Visitors to Cointelegraph were caught off guard on Sunday when a slick pop-up claimed they’d won 50,000 “CTG” tokens worth over $5,000.
By the time the fake offer disappeared, unsuspecting visitors had already clicked through, risking their funds.
DO NOT: – Click on these pop-ups – Connect your wallets – Enter any personal information
We are actively working on a fix.
According to Scam Sniffer, the bogus pop-up included a countdown timer and buttons that felt just like a standard token drop. It even showed a reward worth $5,490 and labeled the process “secure,” “instant,” and “verified.”
Security experts traced the malicious JavaScript back to Cointelegraph’s ad partner rather than its core website code.
Cointelegraph later confirmed that the breach came through its advertising system and not a flaw in its main infrastructure.
Once a user clicked “connect,” the hidden code could trigger wallet approvals and transfers without clear consent.
As these ad-based attacks become increasingly prevalent, crypto platforms come under pressure to lock down all third-party integrations.
Experts recommend more rigorous audits of ad code, sandboxing of third-party scripts, and real-time monitoring of site activity. On the end-user side, installing ad blockers or script-blocking add-ons would preclude these stealth threats.
Based on what transpired this weekend, it’s apparent that attackers have changed their modus operandi from email cons to front-end hacks on prominent sites. Cointelegraph and CoinMarketCap are only the latest victims.
Featured image from Unsplash, chart from TradingView
