Hackers exploited CoinMarketCap and Cointelegraph with malicious ads to steal crypto via fake wallet connect prompts.
Crypto scams are evolving. After previously targeting crypto exchanges and trading platforms, hackers are now focusing on popular information sites like CoinMarketCap and Cointelegraph to reach daily visitors.
Binance founder Changpeng Zhao has also highlighted this shift, urging users to remain vigilant and cautious when approving wallet connection requests.
The recent development comes soon after the $82 million hack last week of Iranian crypto exchange Nobitex.
2 days ago CMC, now CT. Hackers are targeting information web sites now. Be careful when authorizing wallet connect.
For CMC, based on initial on-chain analysis, there are 39 victims with a combined loss of $18,570. @CoinMarketCap will cover all losses. https://t.co/egkekyjAYQ
— CZ 🔶 BNB (@cz_binance) June 23, 2025
CoinMarketCap Faces Exploit in Latest Crypto Scam
CoinMarketCap faced a massive exploit on June 20. The crypto data provider faced a front-end breach that caused a fake wallet prompt to appear on its homepage.
The vulnerability was traced to an unauthorized JavaScript embedded within a doodle image, which temporarily disrupted the platform’s interface. The platform promptly acknowledged the issue and responded swiftly, stating:
“Our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when visiting our homepage.”
On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when visited our homepage.…
— CoinMarketCap (@CoinMarketCap) June 21, 2025
In a similar exploit on Sunday, June 22, popular crypto news publication Cointelegraph confirmed a front-end security breach wherein users were exposed to a malicious pop-up which requested on connecting their crypto wallets.
🚨 ALERT: We are aware of a fraudulent pop-up falsely claiming to offer “CoinTelegraph ICO Airdrops” or “CTG tokens” that are appearing on our site.
DO NOT:
– Click on these pop-ups
– Connect your wallets
– Enter any personal informationWe are actively working on a fix.
— Cointelegraph (@Cointelegraph) June 23, 2025
On June 22, scammers launched a fraudulent campaign promoting a fake Cointelegraph token (CTG) and a counterfeit initial coin offering (ICO).
The breach was first flagged by blockchain security platform Scam Sniffer, which revealed that the attackers sought to trick users into granting wallet access. Once connected, the attackers could drain assets from the compromised wallets.
🚨 CoinTelegraph's frontend has been compromised. Please be cautious. pic.twitter.com/sH025Zek8p
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) June 23, 2025
Exploiting JavaScript Codes
Scam Sniffer identified the exploit as originating from a malicious JavaScript payload embedded through the site’s advertising infrastructure.
The code was traced to a domain mimicking AdButler, which had been recently registered and used to deliver a hidden malicious script within a banner advertisement.
Although the messages on each site varied, both incidents employed a nearly identical delivery method: a deceptive pop-up masquerading as a legitimate platform feature.
This seems like a coordinated campaign leveraging ad-based JavaScript exploits to target high-traffic cryptocurrency websites.
next