HackenProof Blog / Industry News / Web3 Projects Got Hit by CoinZilla Ads

Web3 Projects Got Hit by CoinZilla Ads


A malicious script inside CoinZilla ads triggered a phishing attack on crypto websites. CoinZilla ads were published throughout many known projects like CoinGecko & Etherscan. The websites have already disabled the ads to stop the attack.

What happened with Coinzilla Ads

The recent collapse of Terra Luna and UST has caused panic in the market. Both investors and projects have faced a high level of uncertainty. The period of turbulence is a great time for malicious actors to launch social engineering attacks.

On 13 May, a few famous DeFi protocol interfaces were attacked by a widespread phishing scam. Namely, the front-end user interfaces of Etherscan, CoinGecko, DEXTools, Spiritswap, DeFi Pulse, and some other projects prompted users to approve transactions that would enable the transfer of tokens to attackers.

The malicious ad promised users an NFT linked to the domain “nftapes.win”. The ad contained the logo of Bored Ape Yacht Club to look like a legitimate window in the eyes of users. 

Web3 Projects Were Hit by CoinZilla Ads

Coinzilla Ads Exploit Explained

The exploit took place due to the presence of a malicious script in ads by CoinZilla. The ad code was inserted from an external source via an HTML5 banner. Every site that was using this service was at risk of exposing its visitors to the hackers’ malicious attempts. This ad prompted users to make an action in Metamask.

It is important to note that it was not the first attempt to put a blame on BAYC. In April this year the company’s Instagram was hacked and malicious actors made a post about fake airdrop. BAYC immediately notified its users of this incident.

How did the companies react to Coinzilla exploit?

The CoinGecko team issued a security alert to notify its users of scams. Etherscan also commanded its users not to approve any transactions that pop uped on the website. The CoinZilla noted that the piece of malicious code passed the company’s automated security checks. The team stopped it one hour after it had become operative.