CoinMarketCap, the cryptocurrency market data platform with over 340 million monthly visits, faced a data breach incident early today.

The breach involved malicious JavaScript injected into the site's rotating 'Doodles' feature, which showed users a 'verify wallet' pop-up aimed at stealing their funds.

According to an on-chain analyst with the pseudonym okHOTSHOT on X, the malware was disseminated through manipulated JSON files provided via CoinMarketCap's back-end API.

This data is used to load animated 'doodles' onto the homepage. When a doodle titled 'CoinmarketCLAP' is loaded, it silently executes JavaScript that redirects users to a wallet withdrawal interface named 'Impersonator,' a phishing interface designed to trick them into authorizing token transfers.

The attack is not always apparent to all users as the site rotates random doodles for each visit. However, accessing the /doodles/ endpoint has reportedly triggered the wallet withdrawal process every time. Blockchain investigators have identified a known malicious address that is receiving token approvals: 0x000025b5ab50f8d9f987feb52eee7479e34a0000.

Security experts believe the attack may have exploited a vulnerability in the animation tool used to display the doodles, potentially Lottie or a similar tool, allowing arbitrary JavaScript execution via JSON configuration.

According to analysts at Coinspect, the attacker seems to have had access to the back-end and set a timeout for the vulnerability, which may have been pre-planned.

CoinMarketCap issued a public statement regarding the breach through their official X account, stating: 'We have identified and removed the malware from our website. Our team is continuing to investigate and taking steps to enhance security.'

The company further stated that the affected pop-up has been removed and the system has been fully restored.

Although the attack targeted only the front-end interface, security experts are urging investors to be cautious when accessing their wallets. CoinMarketCap is a platform that many traders and cryptocurrency investors visit every minute.

'The scale of this fraud could be immense, appearing completely legitimate, with no clear warning signs,' a trader commented on social media. 'You are just accessing a website you check daily. Be careful out there.'

Experts also believe that users who connected wallets or approved transactions during the breach may have been compromised. As a precaution, those who fell victim to the malicious trap are advised to revoke any recent token approvals and avoid interacting with similar pop-ups on cryptocurrency-related platforms.
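As an added example (not from the article or from CoinMarketCap), the JavaScript below decodes raw transaction input data and flags approval calls that name the address reported above as the spender, which is the kind of record a user would look for before revoking. The function selectors are the standard ERC-20 and ERC-721 ones; the transaction labels and calldata are constructed samples, and the article does not say which approval call the phishing interface requested.

```javascript
// Added example: find approval calls whose spender is the address reported in the article.
const REPORTED_SPENDER = '0x000025b5ab50f8d9f987feb52eee7479e34a0000'; // value taken from the article

// Standard 4-byte selectors for calls that hand spending rights to another address.
const SELECTORS = {
  '095ea7b3': 'approve(address,uint256)',
  '39509351': 'increaseAllowance(address,uint256)',
  'a22cb465': 'setApprovalForAll(address,bool)',
};
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  // Selector (4 bytes) plus two 32-byte ABI words is 136 hex characters.
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 136) return null;
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) return null;
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  // An address is right-aligned in its word, so the upper 12 bytes must be zero.
  if (!/^0{24}/.test(word1)) return null;
  const spender = '0x' + word1.slice(24);
  const value = BigInt('0x' + word2);
  // "Grants all" means an unlimited allowance, or operator rights over every NFT.
  const grantsAll = signature.startsWith('setApprovalForAll') ? value === 1n : value === MAX_UINT256;
  return { signature, spender, value, grantsAll };
}

function reviewTransactions(txs) {
  return txs
    .map((tx) => ({ hash: tx.hash, approval: decodeApproval(tx.input) }))
    .filter((r) => r.approval && r.approval.spender === REPORTED_SPENDER)
    .map((r) => ({ hash: r.hash, signature: r.approval.signature, grantsAll: r.approval.grantsAll }));
}

// Constructed sample inputs (labels and calldata are illustrative, not real transactions).
const pad = (h) => h.replace(/^0x/, '').padStart(64, '0');
const OTHER_SPENDER = '0x1111111111111111111111111111111111111111'; // placeholder address
const SAMPLE_TXS = [
  { hash: 'tx-1', input: '0x095ea7b3' + pad(REPORTED_SPENDER) + 'f'.repeat(64) },
  { hash: 'tx-2', input: '0x095ea7b3' + pad(OTHER_SPENDER) + pad('0x64') },
  { hash: 'tx-3', input: '0xa22cb465' + pad(REPORTED_SPENDER) + pad('0x1') },
  { hash: 'tx-4', input: '0xa9059cbb' + pad(REPORTED_SPENDER) + pad('0x64') }, // transfer, not an approval
];

console.log(reviewTransactions(SAMPLE_TXS));
```

A match only shows that an approval was signed; the allowance stays in force on the token contract until it is revoked.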

According to a report by Cryptopolitan on Thursday, one of the largest data breaches known in internet history also occurred this week. More than 16 billion usernames and passwords are believed to have been leaked.

BitoPro confirms $11 million cryptocurrency theft by Lazarus Group

In other related news, the Taiwanese cryptocurrency exchange BitoPro confirmed a breach that resulted in the theft of approximately $11 million in digital assets. The company linked the attack to the state-sponsored hacking group Lazarus.

A thread on X published on June 19 cited similarities with previous incidents involving illegal international money transfers and unauthorized access to cryptocurrency exchanges.

The breach occurred on May 8, 2025, during the routine update of the hot wallet system. The attacker exploited an employee's device to bypass multi-factor authentication using a stolen AWS session token. Malware was implanted through a social engineering attack that allowed the hacker to execute commands, inject scripts into the wallet system, and simulate legitimate activity while withdrawing funds.

Assets have been transferred across various blockchains, including Ethereum, Solana, Polygon, and Tron, and laundered through decentralized exchanges and mixers like Tornado Cash, Wasabi Wallet, and ThorChain.