Mysterious Wallet-Draining Attack Spreads Across EVM Chains

A silent and unfamiliar attack pattern is moving through Ethereum-compatible blockchains, alarming researchers who say it does not resemble standard phishing scams or smart contract exploits.

Instead of one clear breach, wallets are being drained in small amounts across multiple networks, often without victims realizing what went wrong until funds are already gone.

The activity was first highlighted by on-chain investigator ZachXBT, who identified clusters of unexplained wallet losses. While most individual cases involve relatively small sums, typically under $2,000, the combined losses have already climbed above $107,000 and may grow as more affected wallets are uncovered.

No clear exploit leaves users and analysts guessing

What makes this incident particularly troubling is the absence of a confirmed entry point. Analysts have not linked the drainings to malicious contract approvals, compromised smart contracts, or widespread phishing links. This has shifted suspicion toward deeper infrastructure issues, possibly involving wallet software or browser-based components rather than direct user mistakes.

The lack of clarity has made defensive measures harder, as users do not yet know which specific actions may expose them to risk.

Stolen funds scattered across multiple blockchains

On-chain tracking shows that the attacker is deliberately fragmenting the stolen assets. The largest share remains on Ethereum, with a significant portion bridged to BNB Chain. Smaller balances have appeared across Base, Arbitrum, Polygon, Optimism, as well as Avalanche, Linea, and Zora.

This dispersion suggests an effort to slow down forensic analysis rather than immediately cash out the funds.

Possible overlap with earlier Trust Wallet incident

Researchers have also pointed to a potential connection with a previous browser extension issue involving Trust Wallet. During the holiday period, a compromised update briefly exposed users after injected code entered a specific extension version, an incident later linked to losses estimated around $7 million.

Trust Wallet CEO Eowyn Chen confirmed that the affected extension was removed from the Chrome Web Store and replaced with a version offering improved ownership verification and refund tools. While a direct link to the current wallet drainings has not been confirmed, at least one overlapping address has raised fresh questions.

December adds to an already grim security picture

The timing of this incident adds to a bleak month for crypto security. According to PeckShield, December alone saw roughly 26 major exploits, with total losses nearing $76 million.

Beyond this latest case, address poisoning scams drained about $50 million, while a leaked private key tied to a multi-signature wallet resulted in more than $27 million disappearing almost instantly. Over the full year, crypto-related theft is estimated at around $2.7 billion, with the massive Bybit breach standing out as the single largest incident.

A significant portion of these attacks has been linked to state-backed groups, with actors connected to North Korea frequently cited as the most active and damaging.

As investigators continue to piece together the mechanics of this EVM-wide wallet draining, the lack of a confirmed exploit remains the biggest concern. Until more is known, security experts are urging heightened caution, especially around wallet extensions, transaction approvals, and cross-chain interactions.

The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.

Related stories

Next article