Cointelegraph Hacked: Users Lose Funds in Fake Airdrop Scam

Generated by AI Agent Coin World
Monday, Jun 23, 2025 11:04 am ET

Crypto publishing giant Cointelegraph was recently targeted in a significant security breach, where hackers infiltrated its site by embedding malicious code. This code redirected users to a fake airdrop pop-up, ultimately draining the wallets of unsuspecting users. The attack, which occurred on June 23, 2025, highlights the increasing sophistication of wallet-draining scams and the urgent need for enhanced security protocols within the Web3 publishing sector.

The exploit began when hackers breached Cointelegraph's advertisement system, injecting malicious JavaScript code into the front-end of the website. Unlike traditional phishing attempts via email or social media, this attack leveraged a trusted news portal, presenting a convincing pop-up directly on Cointelegraph.com. The pop-up informed users that they had been "randomly selected" to participate in a new token giveaway, offering 50,000 "CTG" tokens worth over $5,000 as part of a "fair launch initiative." The interface was designed to mimic real airdrop campaigns, complete with Cointelegraph branding, a countdown timer, and requests to connect a crypto wallet.

To further legitimize the scam, the attackers cited a nonexistent CertiK audit and fabricated token price metrics. The malicious code was delivered through Cointelegraph's ad partner, making it nearly impossible for visitors to distinguish the scam from a genuine promotion. Once a visitor connected their wallet, the script could automatically trigger approvals and transfers, allowing hackers to rapidly and quietly drain funds.

Blockchain security firms like Scam Sniffer and SlowMist quickly identified the attack, made public announcements, and examined the injected code. While the full extent of the damages is still being assessed, on-chain inspections confirm that several wallets were drained within minutes of the attack going live. There is no CTG token on any major blockchain or exchange, and no official Cointelegraph airdrop has been announced.

The attack mirrored a similar assault on CoinMarketCap just days prior, where malicious JavaScript was injected via a front-end promotional box. In both cases, attackers targeted the ad delivery infrastructure of the platforms, bypassing critical security measures and exploiting users' trust in leading crypto news websites.

This incident underscores a new generation of threats: attackers are now hijacking the very sources users rely on for crypto news and information. Ad-based attacks are particularly dangerous because they are seamlessly integrated into the user experience, exposing even experienced readers to risk. Cointelegraph has since removed the malicious code, issued warnings on X, and committed to strengthening its security controls. However, this attack should serve as a wake-up call to all Web3 publishers, highlighting the vulnerability of third-party ad systems and analytics scripts, even on the most trusted sites.

To prevent such attacks, crypto publishers must implement several security measures: testing all third-party ad and analytics code for vulnerabilities, monitoring scripts in real time and alerting on unauthorized changes, enforcing strict content security policies to block untrusted scripts, running frequent penetration tests that simulate ad-based and front-end attacks, and educating users never to connect wallets or enter keys in pop-ups, regardless of the site's trustworthiness.
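One way to alert on unauthorized script changes is to hash every script a page loads and compare it with a reviewed baseline. The sketch below is an added example, not code from Cointelegraph or from this article; the host `ads.example`, the script bodies and the function names are hypothetical, and the `fetched` mapping stands in for bodies a real monitor would download.

```python
import hashlib
from html.parser import HTMLParser

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start buffering an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit(html, fetched, baseline):
    """Compare a page snapshot with a reviewed baseline of script hashes.
    fetched: {src: body}; baseline: {src or "inline": {approved sha256, ...}}."""
    page = ScriptCollector()
    page.feed(html)
    alerts = []
    for src in page.external:
        if src not in baseline:
            alerts.append(("new-script", src))
        elif sha256(fetched.get(src, "")) not in baseline[src]:
            alerts.append(("changed-script", src))  # approved URL, new content
    for body in page.inline:
        if body and sha256(body) not in baseline.get("inline", set()):
            alerts.append(("unknown-inline", sha256(body)[:12]))
    return alerts

# Constructed sample data (hypothetical host and script bodies).
AD_URL = "https://ads.example/loader.js"
BASELINE = {AD_URL: {sha256("renderBanner();")}, "inline": {sha256("initSite();")}}
CLEAN = f'<script src="{AD_URL}"></script><script>initSite();</script>'
TAMPERED = CLEAN + "<script>showPopup();</script>"
```

The `changed-script` case matters most for an incident like this one: the script still comes from the approved ad partner's URL, so a host allowlist alone would not flag it.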

Users need to be cautious as well. It is crucial never to connect wallets or enter seed phrases in response to pop-ups, even on trusted websites. Always verify the legitimacy of airdrops via official project sources and cross-check token contract addresses. Browser extensions like Scam Sniffer and MetaMask's phishing warning can help flag malicious sites and scripts.

The Cointelegraph hack serves as a stark reminder that even the safest crypto platforms can become attack vectors. As wallet-draining scams become more advanced, publishers and users must adopt new security habits to avoid becoming the next victim in the evolving Web3 threat landscape.
