CoinMarketCap suffered a front-end breach involving malicious JavaScript

CoinMarketCap, the cryptocurrency market data platform with over 340 million monthly visits, faced a front-end compromise earlier today.

The breach involved the injection of malicious JavaScript code into the site’s rotating “Doodles” feature, asking users to “verify wallet,” a pop-up meant to steal their funds.

According to an on-chain analyst going by the pseudonym okHOTSHOT on X, the malicious code was delivered through manipulated JSON files served via CoinMarketCap’s own backend API. 

The data was used to load animated “doodles” on the front page. When one doodle titled “CoinmarketCLAP,” was loaded, it silently executed JavaScript that redirected users to a wallet drainer dubbed “Impersonator,” a deceptive interface to trick them into authorizing token transfers.

The attack was not immediately apparent to all users because the site rotated doodles randomly per visit. Yet, visiting the /doodles/ endpoint reportedly triggered the wallet drainer on every occasion. Blockchain investigators identified a known malicious address receiving token approvals: 0x000025b5ab50f8d9f987feb52eee7479e34a0000.

🚨 CoinMarketCap is Hacked 🚨

POV: you are getting drained (don't try this at home) 👇 pic.twitter.com/cgQhmFkATO

— apoorv.eth (@apoorveth) June 20, 2025

Security experts believe the attack may have exploited a vulnerability in the animation engine used to render the doodles, likely Lottie or a similar tool, allowing arbitrary JavaScript execution through the JSON configuration. 

According to analysts at Coinspect, attackers appeared to have backend access and set an expiration time on the exploit, which could have been planned in advance.

CoinMarketCap gave a public statement on the breach through their official X account, saying: “We’ve identified and removed the malicious code from our site. Our team is continuing to investigate and taking steps to strengthen our security.” 

The company added that the affected pop-up has been removed and systems are fully restored.

Although the attack targeted only the front-end interface, security professionals are pleading with investors to be cautious about access to their wallets. CoinMarketCap is a platform many crypto traders and investors visit on a minute-by-minute basis.

“The scale of this scam could be huge, it looks totally legit, no obvious red flags,” one trader reckoned on social media. “You’re just visiting a site you check daily. Take care out there.”

Experts also believe that users who connected their wallets or approved transactions during the breach window may have already been compromised. As a precaution, those who fell for the malicious requests are advised to revoke any recent token approvals and avoid interacting with similar pop-ups across crypto-related platforms.

As reported by Cryptopolitan on Thursday, one of the largest known data breaches in internet history also took place this week. Over 16 billion usernames and passwords were supposedly leaked. 

BitoPro confirms $11M crypto theft by Lazarus Group

In other related news, Taiwanese cryptocurrency exchange BitoPro confirmed a breach resulting in the theft of approximately $11 million in digital assets. The company linked the attack to the North Korean state-backed hacking group Lazarus. 

According to an X thread published on June 19, it cited similarities to previous incidents involving illicit international fund transfers and unauthorized access to crypto exchanges.

The breach occurred on May 8, 2025, during a routine hot wallet system update. Attackers exploited an employee device to bypass multi-factor authentication using stolen AWS session tokens. Malware implanted via a social engineering attack enabled the hackers to execute commands, inject scripts into the wallet system, and simulate legitimate activity while siphoning funds.

Assets were drained across multiple blockchains, including Ethereum, Solana, Polygon, and Tron, and laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain. 

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now