Hacker Attack on Cointelegraph: Fake Token Steals Wallet
Cointelegraph suffered a hacker attack that displayed a fake CTG pop-up inducing users to link wallets, causing funds to be stolen.
The well-known cryptocurrency news source Cointelegraph has confirmed a security breach of the front-end that exposed its users to a scam on 22 June that could empty their digital wallets.
Users were tricked into linking their digital wallets via an attack that consisted of a fake 'Cointelegraph Token (CTG)' pop-up promoting a counterfeit Initial Coin Offering (ICO).
The incident was first detected by the blockchain security tool Scam Sniffer, which revealed how the attackers were attempting to gain illicit access to the wallets. Once connected, the wallets could be quickly emptied of funds.
- Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) June 23, 2025
The attack was generated by a dangerous JavaScript payload delivered via the website's advertising system. The suspicious code appeared to originate from a domain similar to AdButler. However, the domain had recently been registered and was linked to a malicious script hidden within a banner ad.
Cointelegraph quickly intervened by warning users not to interact with any pop-ups advertising CTG tokens or claiming to be part of an ICO airdrop. The platform highlighted the problem in a public statement, stressing that an active investigation was underway and that steps were being taken to remove the malicious code.
Cointelegraph also advised users not to enter personal information or link wallets in response to any pop-ups or invitations that appeared on the site.
A Similar Attack Also Hits CoinMarketCap
Two days before this attack, a hack that was almost identical to CoinMarketCap. The front-end breach suffered by the crypto data aggregator on 20 June led to the appearance of a fake pop-up asking users to link their wallet on the homepage.
CoinMarketCap noted that the problem was caused by a 'doodle' image that contained illegal JavaScript code capable of temporarily altering the site's interface. Although the distribution methods were slightly different, both attacks used JavaScript-based exploits from misleading advertisements and pop-ups, suggesting a possible coordinated campaign targeting high-traffic crypto platforms.
"On 20 June 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This image contained a link that activated malicious code via an API call, generating an unexpected pop-up for some users visiting our homepage," the CoinMarketCap officials explained.
On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected pop-up for some users when they visited our homepage....
Changpeng Zhao, former CEO of Binance, commented on the attack on CoinMarketCap stating that 39 users were affected and lost a total of $18,570. Zhao warned that these incidents highlight a growing risk posed by fraudsters exploiting trusted crypto platforms.
"Avoid linking wallets to unknown dApps and check your wallet activity regularly to stay safe," Zhao advised users, urging them to remain vigilant.
2 days ago CMC, now CT. Hackers are targeting information web sites now. Be careful when authorising wallet connect.
For CMC, based on initial on-chain analysis, there are 39 victims with a combined loss of $18,570. @CoinMarketCap will cover all losses. https://t.co/egkekyjAYQ
Eleven Drainer, a new phishing-as-a-service, is expanding its business. Despite the sophistication of the attacks, human error remains the main weakness. The defence lies in user discipline.
North Korean hackers intensify crypto fraud: GhostCall and GhostHire campaigns use AI and the impersonation of Web3 executives to distribute malware, an evolution of the Lazarus Group.
According to Cisco Talos and Google, the North Korean groups Famous Chollima and UNC5342 are employing new strains of decentralised malware (such as EtherHiding and the BeaverTail/OtterCookie pair)
The DeFi Abracadabra protocol was hit by its third major exploit since the beginning of 2024, with attackers draining around $1.7 million by circumventing a smart contract credit check.
The well-known cryptocurrency news source Cointelegraph has confirmed a security breach of the front-end that exposed its users to a scam on 22 June that could empty their digital wallets.
Users were tricked into linking their digital wallets via an attack that consisted of a fake 'Cointelegraph Token (CTG)' pop-up promoting a counterfeit Initial Coin Offering (ICO).
The incident was first detected by the blockchain security tool Scam Sniffer, which revealed how the attackers were attempting to gain illicit access to the wallets. Once connected, the wallets could be quickly emptied of funds.
Scam Sniffer stated on X:
The attack was generated by a dangerous JavaScript payload delivered via the website's advertising system. The suspicious code appeared to originate from a domain similar to AdButler. However, the domain had recently been registered and was linked to a malicious script hidden within a banner ad.
Cointelegraph quickly intervened by warning users not to interact with any pop-ups advertising CTG tokens or claiming to be part of an ICO airdrop. The platform highlighted the problem in a public statement, stressing that an active investigation was underway and that steps were being taken to remove the malicious code.
Cointelegraph also advised users not to enter personal information or link wallets in response to any pop-ups or invitations that appeared on the site.
A Similar Attack Also Hits CoinMarketCap
Two days before this attack, a hack that was almost identical to CoinMarketCap. The front-end breach suffered by the crypto data aggregator on 20 June led to the appearance of a fake pop-up asking users to link their wallet on the homepage.
CoinMarketCap noted that the problem was caused by a 'doodle' image that contained illegal JavaScript code capable of temporarily altering the site's interface. Although the distribution methods were slightly different, both attacks used JavaScript-based exploits from misleading advertisements and pop-ups, suggesting a possible coordinated campaign targeting high-traffic crypto platforms.
"On 20 June 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This image contained a link that activated malicious code via an API call, generating an unexpected pop-up for some users visiting our homepage," the CoinMarketCap officials explained.
Changpeng Zhao, former CEO of Binance, commented on the attack on CoinMarketCap stating that 39 users were affected and lost a total of $18,570. Zhao warned that these incidents highlight a growing risk posed by fraudsters exploiting trusted crypto platforms.
Both platforms are working to strengthen ad-related security systems and prevent similar attacks in the future, while investigations continue.
Read Next
New Eleven Drainer attack: threat to crypto wallets
Eleven Drainer, a new phishing-as-a-service, is expanding its business. Despite the sophistication of the attacks, human error remains the main weakness. The defence lies in user discipline.
Evolved North Korean Hackers: New Danger Level for the Crypto Sector
North Korean hackers intensify crypto fraud: GhostCall and GhostHire campaigns use AI and the impersonation of Web3 executives to distribute malware, an evolution of the Lazarus Group.
North Korea: The Ultimate Cyber-Attack? Evasive Malware and Blockchain in the Crosshairs.
According to Cisco Talos and Google, the North Korean groups Famous Chollima and UNC5342 are employing new strains of decentralised malware (such as EtherHiding and the BeaverTail/OtterCookie pair)
Abracadabra Hit by Third Exploit in Two Years, Losing $1.7M
The DeFi Abracadabra protocol was hit by its third major exploit since the beginning of 2024, with attackers draining around $1.7 million by circumventing a smart contract credit check.