Monday, January 12, 2026
ZachXBT flags EVM wallet draining attack as losses top $107,000

A growing EVM wallet-draining attack is actively targeting users across multiple EVM-compatible chains, according to blockchain investigator ZachXBT. The exploit appears to leverage malicious transactions or compromised signing flows that trick users into unknowingly approving asset transfers. Although most affected wallets lose under $2,000 individually, the pattern shows consistent siphoning activity occurring in real time, indicating a coordinated campaign rather than isolated incidents. Security researchers are monitoring the exploit’s behavior to understand how attackers are identifying victims and executing approvals so efficiently.

Despite the relatively small losses per wallet, the collective impact has become significant, with total stolen funds rising to nearly $107,000 and still climbing as more cases surface. Analysts warn that the attacker may be expanding to additional chains, putting more users at risk. Ongoing investigations aim to trace the infrastructure behind the operation and determine whether compromised keys, phishing sites, or malicious signing requests are the root cause.

What we know so far

Scope
Hundreds of wallets impacted across several EVM chains (e.g., Ethereum-compatible networks)

Tactics
Many small withdrawals per wallet; cumulative impact is mounting.

Losses
~US$107,000 as of the latest updates, with the tally increasing.

Attribution/entry point
Undetermined; investigators have not confirmed the root cause.

Related security backdrop

December saw ~$76 million lost across ~26 major crypto incidents, down ~60% from November’s ~$194.27M, highlighting that, even amid fewer large hacks, opportunistic campaigns persist.

Recent Trust Wallet incident for context

Trust Wallet disclosed a separate late-December incident tied to its browser extension (~$7M; ~2,596 wallets affected) and began verifying claims and compensations. While noteworthy, this is not confirmed as the cause of today’s drains.

Indicators and addresses

ZachXBT has highlighted a suspicious address reportedly linked to ongoing drains: 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB (attribution per his channel). Independent confirmation is pending.

What victims are seeing

Small-value outflows across EVM chains

Rapid, multi-wallet sweep behavior

No clear trigger like a single dApp approval or known phishing domain yet (SignalPlus)

EVM wallet draining attack

Revoke risky approvals on all EVM chains you use. Tools such as Etherscan’s Token Approvals or similar can help.

Rotate private keys/seed phrases for exposed wallets; migrate assets to fresh addresses.

Use hardware wallets and verify addresses on-device before signing.

Update extensions and clients to the latest versions; remove unused extensions.

Monitor addresses via explorers/alerts for unauthorized activity. (General best practices; not a confirmed fix for this event.)
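To make the "revoke risky approvals" step concrete, the following added example (not from the article or from any tool it names) replays ERC-20 `Approval` event logs, in the shape returned by the `eth_getLogs` JSON-RPC call, and lists the allowances that are still open for one wallet. The function names, addresses and sample logs are constructed placeholders.

```python
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 1 << 255  # assumption: values this large are reported as "unlimited"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Return {(token, spender): value} where the owner's latest Approval is non-zero."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares this topic hash but has 4 topics (indexed tokenId): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    # Log replay is an upper bound: transferFrom can consume an allowance without
    # emitting Approval, so confirm each hit with the token's allowance() before acting.
    return {k: v for k, v in latest.items() if v > 0}

def report(logs, owner):
    """Sorted (token, spender, amount) rows; very large allowances are marked UNLIMITED."""
    return [(t, s, "UNLIMITED" if v >= UNLIMITED_FLOOR else str(v))
            for (t, s), v in sorted(open_approvals(logs, owner).items())]

# --- Constructed sample data: placeholder addresses, not real indicators ---
def _pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def _log(token, owner, spender, value, block, idx, token_id=None):
    topics = [APPROVAL_TOPIC, _pad(owner), _pad(spender)] + ([token_id] if token_id else [])
    data = "0x" if token_id else "0x" + format(value, "064x")
    return {"address": token, "topics": topics, "data": data,
            "blockNumber": hex(block), "logIndex": hex(idx)}

OWNER, OTHER, SPENDER_1, SPENDER_2 = ("0x" + b * 20 for b in ("11", "99", "22", "33"))
TOKEN_A, TOKEN_B, NFT = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, SPENDER_2, 0, 120, 0),           # revokes the 500 granted at block 110
    _log(TOKEN_A, OWNER, SPENDER_1, 2**256 - 1, 100, 3),  # unlimited, never revoked
    _log(TOKEN_A, OWNER, SPENDER_2, 500, 110, 1),
    _log(TOKEN_B, OTHER, SPENDER_1, 1000, 115, 0),        # a different owner's approval
    _log(NFT, OWNER, SPENDER_1, 0, 116, 2, "0x" + "0" * 63 + "7"),  # ERC-721 style, 4 topics
    _log(TOKEN_B, OWNER, SPENDER_2, 1000, 130, 4),
]
```

Calling `report(SAMPLE_LOGS, OWNER)` returns the unlimited allowance on the first token and the 1000-unit allowance on the second; the revoked 500-unit grant, the other owner's approval and the NFT approval are excluded.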

Ongoing investigation into the EVM wallet draining attack

Researchers have not identified a single exploit vector. Users impacted span multiple chains, complicating attribution and remediation (SignalPlus).

Community alerts on the EVM wallet draining attack

Crypto media and community channels continue to issue advisories as losses inch upward. Keep receipts, transaction hashes, and timestamps if you plan to file claims with providers.

Context & Analysis

The campaign’s “many small drains” profile suggests automated sweeps leveraging pre-existing approvals, compromised keys, or supply-chain contamination (e.g., malicious extension versions). Without a confirmed root cause, blanket guidance centers on revoking approvals, moving funds, and minimizing hot-wallet exposure. Correlation with other recent exploits (like Trust Wallet’s extension incident) remains unproven at time of writing.

Concluding Remarks

The cross-chain draining campaign is still active, steadily increasing total losses even though individual incidents remain relatively small. Investigators have yet to determine the underlying exploit method, and the pattern of activity suggests the attacker may still be refining their tactics. As more cases appear across multiple networks, security teams emphasize the importance of heightened caution for all EVM users during this period of uncertainty.

Until a confirmed root cause emerges, users are urged to apply strict operational security. This includes revoking unnecessary approvals, rotating to fresh wallets, and prioritizing hardware-based signing flows. Taking proactive steps now can significantly reduce exposure to evolving threats.

FAQs

Q1 : What is the current status of the EVM wallet draining attack?

A : It’s ongoing, with losses around $107,000 and rising.

Q2 : How are victims being targeted?

A : Small, coordinated withdrawals across many EVM wallets; the precise entry vector remains unknown.

Q3 : What immediate steps should I take?

A : Revoke approvals, migrate funds to a fresh wallet, update extensions, and use hardware wallets.

Q4 : Is this linked to the recent Trust Wallet incident?

A : No confirmed link at this time.

Q5 : Who reported the campaign?

A : On-chain investigator ZachXBT and multiple crypto outlets.

Q6 : Does the EVM wallet draining attack affect non-EVM chains?

A : Reports center on EVM-compatible networks; non-EVM impact hasn’t been established.

Q7 : What losses per victim are typical?

A : Usually under $2,000 per wallet.

Facts

  • Event
    Coordinated cross-chain draining of EVM wallets

  • Date/Time
    2026-01-02T18:30:00+05:00

  • Entities
    ZachXBT (on-chain investigator); multiple EVM chains; Trust Wallet (separate, prior incident)

  • Figures
    ~US$107,000 total losses; typical <$2,000 per victim (ongoing)

  • Quotes
    “Hundreds of wallets are currently being drained … with the total theft presently estimated at $107,000 and rising.” (Summary of alerts attributed to ZachXBT via media coverage; SignalPlus)

  • Sources
    Cryptopolitan (report), Coinpedia (report), The Hacker News (Trust Wallet), BleepingComputer (Trust Wallet)
