K+ Stolen
One of the world’s leading cryptocurrency tracking platforms, CoinMarketCap, has fallen victim to a sophisticated cyberattack. Visitors to the site were unexpectedly confronted with intrusive Web3 pop-ups, seemingly inviting them to connect their wallets. However, by consenting, users unknowingly granted attackers the ability to siphon off their digital assets.
The company confirmed that threat actors had exploited a vulnerability embedded within the homepage. The flaw resided in a visual element—specifically, an interactive “doodle”—that adorned the site. According to CoinMarketCap’s technical team, the image contained a link that triggered malicious code via an API request. As a result, some users were suddenly met with a prompt encouraging them to link their crypto wallets.
Upon discovery of the incident, the platform’s team acted swiftly to remove the malicious component and trace the origin of the breach. CoinMarketCap has since assured users that all systems have been restored to normal functionality and the site is once again safe to visit.
Yet, the ensuing investigation unearthed troubling details. Analysts at c/side revealed that the breach was a textbook example of a supply chain attack. Rather than compromising CoinMarketCap’s servers directly, the attackers targeted an external resource or tool integrated into the site.
Somehow, the adversaries had tampered with the API used to fetch the homepage doodle. The altered JSON payload contained a malicious script tag that injected a wallet-draining script into CoinMarketCap via a third-party domain, “static.cdnkit[.]io.”
When users accessed the homepage, the script was executed automatically, displaying a fake pop-up styled to match the site’s aesthetic—meticulously mimicking an authentic Web3 wallet connection request. In truth, it was a Wallet Drainer—a piece of malware designed to covertly empty any wallets that users connected.
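The control that the mechanism described above calls for, as an added example that is not CoinMarketCap's or c/side's code: the JSON returned by a doodle API is validated before any of it reaches the DOM, so a payload carrying a script tag, an inline event handler, or an asset on an unexpected origin is rejected instead of rendered. The payload shape (`title`, `imageUrl`, `linkUrl`), the trusted origin `doodles.example.com` and the `untrusted-cdn.example` host are assumptions chosen for the example.

```javascript
// Added defensive example: validate an API-fetched "doodle" payload before
// rendering. Assumes (hypothetically) the shape { title, imageUrl, linkUrl }
// and that assets may only come from an allowlisted first-party origin.

const TRUSTED_ORIGINS = new Set([
  "https://doodles.example.com", // placeholder for the site's own asset host
]);

// Markup that can execute script if a field ever lands in innerHTML:
// <script ...>, inline on*= handlers, and javascript: URLs.
const DANGEROUS_HTML = /<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i;

function originAllowed(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" && TRUSTED_ORIGINS.has(u.origin);
  } catch {
    return false; // relative, malformed or non-URL values are rejected
  }
}

// Returns { ok, reasons }. Only an ok payload is rendered, and even then
// only through DOM APIs (textContent, img.src), never as raw HTML.
function validateDoodlePayload(payload) {
  if (!payload || typeof payload !== "object") {
    return { ok: false, reasons: ["payload is not an object"] };
  }
  const reasons = [];
  // Scan every string field: one field reaching innerHTML is enough.
  for (const [key, value] of Object.entries(payload)) {
    if (typeof value === "string" && DANGEROUS_HTML.test(value)) {
      reasons.push(`field "${key}" contains markup that can execute script`);
    }
  }
  for (const key of ["imageUrl", "linkUrl"]) {
    if (!originAllowed(payload[key])) {
      reasons.push(`field "${key}" is not an https URL on a trusted origin`);
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample payloads (not real CoinMarketCap data).
const GENUINE_DOODLE = {
  title: "Daily doodle",
  imageUrl: "https://doodles.example.com/2025/doodle.png",
  linkUrl: "https://doodles.example.com/about",
};
const TAMPERED_DOODLE = {
  ...GENUINE_DOODLE,
  // Mirrors the incident: a script tag pulling code from a third-party host.
  linkUrl: '<script src="https://untrusted-cdn.example/d.js"></script>',
};
```

Pairing this check with a Content-Security-Policy that omits third-party script sources gives a second, independent layer: even a payload that slips past validation cannot load a script from an unlisted host.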
Further insight into the attack came from a hacker known as Rey, who disclosed that the perpetrators had shared a screenshot of the drainer panel on a Telegram channel. According to this post, the attackers managed to steal $43,266 worth of cryptocurrency from 110 victims during the incident. Notably, the discussions in the Telegram group were conducted in French, subtly suggesting the geographical origin of the criminal group.
Such attacks have become a scourge within the cryptocurrency ecosystem. Unlike conventional phishing schemes that lure victims to fraudulent websites, wallet drainers often spread through social media, fake browser extensions, deceptive ads, and even embedded scripts on reputable platforms. In 2024 alone, losses from these tactics neared half a billion dollars, with over 300,000 wallets drained.
The threat has grown so severe that even Mozilla was compelled to implement new vetting procedures for browser extensions listed in the Firefox add-ons repository. Notably, the company introduced an automated detection system designed to identify and block malicious wallet drainers among submitted extensions.