21.06.2025 13:13
CoinMarketCap swiftly addressed a significant security breach involving a malicious "Verify Wallet" popup that appeared on its website. This popup, designed to steal user funds, was identified and removed within hours of its emergence. The prompt deceptively requested wallet connections and ERC-20 token approvals, a classic phishing technique.
The deceptive popup was flagged as risky by prominent wallet providers such as MetaMask and Phantom, prompting immediate warnings to their users. These warnings, coupled with rapid dissemination of screenshots across social media platforms, amplified the urgency of the situation and alerted the broader cryptocurrency community. Phantom even categorized CoinMarketCap as "unsafe to use" due to the active threat.
Investigations revealed that the compromised animations, specifically the site's rotating "Doodles" feature, served as the entry point for the malicious code. Security researchers determined that compromised JSON files, loaded through CoinMarketCap's API, triggered the fraudulent popup when specific doodles, including one named "CoinmarketCLAP," were displayed. This sophisticated attack leveraged a vulnerability in the animation engine, potentially Lottie, allowing attackers to inject harmful scripts disguised within seemingly innocuous image files. The malicious code linked to a known wallet-draining contract, highlighting the attackers' intent to directly exploit user funds.
Following the incident, CoinMarketCap immediately announced the removal of the malicious code on X (formerly Twitter) and initiated a comprehensive investigation to strengthen website security and prevent future breaches. The rapid response, coupled with the proactive warnings from wallet providers, likely minimized the impact of this sophisticated phishing campaign. The incident underscores the evolving nature of online security threats in the cryptocurrency space and the importance of vigilance among both users and platform providers.
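A defensive check for the delivery path described above, added here as an example that is neither CoinMarketCap's code nor part of the original article: it audits an animation JSON document before it reaches the player and flags embedded expressions, script-like strings, and URLs outside an allowlist. The Lottie-style keys (`x` for expressions, `u`/`p` for asset paths), the function name `auditAnimationJson`, and the sample documents and hosts are assumptions constructed for illustration.

```javascript
// Added example: audit animation JSON before it is handed to the animation player.
// Assumption: Lottie-style layout, where a string under key "x" is an expression
// (script evaluated by players that support expressions) and assets carry URLs.
const SCRIPT_MARKERS = /<script|javascript:|\beval\s*\(|\bdocument\.|\bwindow\.|\bfetch\s*\(|\bimport\s*\(/i;
const URL_RE = /\bhttps?:\/\/[^\s"'<>)]+/gi;

function auditAnimationJson(doc, allowedHosts = []) {
  const findings = [];
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const walk = (node, path) => {
    if (typeof node === "string") {
      // Script-like content has no place in animation data.
      if (SCRIPT_MARKERS.test(node)) findings.push({ path, rule: "script-marker" });
      // Every URL must point at a host the site operator has allowlisted.
      for (const raw of node.match(URL_RE) || []) {
        let host;
        try { host = new URL(raw).hostname.toLowerCase(); } catch { host = null; }
        if (!host || !allowed.has(host)) findings.push({ path, rule: "external-url", host });
      }
    } else if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node && typeof node === "object") {
      for (const [key, value] of Object.entries(node)) {
        const child = `${path}.${key}`;
        // A string under "x" is treated as an embedded expression.
        if (key === "x" && typeof value === "string") findings.push({ path: child, rule: "expression" });
        walk(value, child);
      }
    }
  };
  walk(doc, "$");
  return findings;
}

// Constructed sample documents (not taken from the incident).
const cleanDoc = {
  v: "5.7.4", w: 200, h: 200,
  assets: [{ id: "img_0", w: 64, h: 64, u: "https://static.example.com/doodles/", p: "clap.png" }],
  layers: [{ ty: 2, nm: "clap", ks: { o: { a: 0, k: 100 } } }],
};
const tamperedDoc = {
  v: "5.7.4", w: 200, h: 200,
  assets: [{ id: "img_0", w: 64, h: 64, u: "https://untrusted.example/", p: "clap.png" }],
  layers: [{ ty: 2, nm: "clap", ks: { o: { a: 0, k: 100, x: "/* placeholder expression */ var $bm_rt = 100;" } } }],
};
console.log(auditAnimationJson(cleanDoc, ["static.example.com"]));
console.log(auditAnimationJson(tamperedDoc, ["static.example.com"]));
```

Any finding should block publication of the file rather than only log it, since the player runs in the visitor's browser on the site's own origin.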