Hackers took advantage of a weakness in the CoinMarketCap front-end system, using a seemingly harmless doodle image to inject a malicious code that triggered fake verification of pop-ups throughout the site.
The violation, confirmed by CoinMarketCap, used the Backend API to deliver a JSON manipulated Payload that was embedded in JavaScript on the homepage according to Blockchain Security Firm Coinspect Security.
On June 20, 2025, our security team recognized a weakness related to a doodle image shown in our homepage. This Doodle image contains a link that triggers malicious code through an API call, resulting in an unexpected pop-up for some users when visiting our homepage.
– CoinMarketCap (@coinmarketcap) June 21, 2025
The script has led to an unauthorized prompt that teaches users to “verify the purse,” a phishing tactic aimed at tricking visitors to provide access to their crypto holders.
The blockchain security firm tracked Attacking the platform’s “doodles” feature, allowing attacks to redeem the malicious code without changing the site’s basic infrastructure.
The pop-up is live for a short time before the CoinMarketCap team has removed.
“In the discovery, we immediately acted to remove the problematic content,” Coinmarketcap said in a statement posted on social media. “Comprehensive steps are implemented to exclude and reduce the issue.”
CoinMarketCap does not disclose how many users have encountered a pop-up or if any wallets are compromised.
