Crypto phishing blitz hits CoinMarketCap, Cointelegraph, and Trezor

A fresh wave of phishing attacks has engulfed the crypto community this weekend, with scammers deploying both broad-brush and precision tactics.
Popular websites CoinMarketCap and Cointelegraph were compromised to serve wallet drainers via malicious pop-ups, while Trezor’s contact form was hacked to send out spoofed emails.
Don’t check the charts
CoinMarketCap, one of the best-known sites for checking crypto prices and other token metrics, alerted users to a fake wallet verification pop-up close to midnight on Friday.
Two and a half hours later, an update informed users that it had “identified and removed the malicious code.” Security firm Coinspect identified the vulnerability as a JavaScript injection via the animation file format “Lottie.”
CoinMarketCap followed up earlier today, stating that “76 accounts were affected, with losses amounting to $21,624.47” and that all affected users will be fully reimbursed.
Making the news in more ways than one
Popular crypto news outlet Cointelegraph was also compromised, with the malicious pop-up this time promoting a fictitious airdrop as a tempting lure.
Crypto scam watchdog ScamSniffer proposed that malicious code had been injected via the site’s advertising components. A later update confirmed that the site’s “banner publishing system was briefly compromised.”
Security firm Blockaid identified an address within the drainer’s code, though the portfolio tracker Debank shows no activity.
Phishing attacks disguised as customer service
The attack on hardware wallet provider Trezor was somewhat more sophisticated, allowing the hackers to target specific email addresses with spoofed bait.
Following assumptions that Trezor’s email system had been breached, a post to X clarified that the emails came from a compromised auto-reply feature of its contact forms.
Presumably using a leaked email list, scammers used the contact forms to prompt the seemingly legitimate automated response. Trezor now reassures users that “the issue has been contained. Security is a continuous process. Stay vigilant.”
Such targeted attacks are made possible by leaked customer information, such as the large-scale data breach disclosed by Coinbase last month.
These leaks are a goldmine for crypto scammers, like the individual exposed earlier today by ZachXBT, who are able to target high-value marks more efficiently.
The wider-net approach used on CoinMarketCap and Cointelegraph shows an escalation in the scale of front-end attacks, which are not uncommon on the websites of decentralized finance (DeFi) platforms.
Scammers now appear to be targeting the generally crypto-curious, via news and market info, rather than a more specific DeFi-active crowd.
Illustrating the ease with which an unsuspecting user could fall for the trap, one developer posted a “POV: you are getting drained” video to X, showing how few steps it takes to lose it all.