76 wallets drained in CoinMarketCap frontend exploit
Cybersecurity experts explain how the attack could have been prevented
Pencil_man17/Shutterstock and Adobe modified by Blockworks
This is a segment from The Drop newsletter. To read full editions, subscribe.
A security flaw on CoinMarketCap’s website let an attacker briefly add a malicious pop-up onto the homepage that resulted in victims losing thousands of dollars.
The MetaMask team warned users on Friday evening against connecting their wallets to CoinMarketCap’s website because the coin tracker’s frontend had been compromised to push a wallet drainer scam.
About an hour later, CoinMarketCap confirmed that visitors to its site should not connect their wallets when prompted.
Later that evening, CMC explained that a vulnerability in a “doodle image” on its homepage “contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users.”
Crypto cybersecurity firm Coinspect Security said it was able to recreate the JavaScript injection vulnerability that facilitated the CMC wallet drainer attack via an exploit in Lottie animation JSON files.
Three cybersecurity experts from other firms separately confirmed to me over the weekend that Coinspect’s assessment of the incident is accurate.
Trey Blalock, founder of cybersecurity firm Verification Labs, told me he was able to retrieve copies of CoinMarketCap’s source code using the Internet Archive’s Wayback Machine to examine the incident.
Image of the malicious pop-up on CoinMarketCap’s site.
“What is immediately noticeable is the heavy use of Scalable Vector Graphic (.SVG) images,” Blalock said of CMC’s site. “SVG is an excellent format for creating performant websites that look great across various display sizes, but recent security vulnerabilities have allowed attackers to embed HTML script tags inside SVG images that contain URLs to an attacker-controlled website, enabling them to execute a form of cross-site scripting.”
What can CMC and other sites do to avoid attacks like this in the future?
Blalock said companies should use security tools that test site elements and look for scripts within SVG files.
“This is relatively easy to do, but it is rarely done,” he said.
C/Side Security Analyst Himanshu Anand also noted that sites need to vet all third-party integrations more carefully.
“They should monitor client-side activity continuously to detect and alert on unusual behaviors like DOM (JavaScript) injections,” Anand said, adding: “Platforms should treat every external asset as a potential entry point for malicious code. Real protection means watching what actually runs in the browser, not just what’s served from your own systems.”
Nic Adams, CEO and cofounder at cybersecurity firm 0rcus, said eliminating all third-party JSON dependencies is another security strategy.
“Browser-in-the-browser style phishing has changed: Bad actors can embed interactive brand-perfect overlays that trick users into approving malicious transactions,” Adams said in a message.
CMC said late Friday night that it had fixed the issue, and vowed to keep its support team available to anyone with concerns.
On Monday, CMC said it will reimburse all 76 accounts that lost funds as a result of the attack, and said that $21,624.47 was lost in total.
But that’s not all — Cointelegraph also experienced a similar incident over the weekend on Saturday. Attackers used the crypto news site’s frontend to inject a malicious phishing pop-up for a fake airdrop.
Cointelegraph said early Monday morning its banner publishing system had been compromised, but it has since removed the unauthorized code. We don’t yet know how many might have been impacted by this incident.
Binance CEO CZ warned: “Hackers are targeting information web sites now. Be careful when authorizing wallet connect.”
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- 0xResearch: Alpha directly in your inbox.
- Lightspeed: All things Solana.
- The Drop: Apps, games, memes and more.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
