
Hundreds of Ethereum wallets drained after years of no activity

In this post:

  • Ethereum users noticed over 500 wallets were drained in the past 24 hours.
  • The attacker took over $800K in various assets, swapping the haul through ThorChain.
  • The exact attack vector remains unknown; hypotheses include compromised keys, trading bots, or malicious smart contracts.

On-chain investigators noted multiple Ethereum wallets drained after up to seven years of no activity. The exploit caused up to $800K in losses, with the proceeds moved and mixed through ThorChain. 

In a post on X (formerly Twitter), user @WazzCrypto disclosed that hundreds of wallets have had their funds drained. While wallet draining is not a new type of attack, what stood out this time was that the affected wallets had been dormant for up to 7 years. Aside from the on-chain record, some users on X have confirmed over the past 24 hours that their wallets had been drained.

The ongoing attack mostly affected wallets aged 4 to 8 years, according to on-chain data. The oldest wallet had not moved funds in nearly 14 years. Even advanced and experienced crypto users reported having their wallets drained after no known interactions with smart contracts or protocols. 

The most worrying part of the attack is the unknown vector for compromising the wallet’s private keys. Users may prevent losses by preemptively moving funds to new storage with a safely generated private key.


Ethereum attack sweeps hundreds of wallets

The attacker swept over 500 wallets, collecting 2 ETH to swap into XMR for privacy. The wallets contained not only ETH, but other assets as well, and some of the tasks may have been done manually, as noted by on-chain researcher @tayvano. Some of the wallets were not fully drained, and researchers are still searching for signs of wallet filtering or clustering. 

Following the initial asset sweep, the attackers moved to mixing the coins and tokens, similar to other recent DeFi hacks. The actions were similar to other attempts to disguise funds performed by DPRK hackers. 

A total of 324.741 ETH was bridged as wrapped assets on the Bitcoin network using ThorChain. Around $32,000 in ETH was stored in another wallet. Some of the funds were swapped into 9.56 BTC.

Wallets may be exposed through trading bots, contracts, or npm attacks

One possible explanation is leaked private key databases, activated after years to claim coins. Other hypotheses include flawed Electrum wallet usage, which has been linked to contaminated versions. It is possible that some of the old addresses were in a database of compromised keys.

As Cryptopolitan reported, similar attacks have happened in connection with the LastPass breach. One of the hypotheses is that another batch of wallets and passwords was exposed. 


The recent wallet-draining attacks happened just days after the Bitwarden hack, but other npm supply chain attacks have shown it is possible to steal crypto from hot wallets.

The other possible explanation is the usage of trading bots, which often require the user to input a private key. 

The recent wave of attacks has led to a decline in trust in DeFi protocols and continues to strengthen the argument against efforts to present Ethereum and other chains as suitable for large-scale financial activity.
