‘Hundreds’ of EVM wallets drained in mysterious attack: ZachXBT

A new wave of small but widespread wallet drains across Ethereum Virtual Machine (EVM) chains is making headlines in crypto news, with onchain sleuth ZachXBT reporting that “hundreds” of wallets have been hit in a still-unexplained exploit. The pattern points to a broad, automated attack targeting blockchain users across multiple networks, and may be linked to December’s high‑profile Trust Wallet hack, according to early security analysis.

Mysterious multi-chain wallet drains

Onchain investigator ZachXBT reported that an unknown attacker has siphoned funds from “hundreds” of wallets deployed on several EVM-compatible networks, rather than a single blockchain or dApp. Each affected address has reportedly lost less than about $2,000, suggesting a low-value but high-volume attack strategy aimed at flying under the radar instead of executing one large heist.

Cybersecurity researcher Vladimir S. pointed to a likely phishing component, highlighting reports of a fraudulent email masquerading as official communication from Web3 wallet provider MetaMask. This fake outreach may have tricked users into signing malicious transactions or granting overly broad approvals, which the attacker then automated across many wallets.

Security firm Hackless characterized the pattern as “automated, wide-net exploitation” and urged users to immediately revoke unnecessary smart contract approvals, review connected dApps, and closely monitor their addresses for unusual activity. For crypto pur users who interact frequently with DeFi, this incident is a reminder that even small permissions can be weaponized.

Vladimir S. and other researchers have suggested that the EVM wallet drains could be related to the Trust Wallet browser extension hack that struck on Dec. 25 and drained roughly $7 million in crypto from about 2,596 wallets. In that case, a sophisticated supply chain compromise, dubbed the “Sha1‑Hulud” attack, is believed to have tainted npm packages used by multiple crypto projects.

According to Trust Wallet’s incident report, leaked developer “secrets” from the project’s GitHub repository enabled an attacker to access the browser extension source code. The attacker then uploaded a trojanized version of the extension to the Chrome Web Store, disguised as the legitimate product. Users who installed or updated to the malicious build unknowingly exposed their wallets to compromise.

Intergovernmental blockchain adviser Anndy Lian argued that the level of access and code familiarity hinted at possible insider involvement, a view echoed by Binance co-founder Changpeng “CZ” Zhao. Since Binance owns Trust Wallet, CZ publicly agreed that the exploit was “most likely” carried out by someone with deep knowledge of the extension’s internals. Importantly, Trust Wallet’s mobile app remained unaffected, and Binance committed to fully reimbursing users hit in the Christmas exploit.

What users should do now

For everyday users active in DeFi and EVM ecosystems, these incidents underscore how critical operational security is, even when blockchain technology itself remains robust. Practical steps include:

  • Treat every email or message claiming to be from wallet providers (MetaMask, Trust Wallet, etc.) as suspicious until verified via official channels.
  • Regularly audit connected dApps and revoke stale or unnecessary approvals using trusted onchain tools.
  • Avoid installing browser extensions or updates from unofficial links; always navigate directly to verified stores or project websites.
  • Consider using hardware wallets and segregated accounts for high‑value holdings versus daily spending.
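
One way to carry out the approval audit from the list above, as an added example that is not part of the original article: it replays ERC-20 `Approval` event logs for one wallet and lists the approvals still outstanding, unlimited ones first. The function names, addresses and sample logs are constructed for illustration, and the log layout assumes the JSON shape returned by `eth_getLogs`.

```python
# Added example. All addresses and logs below are constructed, not chain data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()  # indexed address = low 20 bytes of the topic

def live_approvals(logs, owner):
    """Replay ERC-20 Approval logs in chain order; return {(token, spender): amount}."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 reuses this topic0 with an indexed tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        state.pop(key, None)          # approve(spender, 0) revokes; a new value replaces
        if amount:
            state[key] = amount
    return state

def revoke_candidates(logs, owner, expected_spenders=()):
    """Return (token, spender, reason) rows, unlimited approvals first."""
    expected = {s.lower() for s in expected_spenders}
    rows = []
    for (token, spender), amount in live_approvals(logs, owner).items():
        if amount == MAX_UINT256:
            rows.append((token, spender, "unlimited"))
        elif spender not in expected:
            rows.append((token, spender, "unrecognized spender"))
    return sorted(rows, key=lambda r: r[2] != "unlimited")

def sample_log(block, token, owner, spender, amount):  # builds one constructed log
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
DEX, UNKNOWN = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [sample_log(120, TOKEN_B, OWNER, UNKNOWN, 500),
               sample_log(100, TOKEN_A, OWNER, DEX, MAX_UINT256),
               sample_log(105, TOKEN_A, OWNER, UNKNOWN, MAX_UINT256),
               sample_log(110, TOKEN_A, OWNER, DEX, 0),
               sample_log(112, TOKEN_A, OWNER, DEX, 1000)]
if __name__ == "__main__":
    print(revoke_candidates(SAMPLE_LOGS, OWNER, expected_spenders=[DEX]))
```

Approval logs record what was granted, not what remains after a spender has used part of it, so confirm each row against the token's `allowance(owner, spender)` before and after revoking.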

While crypto news tends to focus on big dollar figures, broad, low‑value attacks like this can be just as damaging over time. For the crypto pur community, they highlight that security now depends less on smart contract bugs alone and more on defending the broader wallet, browser, and supply-chain surface where attackers increasingly operate.
