As reported by CoinDesk and The Block Crypto, sites including Etherscan, CoinGecko, and DEXTools all warned users that they were aware of suspicious popups appearing for visitors.
This one appeared to promise a link to the Bored Ape Yacht Club project. It prompted users to connect their MetaMask wallets to the site. Because it appeared on domains that many people trust and use every day, some users may have fallen for it and given it access.
The situation is caused by a malicious ad script by Coinzilla. We have disabled it now but there may be some delay due to CDN caching.
In February, a phishing attack stole $1.7 million worth of NFTs from OpenSea users. A more recent attempt via Discord only snagged $18,000 worth of tokens.
A tweet from CoinGecko identified the source of the malicious popup as Coinzilla. Coinzilla said it could deliver over 1 billion impressions per month across more than 600 sites popular with crypto enthusiasts.