76 Crypto Wallets Hacked in Shocking CoinMarketCap Frontend Exploit

Author:
Blockworks
Published:
2025-06-24 02:24:11

Crypto data giant's security flaw turns into a free-for-all for hackers.

Subheader: The breach that shouldn't have happened

Seventy-six digital wallets got emptied faster than a Bitcoin maximalist's patience during a bear market. The exploit? A frontend vulnerability in CoinMarketCap—the very platform millions trust for market data.

Subheader: Security theater meets DeFi reality

No fancy smart contract hack here. Attackers bypassed basic web security protocols, proving once again that in crypto, the weakest link isn't the blockchain—it's the interfaces we build around it.

Subheader: The aftermath

While the exact haul remains undisclosed, industry insiders whisper 'eight figures'—chump change for Wall Street, but another black eye for crypto's institutional adoption dreams.

Closing thought: Maybe next time we'll audit the frontends like we audit the smart contracts. (Just kidding—that would cut into the marketing budget.)

Image of the malicious pop-up on CoinMarketCap’s site.

“What is immediately noticeable is the heavy use of Scalable Vector Graphic (.SVG) images,” Blalock said of CMC’s site. “SVG is an excellent format for creating performant websites that look great across various display sizes, but recent security vulnerabilities have allowed attackers to embed HTML script tags inside SVG images that contain URLs to an attacker-controlled website, enabling them to execute a form of cross-site scripting.”

What can CMC and other sites do to avoid attacks like this in the future?

Blalock said companies should use security tools that test site elements and look for scripts within SVG files. 

“This is relatively easy to do, but it is rarely done,” he said.
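The check Blalock describes, a scan of SVG assets for embedded script before they are published, can be done with a short static scanner. The following is an added example written for this article; it is not code from Blockworks, CoinMarketCap or c/side, and the file names and SVG snippets in it are constructed for illustration. It flags the constructs that let an inlined SVG run or pull in code: script elements, on* event-handler attributes, javascript:/data: URLs, SMIL elements that rewrite an href at runtime, foreignObject and similar HTML hosts, and references to external hosts.

```python
"""
Static scanner for the SVG constructs that let an image carry script or
external references when it is inlined in a page.  Added example, not code
from Blockworks, CoinMarketCap or c/side; the file names and SVG snippets
below are constructed for illustration.

Standard library only.  For SVGs from untrusted uploads, parse with
defusedxml instead of xml.etree so entity-expansion tricks cannot be used
against the scanner itself.
"""
import re
import xml.etree.ElementTree as ET

# URL schemes that execute or smuggle content instead of pointing at an asset
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)
# Absolute or protocol-relative URL, i.e. a fetch from another origin
EXTERNAL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)
# Elements that can host arbitrary HTML or remote documents inside an SVG
HOST_ELEMENTS = {"foreignobject", "iframe", "embed", "object"}


def _local(name):
    """Strip the '{namespace}' prefix xml.etree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of 'SEVERITY: description' findings for one SVG document.

    An empty list means none of the checked constructs were present.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"HIGH: unparseable SVG ({exc})"]

    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("HIGH: <script> element")
        elif tag in HOST_ELEMENTS:
            findings.append(f"HIGH: <{tag}> element can host HTML or remote content")
        elif tag in {"animate", "set"}:
            # SMIL can rewrite href at runtime, hiding the real target from a static look
            target = elem.get("attributeName", "").split(":")[-1].lower()
            if target == "href":
                findings.append(f"HIGH: <{tag}> rewrites an href at runtime")
        elif tag == "style" and "@import" in (elem.text or ""):
            findings.append("MEDIUM: <style> imports an external stylesheet")

        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                findings.append(f"HIGH: event handler {aname} on <{tag}>")
            elif aname == "href":
                if ACTIVE_SCHEME.match(value):
                    scheme = value.split(":", 1)[0].strip().lower()
                    findings.append(f"HIGH: {scheme}: URL on <{tag}>")
                elif EXTERNAL.match(value) and tag != "a":
                    # A remote <use>/<image> is fetched from a host the site does not control
                    findings.append(f"MEDIUM: external reference on <{tag}> -> {value}")
    return findings


def scan_all(files):
    """Scan a {filename: svg_text} mapping; return {filename: findings} for files that have any."""
    return {name: f for name, text in files.items() if (f := scan_svg(text))}


# Constructed sample assets; the "placeholder()" calls are inert stand-ins, not payloads
SAMPLE_SVGS = {
    "logo-clean.svg": '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                      '<circle cx="5" cy="5" r="4"/></svg>',
    "banner-script.svg": '<svg xmlns="http://www.w3.org/2000/svg">'
                         '<script>/* constructed placeholder */</script></svg>',
    "icon-onload.svg": '<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">'
                       '<rect width="1" height="1"/></svg>',
    "link-js.svg": '<svg xmlns="http://www.w3.org/2000/svg" '
                   'xmlns:xlink="http://www.w3.org/1999/xlink">'
                   '<a xlink:href="javascript:placeholder()"><text>x</text></a></svg>',
    "foreign.svg": '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                   '<div xmlns="http://www.w3.org/1999/xhtml">x</div></foreignObject></svg>',
    "remote-use.svg": '<svg xmlns="http://www.w3.org/2000/svg">'
                      '<use href="https://example.invalid/sprite.svg#icon"/></svg>',
}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_SVGS).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Run this as a pre-publish gate on the asset directory (or as a CI step that fails on any HIGH finding); anything flagged is a file that has no business in an inline-rendered image. Serving SVGs only through `<img>` tags, where browsers do not execute script, removes the script vectors but not the external-fetch ones, so the scan is still worth keeping for those.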

C/Side Security Analyst Himanshu Anand also noted that sites need to vet all third-party integrations more carefully.

“They should monitor client-side activity continuously to detect and alert on unusual behaviors like DOM (JavaScript) injections,” Anand said, adding: “Platforms should treat every external asset as a potential entry point for malicious code. Real protection means watching what actually runs in the browser, not just what’s served from your own systems.”

Nic Adams, CEO and cofounder at cybersecurity firm 0rcus, said eliminating all third-party JSON dependencies is another security strategy.

“Browser-in-the-browser style phishing has changed: Bad actors can embed interactive brand-perfect overlays that trick users into approving malicious transactions,” Adams said in a message.

CMC said late Friday night that it had fixed the issue, and vowed to keep its support team available to anyone with concerns.

On Monday, CMC said it will reimburse all 76 accounts that lost funds as a result of the attack, and said that $21,624.47 was lost in total.

But that’s not all — Cointelegraph also experienced a similar incident over the weekend on Saturday. Attackers used the crypto news site’s frontend to inject a malicious phishing pop-up for a fake airdrop.

Cointelegraph said early Monday morning its banner publishing system had been compromised, but it has since removed the unauthorized code. We don’t yet know how many might have been impacted by this incident. 

Binance CEO CZ warned: “Hackers are targeting information web sites now. Be careful when authorizing wallet connect.”
