Key Takeaways
- CoinMarketCap’s front end was compromised, displaying unauthorized wallet verification pop-ups to users.
- The breach exploited a backend API vulnerability linked to the platform’s doodles feature, prompting an ongoing investigation.
Share this article
CoinMarketCap’s front end was compromised on June 20, with its webpage displaying unauthorized pop-up messages asking visitors to verify their crypto wallets. The malicious pop-up was first flagged by several crypto community members.
The platform’s team confirmed the incident and warned users against connecting their wallets while they investigate and work to resolve the issue.
🚨 Security Alert
We’re aware that a malicious pop-up prompting users to “Verify Wallet” has appeared on our site.
⚠️ Do NOT connect your wallet.
Our team is actively investigating and working to resolve the issue.
— CoinMarketCap (@CoinMarketCap) June 20, 2025
Blockchain security service provider Coinspect Security has uncovered that CoinMarketCap’s backend API is delivering manipulated JSON payloads designed to inject malicious JavaScript through its rotating “doodles” feature.
🚨 CoinMarketCap’s backend API serves manipulated JSON data that injects malicious JavaScript through the rotating “doodles” feature. Not all users see it, since the doodle shown varies per visit. The injected wallet drainer always loads if you visit /doodles/ pic.twitter.com/13o9aB7JlW
— Coinspect Security (@coinspect) June 20, 2025
Yes, CoinMarketCap drainer loaded from a “doodle” JSON file. Lottie is a JSON-based animation file format that enables designers to easily ship animations on any platform. We are investigating this injection vector and other web sites and dApps must consider it. https://t.co/hac2PdFe48
— Coinspect Security (@coinspect) June 20, 2025
Also today, Crypto Briefing noticed signs of a similar security incident on another popular crypto website.
The webpage displayed a pop-up claiming an “exclusive airdrop” opportunity, which was distinct from the CoinMarketCap incident but similarly prompted visitors to connect their wallets through claiming the airdrop.
Crypto Briefing was unable to confirm whether the site’s front-end was compromised, given that the suspicious behavior appeared to last only around five minutes. The site quickly returned to normal, and the pop-up was no longer visible.
The breach follows a cybersecurity report from Cybernews revealing 16 billion exposed passwords in one of the largest data breaches in history, affecting access to major platforms including Facebook, Google, and Apple.
Experts recommend that users update passwords for all major accounts, especially those connected to sensitive services such as work platforms. Users are strongly advised to use a password manager to generate strong, unique passwords for each account.
Extra security measures, including enabling two-factor authentication (2FA) and closely monitoring accounts, should also be considered.
Share this article