Users targeted by phishing attack via apparent malicious ad code on crypto data sites

UPDATE (6:15 p.m. ET): In a follow-up message, CoinGecko said that its investigation pointed to crypto ad platform Coinzilla as the source of the phishing attack code, saying:

"The situation is caused by a malicious ad script by Coinzilla, a crypto ad network - we have disabled it now but there may be some delay due to CDN caching. We are monitoring the situation further. Do stay on alert and don't connect your Metamask on CoinGecko."

The headline of this report has been updated.


Word emerged late Friday afternoon about an apparent phishing attack targeting users of popular crypto data sites like Etherscan and CoinGecko.

Affected users received prompts to connect their MetaMask wallets to a website called “nftapes.win”.

In a tweet, CoinGecko said: “If you are on the CoinGecko website and you are being prompted by your Metamask to connect to this site, this is a SCAM. Don't connect it. We are investigating the root cause of this issue.”

Etherscan said in a tweet on the matter: We’ve received reports of phishing popups via a 3rd party integration and are currently investigating. Please be careful not to confirm any transactions that pop up on the website.”

"Interim we've taken immediate action to disable the said 3rd party integration on Etherscan," the site said in a subsequent tweet. 

Though the precise cause has not been confirmed, initial indications suggest that malicious code via ads on the affected sites is the vector for the phishing attack.

DexTools, another crypto-focused app site, is also affected. In its tweet, DexTools appeared to blame a crypto ad platform known as Coinzilla. 

"We are disabling all ads until the situation is clarified by @adsbycoinzilla. Please be aware and don't sign suspicious requests at your wallet. DEXTools does not automatically request any permissions."

This is a breaking news story and will be updated as more information becomes available.