Hackers drain EVM wallets across Ethereum and BNB Chain

Ethereum Virtual Machine-compatible crypto wallets have been drained through an attack that has siphoned more than $107,000, according to blockchain investigator ZachXBT.

The crypto security investigator has traced malicious attacks that began in late December, where a hacker has made away with small thefts of under $2,000 per victim.

“It appears hundreds of wallets are currently being drained on various EVM chains for small amounts (<$2k total per victim) with a root cause not yet unidentified,” ZachXBT wrote on his Investigations Telegram channel.

Source: Investigations by ZachXBT on Telegram.

The wallets are being funneled into the address identified as 0xAc2e…ad8Bf9bFB, which on-chain data shows is holding assets from nearly 20 different blockchains.

Ethereum, BNB, Avalanche, Arbitrum among EVM chains affected

According to blockchain information from Debank, shared by the 2D investigator on Telegram, the attacker’s accumulated assets include about $54,655 worth of assets on Ethereum, accounting for 51% of its total balance. The BNB Chain follows with approximately $25,545, or 24%.

At the time of this reporting, smaller but still notable balances were also recorded from layer-2 and alternative chains like Base ($8,688), Arbitrum ($6,273), Polygon ($3,498), Optimism ($1,480), Zora ($994), Linea ($909), and Avalanche ($386).

EVM Hacker’s portfolio. Source: Debank.io

Investors on Crypto Twitter suggest that the hacker may have used fake MetaMask emails sent during the holidays to trick traders to hand them their wallet seed phrases.

However, per an analysis from Nansen, the address has been confirmed as one of the attacker wallets connected to the Trust Wallet Chrome Extension “Shai- Hulud” Supply Chain Attack, the security incident that began over the Christmas period.

As reported by Cryptopolitan on Christmas Eve, a malicious code compromised Trust Wallet’s browser extension version 2.68, resulting in an estimated $7 million in losses.

“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” Trust Wallet explained in a post-mortem published last Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.”

They used that access to register the domain “metrics-trustwallet[.]com” and distributed a trojanized version of the extension, with a backdoor that could harvest users’ wallet mnemonic phrases and transmit them to “api.metrics-trustwallet[.]com.”

Trust Wallet said about one million users of its Chrome extension were asked to update to version 2.69 after the compromised update was pushed to the browser’s extension marketplace on December 24.

“Sha1-Hulud was an industry-wide software supply chain attack that affected companies in several sectors, including but not limited to crypto,” the company said. The disclosure brought light to Shai-Hulud 3.0, a newer iteration of the malware that researchers believe is a stealth version of the original code.

“The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.

Nansen expects the stolen tokens to be routed through Tornado Cash, eXch, Railgun, THORChain, Debridge, and TRON OTC venues.

Holiday email scams takeover Christmas in record 2025

At the start of December, the FBI’s Internet Crime Complaint Center sent warnings to Americans about fraudulent and phishing emails, saying citizens had lost more than $785 million annually to non-payment and non-delivery scams during holidays, with credit card fraud adding another $199 million.

Moreover, blockchain-monitoring firms Chainalysis and TRM Labs estimate that cybercriminals stole $2.7 billion in crypto last year, the highest annual total on record. The largest by far was the breach of Dubai-based exchange Bybit, where attackers stole about $1.4 billion.

That attack surpassed previous record-setting crypto heists, including the $624 million Ronin Network breach and the $611 million Poly Network hack in 2022.

North Korean state-linked hackers were the perpetrators of most crypto theft incidents, stealing at least $2 billion during the year, according to Chainalysis and Elliptic. Since 2017, those groups are estimated to have taken around $6 billion in crypto supposedly used to fund the country’s sanctioned nuclear weapons program.