CoinMarketCap Supply Chain Attack Leaves Crypto Users Reeling After $43,000 Wallet Drain
A malicious script hidden in a homepage image triggered a wallet-draining popup that stole thousands from unsuspecting visitors.
On the evening of June 20, 2025, visitors to CoinMarketCap weren’t expecting anything unusual. It looked like a typical day on the world’s most visited cryptocurrency pricing site. But what appeared to be a harmless homepage doodle ended up being the digital Trojan horse that siphoned crypto from user wallets.
Within hours, a wave of complaints and concerns started trickling through social media and crypto forums. Popups asking users to connect their Web3 wallets? On CoinMarketCap? Something was off.
A Wallet Popup No One Asked For
Things started to go sideways when users began encountering strange Web3 wallet connection prompts.
Most users thought it was a new feature or maybe an update. Instead, the moment they clicked “Connect,” their crypto was gone.
Just like that.
In a statement posted on X, CoinMarketCap confirmed that threat actors had slipped malicious JavaScript into their homepage through a seemingly innocent doodle image.
How a Doodle Image Became the Smoking Gun
So how did an image become a backdoor?
Well, it wasn’t the image itself. It was the JSON payload linked to it. According to cybersecurity firm c/side, attackers had tampered with the API CoinMarketCap used to serve that doodle.
Once that JSON was loaded, it quietly inserted a script tag referencing static.cdnkit[.]io—an external server controlled by attackers.
And that’s where the damage began.
- The script ran in the user’s browser
- A fake Web3 wallet popup appeared using real CoinMarketCap branding
- Unsuspecting users clicked “Connect,” thinking it was safe
- Their wallet contents were drained silently
This wasn’t a direct breach of CoinMarketCap’s servers. It was something trickier: a supply chain attack. One that worked by compromising a third-party component CoinMarketCap relied on.
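As an added illustration (not code from CoinMarketCap or c/side), here is a check a site could run over a third-party JSON payload before rendering it: it walks every string in the document, extracts embedded script tags, and flags any whose host is not on a first-party allowlist. The field names, the allowlist, the embedding origin and the sample payload are assumptions constructed for the example.

```javascript
// Added example (not CoinMarketCap's or c/side's code). Scans a third-party
// JSON payload for embedded <script> tags and flags any whose host is not on
// a first-party allowlist. Field names, hosts and the sample are assumptions.
const FIRST_PARTY_ORIGIN = "https://coinmarketcap.com"; // assumed embedding origin
const ALLOWED_SCRIPT_HOSTS = new Set(["coinmarketcap.com", "s2.coinmarketcap.com"]);

// Matches <script ... src="..."> with single or double quotes and loose spacing.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Yield [jsonPath, string] for every string leaf in a parsed JSON document.
function* stringLeaves(node, path = "$") {
  if (typeof node === "string") {
    yield [path, node];
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringLeaves(node[i], `${path}[${i}]`);
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) yield* stringLeaves(v, `${path}.${k}`);
  }
}

// One finding per embedded script tag: JSON path, src, resolved host, allowlisted?
// An inline <script> without src is reported too; data payloads never need one.
function findInjectedScripts(jsonText, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const [path, value] of stringLeaves(JSON.parse(jsonText))) {
    if (!/<script\b/i.test(value)) continue;
    let sawSrc = false;
    for (const m of value.matchAll(SCRIPT_SRC_RE)) {
      sawSrc = true;
      let host = null;
      try { host = new URL(m[1], FIRST_PARTY_ORIGIN).hostname; } catch { /* unparsable src */ }
      findings.push({ path, src: m[1], host, allowed: host !== null && allowedHosts.has(host) });
    }
    if (!sawSrc) findings.push({ path, src: null, host: null, allowed: false });
  }
  return findings;
}

// Constructed sample modelled on the incident: a doodle payload whose "html"
// field carries a script tag pointing at a host the site never approved.
const SAMPLE_DOODLE_JSON = JSON.stringify({
  id: "doodle-2025-06-20",
  image: "https://s2.coinmarketcap.com/static/doodle.png",
  html: '<div class="doodle"><script src="https://static.third-party.example/x.js"></script></div>',
});

// A site would refuse to render the payload if any finding is not allowed.
function payloadIsSafe(jsonText) {
  return findInjectedScripts(jsonText).every((f) => f.allowed);
}
```

A Content-Security-Policy `script-src` limited to the same hosts would have stopped the injected tag from executing even if this check were skipped.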
Supply Chain Attacks: Silent, Slippery, and Devastating
Supply chain attacks are nasty because they don’t go after the big fish directly. Instead, they poison the fish’s food.
That’s basically what happened here. CMC trusted an external source to display a fun little graphic. That trust was exploited.
In their analysis, c/side wrote: “Such attacks are hard to detect because they exploit trusted elements of a platform.”
They’re not wrong. From SolarWinds to 3CX, supply chain breaches have made headlines for exactly this reason—they sneak in through the back door everyone forgot to lock.
A Glimpse Into the Drainer Panel
The attackers weren’t exactly shy either.
More technical details started emerging after a threat actor named Rey posted a screenshot of the drainer control panel on Telegram. The panel confirmed some disturbing stats:
- Total stolen: $43,266
- Total victims: 110
- Language used by attackers: French
Here’s a snapshot of what the attackers were tracking:
| Metric | Value |
|---|---|
| Total Wallets Affected | 110 |
| Total Funds Drained | $43,266 |
| Channel Language | French |
| Host Site | static.cdnkit[.]io |
| Popup Spoof | CoinMarketCap Web3 Wallet Connect |
While $43K might not sound like a fortune in crypto terms, that’s not the real point. The point is how it was done—stealthy, smart, and practically invisible until it was too late.
The Bigger Picture: Wallet Drainers Are on the Rise
Unfortunately, this isn’t a one-off.
Wallet drainers have been getting more creative by the month. Gone are the days of old-school phishing emails. Now, you’ll find them embedded in Twitter ads, disguised as browser extensions, or hiding in cloned versions of popular websites.
By some estimates, wallet drainers alone siphoned nearly $500 million in 2024. That’s half a billion gone in less than a year, spread across 300,000+ victims.
Scary numbers.
Mozilla’s even rolled out new measures to spot these scripts in Firefox add-ons. That tells you how real the threat has become.
CoinMarketCap Responds, Users Left Picking Up the Pieces
CoinMarketCap says the hole is patched. Their post on X was quick to reassure users: “We acted immediately… identified the root cause… CoinMarketCap is safe and secure.”
But for the 110 victims, it’s little comfort.
There’s no customer support line for stolen Ethereum. No chargeback button for lost NFTs.
In crypto, self-custody means self-responsibility—and self-risk.
One user wrote on Reddit, “I only had $300 in there, but it still hurts. I’ve been checking that site for years without a second thought.”
That’s exactly what made the attack work.