Crypto data aggregator CoinMarketCap has confirmed the removal of malicious code that was recently injected into its website, which prompted users with a fraudulent popup asking them to "verify" their wallets. The incident has raised new concerns over security vulnerabilities on high-traffic crypto platforms.
The issue, first acknowledged by CoinMarketCap on Friday via its official X account, involved a phishing-style popup that reportedly targeted unsuspecting visitors with a fake wallet verification message.
The company announced it had swiftly taken down the malicious code, though investigations are still ongoing to determine the full scope and origin of the breach.
"We’ve identified and removed the malicious code from our site," the company stated, adding that "our team is continuing to investigate and taking steps to strengthen our security."
The update came just three hours after CoinMarketCap initially acknowledged the suspicious popup. That initial response followed growing speculation and user warnings circulating on social media, particularly on X, as users noticed and flagged the suspicious behavior on the site.
Phishing Popup Triggers Immediate Alarm
The malicious popup prompted users to connect their crypto wallets under the guise of a security verification process. Several crypto users, including prominent on-chain watchers, warned that the scam was phishing for wallet credentials and token permissions.
Crypto user Auri posted a screenshot of the popup and warned that it requested users to connect their wallet and approve access to ERC-20 tokens - a tactic commonly used in wallet-draining schemes. Once token approvals are granted, malicious actors can transfer assets without further user interaction.
This kind of scam is not new but has become increasingly sophisticated, exploiting both social engineering and trust in major platforms to trick users into compromising their wallets. The scam was quickly identified by leading wallet providers. MetaMask and Phantom were both reported to have flagged the CoinMarketCap domain as unsafe during the attack window.
Crypto user Jet shared that Phantom, a popular wallet for Solana and Ethereum-based assets, had issued a browser warning labeling CoinMarketCap as "unsafe to use." This automatic red-flagging by wallets is designed to prevent users from engaging with potentially compromised domains.
As of the time of writing, security teams from multiple browser-based wallets continue to monitor the situation to prevent additional phishing damage. CoinMarketCap has reiterated that users should avoid connecting their wallets to any popups or prompts that do not originate from verified and trusted wallet interfaces.
Ongoing Investigation into Attack Vector
While CoinMarketCap claims to have removed the malicious code, the attack vector used to inject it remains unclear. The company has not yet confirmed whether the site itself was compromised or if the attack originated via third-party integrations, such as advertising scripts, which have historically been exploited on high-traffic platforms.
The firm has emphasized that a full investigation is still underway and that additional security measures are being implemented. CoinMarketCap has not disclosed whether any users were affected or how long the malicious code was active before discovery and removal.
The latest incident brings renewed attention to a previous breach suffered by CoinMarketCap in October 2021, when more than 3.1 million user email addresses were leaked. At the time, the breach was confirmed after the stolen data appeared on hacking forums and was indexed by data breach notification service Have I Been Pwned.
Although no passwords or personal data were reportedly compromised in the 2021 breach, the appearance of another security incident on CoinMarketCap's platform has renewed concerns about the site's ability to safeguard its infrastructure and users.
Given CoinMarketCap's prominence as a go-to data source for cryptocurrency prices, market caps, and token tracking, any security lapse on its platform has wide-reaching implications across the industry. Phishing popups on such platforms can lead to significant asset losses due to the level of trust users place in them.
The Rising Trend of Targeted Crypto Phishing
The CoinMarketCap incident is part of a broader trend of increasingly sophisticated phishing scams targeting crypto users. According to Chainalysis, phishing and social engineering attacks accounted for over $1 billion in crypto losses in 2023, a figure expected to rise further in 2025 as attackers exploit weaknesses in trusted platforms.
Web3 security experts note that these attacks often begin by compromising content delivery networks, plugins, or advertising layers on legitimate websites. Once injected, malicious scripts can execute actions such as displaying wallet connection prompts, injecting rogue approval requests, or redirecting users to fake interfaces.
In light of this incident, CoinMarketCap users are being urged to remain vigilant and to verify any wallet prompts they encounter online. Security experts recommend only using official wallet applications, disabling automatic token approvals, and leveraging tools like revoke.cash to review active permissions on a wallet.
MetaMask and other wallets have also begun ramping up warning systems, browser flags, and AI-powered detection to proactively catch and block these attacks.
Meanwhile, the crypto industry continues to push for better security standards and responsible disclosure mechanisms among data platforms. CoinMarketCap, owned by Binance since 2020, faces increased scrutiny to ensure its infrastructure is up to par with its status as the most visited crypto data platform globally.
Industry Reactions
The incident has sparked conversation across the crypto community, with many calling for better transparency from CoinMarketCap regarding how the attack occurred and what preventative measures will be taken in the future.
Security researchers have also emphasized the importance of industry-wide collaboration to share intelligence on emerging threats. In a decentralized ecosystem, the responsibility for safety falls not just on users, but on platforms and infrastructure providers to detect, communicate, and contain threats in real time.
Some industry watchers also pointed out the reputational risks that high-profile attacks pose to the broader crypto industry, especially at a time when mainstream adoption and regulatory scrutiny are increasing.
CoinMarketCap’s quick removal of the phishing popup demonstrates responsiveness, but the attack highlights ongoing vulnerabilities in the crypto industry's web infrastructure. As the investigation continues, users and platforms alike are reminded of the importance of proactive security, rapid response protocols, and user education to prevent asset loss and maintain trust.