
A major security breach at CoinMarketCap, a top cryptocurrency data platform, has exposed millions of users to a wallet-draining scam, raising fresh concerns about safety in the crypto industry. Attackers infiltrated the site with fake wallet verification pop-ups, tricking users into connecting their wallets and potentially losing their funds.
This incident, hitting one of the most trusted names in crypto, highlights the escalating risks as digital assets grow in popularity and cybercriminals sharpen their tactics.
The breach came to light on June 20, 2025, when a user on X, Auri (@Auri_0x), flagged suspicious activity and shared a screenshot warning, “!!! @coinmarketcap IS HACKED,” showing a deceptive “Verify Wallet” pop-up.
!!! @coinmarketcap IS HACKED
When you browse, it asks to connect wallet and then asks for approvals to erc20 tokens pic.twitter.com/1tRzfpa6db
— Auri (@Auri_0x) June 20, 2025

As the news spread, CoinMarketCap reacted quickly, posting a security warning on X: “We’re aware that a malicious pop-up prompting users to ‘Verify Wallet’ has appeared on our site. Do NOT connect your wallet.”
The platform later confirmed that the malicious code had been removed, though its investigation remains ongoing.
Update: We've identified and removed the malicious code from our site.
Our team is continuing to investigate and taking steps to strengthen our security.
— CoinMarketCap (@CoinMarketCap) June 21, 2025
Here’s how it went down
According to the technical analysis provided by Coinspect Security, a blockchain security firm, attackers exploited a vulnerability in CoinMarketCap’s backend API, specifically within the "doodles" feature, a component of the site that rotates visual elements.
This flaw allowed attackers to inject malicious JavaScript into the site’s front-end through manipulated JSON payloads: the front-end trusted the content returned by the API and rendered it without sanitization. As a result, users encountered fake wallet verification pop-ups designed to trick them into connecting their wallets and approving transactions, potentially leading to the loss of funds.
Easy to reproduce: pic.twitter.com/CrGSi5KuO0
— Coinspect Security (@coinspect) June 21, 2025
In plain terms: attackers exploited a flaw in CoinMarketCap’s backend API and injected malicious JavaScript into the site’s front-end, triggering fake pop-ups that mimicked legitimate wallet prompts. Approving these could drain ERC-20 tokens (a common type of cryptocurrency token on Ethereum) from users’ wallets, much like a digital pickpocket slipping into a trusted app.
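The defensive lesson from the "doodles" flaw is that JSON returned by a backend API is untrusted input for the front-end and must never be rendered as raw markup. The following is an added illustration, not CoinMarketCap's or Coinspect's code: a strict allowlist validator plus an HTML-escaping renderer for a hypothetical doodle payload. The field names (imageUrl, altText, linkUrl) and the allowed image host are assumptions for this example.

```javascript
// Added example (not the site's code). The unsafe pattern being avoided is
// `el.innerHTML = payload.html`: any markup the API returns runs in the page.
// Field names and the allowed host below are assumptions for illustration.

const ALLOWED_IMAGE_HOSTS = new Set(["static.example-cdn.test"]); // assumed

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Accept only the fields the UI needs, with the expected types and values.
// Extra keys (e.g. "html"), non-https URLs or unknown hosts reject the whole
// payload instead of being rendered.
function validateDoodle(payload) {
  if (typeof payload !== "object" || payload === null) return null;
  const allowedKeys = ["imageUrl", "altText", "linkUrl"];
  for (const key of Object.keys(payload)) {
    if (!allowedKeys.includes(key)) return null;
  }
  if (typeof payload.imageUrl !== "string" || typeof payload.altText !== "string") return null;
  let img;
  try { img = new URL(payload.imageUrl); } catch { return null; }
  if (img.protocol !== "https:" || !ALLOWED_IMAGE_HOSTS.has(img.hostname)) return null;
  let link = null;
  if (payload.linkUrl !== undefined) {
    if (typeof payload.linkUrl !== "string") return null;
    try { link = new URL(payload.linkUrl); } catch { return null; }
    if (link.protocol !== "https:") return null; // also blocks javascript: URLs
  }
  return { imageUrl: img.href, altText: payload.altText.slice(0, 200), linkUrl: link ? link.href : null };
}

// Build markup only from the validated object, escaping every value, so a
// payload that smuggles tags into altText shows up as visible text, not code.
function renderDoodle(payload) {
  const d = validateDoodle(payload);
  if (d === null) return ""; // render nothing rather than untrusted markup
  const img = `<img src="${escapeHtml(d.imageUrl)}" alt="${escapeHtml(d.altText)}">`;
  return d.linkUrl ? `<a href="${escapeHtml(d.linkUrl)}">${img}</a>` : img;
}
```

In a real front-end the same rule applies when building DOM nodes: create elements and set textContent or individual attributes from the validated object, never assign API content to innerHTML.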
This breach isn’t a one-off. The crypto world has seen a surge in attacks, from Bybit’s $1.4 billion Ethereum heist to CoinStats’ compromise of 1,590 wallets.
At the time of publication, users with the Phantom wallet browser extension are shown a warning that the website is “unsafe to use.” MetaMask posted a warning on June 21, 2025: “Exercise extreme caution. These types of wallet ‘verifications’ are essentially always scams/drainers.”
Protect yourself with these steps:
- Don’t connect your wallet to unexpected prompts.
- Double-check URLs for HTTPS and authenticity.
- Use a hardware wallet (a physical device for storing crypto offline).
- Revoke suspicious permissions via Etherscan’s token approval checker.
Coinspect Security’s detailed technical analysis provides the most comprehensive explanation of how the attackers exploited the backend API and is the primary source for this account.
With hackers eyeing crypto’s rise, staying vigilant is non-negotiable.