
CoinMarketCap hit by front-end JavaScript breach.

21.06.2025 06:17

CoinMarketCap, a prominent cryptocurrency data platform with over 340 million monthly users, suffered a significant security breach earlier today. The attackers inserted malicious JavaScript into the platform's rotating "Doodles" feature, a seemingly innocuous element of the site's design. Hidden in the doodles, the code prompted users to "verify their wallets," a classic phishing lure designed to drain cryptocurrency.

Analysis by an on-chain analyst known as okHOTSHOT on X revealed a sophisticated delivery method. Manipulated JSON files, served from CoinMarketCap's own backend API, carried the malicious code. Specifically, a doodle titled "CoinmarketCLAP" triggered the execution of JavaScript that silently redirected victims to a fraudulent wallet interface, dubbed "Impersonator," which was used to obtain unauthorized token transfers. Because the doodle rotation was random, not every user encountered the malicious code, though loading the `/doodles/` endpoint consistently triggered the attack. Blockchain forensics identified a specific malicious address, 0x000025b5ab50f8d9f987feb52eee7479e34a0000, as the recipient of the stolen funds.

Security experts suspect the attackers leveraged a vulnerability within the animation engine responsible for rendering the doodles, potentially Lottie or a similar technology. This vulnerability allowed the execution of arbitrary JavaScript through manipulated JSON configurations. Further investigation by Coinspect analysts indicates a possible pre-planned attack, evidenced by the attackers' apparent backend access and the setting of an expiration time for the malicious code.
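As an added defensive illustration (not code from CoinMarketCap or from any of the analysts cited above), the following JavaScript scans an animation configuration fetched from an API before it reaches the renderer: it flags keys that an expression-capable animation engine could evaluate and string values carrying inline markup or event handlers. The key names, detection patterns and sample configurations are assumptions constructed for this example.

```javascript
// Added example: pre-render validation of a doodle/animation JSON config.
// Assumption: keys such as "x" (Lottie-style expression fields), "html" and
// "script" are treated as executable and are never accepted from the backend.
const EXECUTABLE_KEYS = new Set(["x", "expression", "script", "html", "innerHTML"]);
// Assumption: string values containing these fragments are treated as markup
// that a renderer might inject into the DOM.
const SCRIPT_PATTERNS = [/<\s*script\b/i, /javascript\s*:/i, /\bon[a-z]+\s*=/i, /<\s*iframe\b/i];
const MAX_DEPTH = 64; // guard against pathological nesting

// Walks the config and returns a list of {path, reason} findings; empty = clean.
function findExecutableContent(node, path = "$", depth = 0, findings = []) {
  if (depth > MAX_DEPTH) {
    findings.push({ path, reason: "nesting too deep" });
    return findings;
  }
  if (typeof node === "string") {
    const hit = SCRIPT_PATTERNS.find((re) => re.test(node));
    if (hit) findings.push({ path, reason: `matches ${hit}` });
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findExecutableContent(v, `${path}[${i}]`, depth + 1, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (EXECUTABLE_KEYS.has(key)) findings.push({ path: childPath, reason: "executable key" });
      findExecutableContent(value, childPath, depth + 1, findings);
    }
  }
  return findings;
}

// Gatekeeper the page would call before handing the config to the animation engine.
function isSafeDoodle(config) {
  return findExecutableContent(config).length === 0;
}

// Constructed samples (not the real payload). Lottie-like layout: nm = name,
// ks = transform, o = opacity, k = value, x = expression.
const benignDoodle = { title: "Weekend doodle", layers: [{ nm: "clap", ks: { o: { k: 100 } } }] };
const suspiciousDoodle = {
  title: "Holiday doodle",
  layers: [{ nm: "clap", ks: { o: { k: 100, x: "var $bm_rt = value;" } } }],
  html: '<div onclick="verifyWallet()">Verify your wallet</div>',
};

console.log(isSafeDoodle(benignDoodle));      // true
console.log(findExecutableContent(suspiciousDoodle)); // three findings: x key, html key, onclick= handler
```

Allowlisting the schema the renderer actually needs is stricter than this blocklist; the pattern scan is a second line of defence, not a substitute for serving doodles from trusted, signed assets.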

CoinMarketCap acknowledged the breach via its official X account, confirming removal of the malicious code and assuring users of an ongoing investigation and enhanced security measures. It reported that the compromised pop-up had been removed and its systems fully restored. Although the attack was confined to the front end, security professionals are still assessing the full extent of the breach and the potential for further vulnerabilities. The incident underscores the persistent threat of sophisticated attacks against even the largest cryptocurrency platforms.