CoinMarketCap Wallet Drainer Attack Stole Crypto From Over 100 Users


CoinMarketCap, a leading crypto price tracker, briefly fell victim to a supply chain attack on June 20, 2025. Visitors to the site unknowingly interacted with a malicious Web3 popup, which prompted them to connect their wallets. Once users complied, a hidden script drained over $43,000 worth of crypto from at least 110 wallets. The attack stemmed from a compromised doodle image on CoinMarketCap’s homepage that injected harmful JavaScript via a tampered API. 

Key Takeaways:

  • Date of breach: June 20, 2025
  • Exploit type: Homepage doodle script injection via API
  • Stolen funds: $43,266 from 110 wallets
  • Delivery method: Fake Web3 popup using CMC branding
  • Source: Malicious script from static.cdnkit[.]io
  • Nature of attack: Supply chain via third-party resource
  • Ongoing risk: Wallet drainers stole ~$500M in 2024 alone

The malicious script was delivered from a third-party domain, static.cdnkit[.]io, through a JSON payload linked to the doodle. It triggered a fake wallet connection prompt mimicking CoinMarketCap’s design, leading users to believe the prompt was legitimate. The attackers used this trick to access and empty connected wallets.

CoinMarketCap confirmed the breach on X, explaining that its security team acted swiftly to remove the compromised content and fix the issue. “All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” their statement read. They’ve since isolated the vulnerability and implemented safeguards to prevent similar incidents.

Cybersecurity firm c/side analyzed the attack and classified it as a supply chain compromise. The attackers didn’t breach CoinMarketCap’s core servers directly. Instead, they manipulated a third-party element the site trusted—making detection significantly harder.
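
A site that renders a JSON payload like the doodle described above can audit it before use, flagging any resource host outside an allowlist and any markup smuggled into a data field. This is an added example, not code from CoinMarketCap or c/side; the payload shape, field names and host names are constructed assumptions.

```javascript
// Added example: audit a JSON "doodle" payload before it is rendered.
// Payload shape and every host name here are constructed assumptions.
const ALLOWED_HOSTS = new Set(["static.site.example", "api.site.example"]);

// Absolute and protocol-relative URLs embedded anywhere in a string value.
const URL_RE = /(?:https?:)?\/\/[^\s"'<>)]+/gi;

function auditPayload(node, allowed = ALLOWED_HOSTS, path = "$", findings = []) {
  if (typeof node === "string") {
    for (const raw of node.match(URL_RE) || []) {
      let host;
      try {
        host = new URL(raw.startsWith("//") ? "https:" + raw : raw).hostname;
      } catch {
        findings.push({ path, reason: "unparseable-url", value: raw });
        continue;
      }
      // Exact host match only: a suffix or substring test would accept
      // lookalikes such as static.site.example.evil.test.
      if (!allowed.has(host.toLowerCase())) {
        findings.push({ path, reason: "host-not-allowlisted", value: host });
      }
    }
    // Script tags, inline handlers or javascript: URLs in a data field.
    if (/<script\b|\bon\w+\s*=|javascript:/i.test(node)) {
      findings.push({ path, reason: "active-content", value: node.slice(0, 60) });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => auditPayload(v, allowed, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      auditPayload(v, allowed, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Constructed samples; cdn.untrusted.example stands in for a third-party host.
const cleanDoodle = { name: "summer", image: "https://static.site.example/doodle.png" };
const tamperedDoodle = {
  name: "summer",
  image: "https://static.site.example/doodle.png",
  animation: { layers: [{ src: "//cdn.untrusted.example/assets/anim.json" }] },
  caption: "<img src=x onerror=\"load()\">",
};

const isSafeToRender = (payload) => auditPayload(payload).length === 0;
```

A check like this belongs on the server or in the publishing pipeline, so a tampered payload is rejected before any visitor's browser receives it.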

A threat actor known as Rey later shared a screenshot of the attacker’s drainer panel in a Telegram group, where the cybercriminals communicated in French. The panel confirmed the amount stolen and the number of victims.

This incident adds to the growing list of Web3 wallet drainer attacks. Unlike typical phishing scams, wallet drainers often spread through spoofed websites, ads, browser extensions, and fake popups. In 2024 alone, these attacks siphoned nearly $500 million from over 300,000 wallets.

In response to the rising threat, Mozilla has begun scanning browser extensions submitted to the Firefox Add-on store for wallet-draining behavior. While CoinMarketCap has resolved this breach, the episode underscores how vulnerable even well-established platforms can be through third-party assets.

Author

  • Maya Pillai is a tech writer with 20+ years of experience and a diploma in Computer Applications. She specializes in cybersecurity—covering ransomware, endpoint protection, and online threats—on her blog The Review Hive. Her content makes cybersecurity simple for individuals and small businesses. Maya also mentors content writers at mayapillaiwrites.com, combining technical know-how with storytelling. She’s eligible for the (ISC)² Certified in Cybersecurity exam.
