Popular cryptocurrency tracking site CoinMarketCap has confirmed it suffered a website supply chain attack that exposed its users to a malicious wallet drainer campaign, resulting in the theft of over $43,000 in crypto.
The attack began on the evening of Friday, January 20, when visitors to CoinMarketCap noticed unexpected Web3 popups urging them to connect their wallets. Once connected, users unknowingly authorized a malicious script that siphoned cryptocurrency from their wallets.
CoinMarketCap explained that the attackers exploited a vulnerability in a “doodle” image displayed on the site's homepage.
“On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call,” the company said.
The malicious code injected into the site came from a tampered JSON payload that included a script tag linked to an external domain, static.cdnkit[.]io, according to cybersecurity firm c/side. The code mimicked a legitimate CoinMarketCap-branded wallet connection request but instead stole funds upon approval.
“This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but a third-party tool or resource used by CMC. Such attacks are hard to detect because they exploit trusted elements of a platform,” c/side explained.
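The mechanism c/side describes, a JSON payload carrying a script tag that points at an external domain, can be caught by treating third-party JSON as untrusted and inspecting it before rendering. The following is an added example, not code from CoinMarketCap or c/side; the allowlist, the payload shape and every host name in it are constructed assumptions.

```javascript
// Added example: vet third-party JSON before any field is written into the page.
// ALLOWED_HOSTS, the payload shape and all host names are constructed assumptions.
const ALLOWED_HOSTS = new Set(["cdn.example.com"]);

// Active markup that has no place in data meant to describe an image.
const MARKUP = /<\s*(script|iframe|object|embed)\b|<[^>]*\son\w+\s*=|javascript:/i;
// Absolute and protocol-relative URLs embedded anywhere in a string value.
const URL_RE = /(?:https?:)?\/\/[^\s"'<>]+/gi;

// Walk every string in the payload and record why it should not be rendered.
function inspectPayload(value, path = "$", findings = []) {
  if (typeof value === "string") {
    if (MARKUP.test(value)) findings.push({ path, reason: "active-markup" });
    for (const raw of value.match(URL_RE) || []) {
      try {
        // The base only resolves "//host/..." forms; it is never contacted.
        const host = new URL(raw, "https://placeholder.invalid").hostname;
        if (!ALLOWED_HOSTS.has(host)) findings.push({ path, reason: "unlisted-host:" + host });
      } catch {
        findings.push({ path, reason: "unparseable-url" });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => inspectPayload(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) inspectPayload(v, `${path}.${k}`, findings);
  }
  return findings;
}

// Fail closed: a single finding means the payload is dropped, not repaired.
function safeToRender(payload) {
  return inspectPayload(payload).length === 0;
}

// Constructed samples: the same doodle record before and after tampering.
const cleanPayload = {
  doodle: { image: "https://cdn.example.com/doodles/launch.png", caption: "Happy launch day" },
};
const tamperedPayload = {
  doodle: {
    image: "https://cdn.example.com/doodles/launch.png",
    caption: 'Happy launch day<script src="//static.untrusted.example/loader.js"></script>',
  },
};

console.log(safeToRender(cleanPayload), inspectPayload(tamperedPayload));
```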
The attackers reportedly used a drainer panel to track stolen funds, and a screenshot of a French-speaking Telegram channel shared on X showed that $43,266 was drained from 110 victims.
CoinMarketCap has since removed the malicious content and secured its systems.
Earlier this month, the Taiwanese cryptocurrency exchange BitoPro linked the May 2025 cyberattack that saw $11,000,000 worth of cryptocurrency stolen to the North Korean hacking group Lazarus. The connection was made based on the fact that “the attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges.”