Cointelegraph Hacked 50,000 CTG Tokens Stolen in Wallet-Draining Scam

On June 23, 2025, Cointelegraph, a prominent crypto publishing platform, fell victim to a significant security breach. Hackers infiltrated the site by injecting malicious JavaScript code into the front-end, redirecting users to a fake airdrop pop-up. This sophisticated attack drained the wallets of unsuspecting users, highlighting the increasing complexity of wallet-draining scams and the urgent need for enhanced security protocols in the Web3 publishing sector.

The exploit began when hackers breached Cointelegraph's advertisement system, embedding malicious code that presented users with a compelling pop-up directly on the website. Unlike traditional phishing attempts via email or social media, this attack leveraged the trust users place in a reputable news portal. The pop-up claimed that users had been randomly selected to participate in a new token giveaway, offering 50,000 "CTG" tokens worth over $5,000 as part of a "fair launch initiative." The interface mimicked genuine airdrop campaigns, featuring Cointelegraph branding, a countdown timer, and requests to connect a crypto wallet. To further deceive users, the scam included a fabricated CertiK audit and fake token price metrics.

The malicious code was delivered through Cointelegraph's ad partner, making it nearly impossible for visitors to distinguish the scam from a legitimate promotion. Once a user connected their wallet, the script automatically triggered approvals and transfers, allowing hackers to rapidly and quietly drain funds. Blockchain security firms like Scam Sniffer and SlowMist quickly identified the attack, made public announcements, and examined the injected code. While the full extent of the damages is still being assessed, on-chain inspections confirmed that several wallets were drained within minutes of the attack going live. There is no CTG token on any major blockchain or exchange, and no official Cointelegraph airdrop was announced.

This attack mirrored a similar assault on CoinMarketCap just days prior, where malicious JavaScript was injected via a front-end promotional box. In both instances, attackers targeted the ad delivery infrastructure of the platforms, bypassing critical security measures and exploiting users' trust in leading crypto news websites. This incident underscores a new generation of threats, where attackers hijack the very sources users rely on for crypto news and information. Ad-based attacks are particularly dangerous because they are seamlessly integrated into the user experience, exposing even experienced readers to risk.

Cointelegraph has since removed the malicious code, issued warnings on X, and committed to strengthening its security controls. However, this attack serves as a wake-up call for all Web3 publishers. Third-party ad systems and analytics scripts are valuable targets, and even the most trusted sites can be compromised. To prevent such attacks, crypto publishers must test all third-party ad and analytics code for vulnerabilities, impose real-time tracking and alerts on unauthorized script changes, use rigorous content security policies to block untrusted scripts, run frequent penetration tests simulating ad-based and front-end attacks, and educate users never to connect wallets or insert keys on pop-ups, regardless of the site's trustworthiness.

For users, caution is paramount. Never associate your wallet or enter seed phrases in response to pop-ups, even on trusted websites. Always verify the legitimacy of airdrops via official project sources and cross-verify token contract addresses. Use browser extensions like Scam Sniffer and MetaMask's phishing warning to flag malicious sites and scripts. The Cointelegraph hack serves as a stark reminder that even the safest crypto platforms can become attack vectors. As wallet-draining scams grow more advanced, publishers and users must implement new security habits to avoid becoming the next victim in an evolving Web3 threat landscape.