Hundreds of Wallets Drained Across EVM Chains, ZachXBT Warns

ZachXBT warns of an active multi-chain wallet draining campaign across EVM networks, with small per-wallet losses adding up to over $107K & the root cause still unknown.

Hundreds of crypto wallets across multiple EVM-compatible chains are being quietly drained in what appears to be an active, distributed theft campaign, according to on-chain investigator ZachXBT. The incident stands out less for the size of any single loss & more for the breadth of affected users: victims are reportedly losing small amounts per wallet (typically under $2,000), but cumulative losses have already reached about $107,000 & are still climbing as new cases surface.

While early community chatter has speculated about everything from malicious approvals to compromised wallet tooling, investigators have not yet confirmed a root cause. That uncertainty is precisely what makes the episode alarming: without a clear entry point, the safest assumption is that the attack vector may still be active & could expand to more wallets across chains.

What Happened

ZachXBT issued an alert warning that hundreds of wallets were being drained “on various EVM chains” for relatively small amounts per victim. The total stolen value was estimated at roughly $107K at the time of reporting, with the number expected to rise as more victims identify unauthorized outflows.

The initial warning spread quickly across crypto social channels, echoing a familiar pattern in incident response: on-chain sleuths flag anomalies, the community amplifies them, then security teams & infrastructure providers begin triangulating whether there is a shared common factor such as a malicious contract, a compromised front-end, or a phishing campaign using similar lures.

Public reporting so far converges on three core facts:

  1. The losses are distributed. Rather than one whale-sized theft, the campaign appears to be hitting many wallets with sub-$2,000 drains per victim.
  2. The theft total is already meaningful. Even with small per-wallet drains, the aggregate loss has crossed ~$107,000, which signals either strong automation, broad reach, or both.
  3. The root cause is not confirmed. Multiple outlets explicitly note that the cause remains unknown, which limits the ability of users to apply a single “one-click fix.”

The combination of these factors suggests a campaign optimized for scale: keep each theft small enough to reduce immediate panic, but wide enough to produce steady cumulative extraction.

What Remains Unclear

As of now, there is no definitive public attribution for:

  • The initial compromise point (wallet approvals vs phishing vs tooling vs infrastructure).
  • Whether one drainer cluster is responsible or multiple copycat operators are active simultaneously.
  • Whether a specific chain, dApp category, or wallet type is disproportionately affected.

Some reports also mention community discussion around potential phishing narratives (including impersonation-style messages), but these remain unverified as the singular cause behind all drains. In practical terms, “unknown root cause” means user defenses must be layered: permission hygiene, signature hygiene, device hygiene, plus basic operational caution.

Small drains are sometimes dismissed as “noise,” but they can be strategically potent:

  1. They delay detection. A $75 or $300 outflow can be missed in a busy wallet that interacts with multiple DeFi apps. For attackers, this buys time.
  2. They exploit user psychology. Victims may assume it was a minor fee or a one-off glitch, especially when transaction labeling is unclear in some wallet UIs.

This is why security responders often treat “low-value high-frequency” theft patterns as urgent: they resemble a pipeline that can be tuned to higher values once the operator is confident they won’t be immediately blocked.

Likely Attack Paths Being Considered

Until investigators confirm a root cause, several common vectors remain plausible in a cross-chain drain scenario:

  1. Approval abuse & legacy permissions: Many users carry old, unlimited token approvals granted to contracts they no longer use. If an attacker gains control of a spender contract, exploits an approval loophole, or tricks users into approving a malicious spender, tokens can be pulled without additional prompts.
  2. Signature traps (blind signing): Wallet drainers often rely on victims signing messages they do not fully understand, especially when interfaces present vague prompts. Once a malicious signature is obtained, attackers can execute transfers or approvals depending on the mechanism.
  3. Compromised front-ends or fake dApps: Even when the underlying protocol is safe, a compromised website, spoofed domain, or injected script can redirect users to sign malicious interactions that look legitimate.
  4. Ecosystem tooling or extension risk: Because the campaign spans multiple EVM chains, analysts also watch for shared tooling links such as browser extensions, injected scripts, or common SDKs that could create correlated exposure across chains.

The key point: “multi-chain” does not necessarily imply “multi-protocol exploit.” EVM compatibility means a single malicious flow can be replicated across chains with minimal changes.

What Users Should Do Right Now

With an unknown root cause, user actions should prioritize reducing attack surface rather than chasing one theory.

  1. Revoke token approvals you do not need: This is the most universally useful step because it shrinks the number of contracts that can move funds on your behalf. Focus especially on unlimited approvals issued long ago or to apps you no longer use.
  2. Avoid signing anything you did not initiate: If your wallet prompts you to sign a transaction or message you did not expect, treat it as hostile by default. Small drains often begin with one “harmless” signature.
  3. Review recent activity across chains: Check for approvals, unusual transfers, or repeated interactions with unfamiliar contracts. Even if the loss per wallet is small, the presence of a suspicious approval can be a warning that larger balances are at risk.
  4. Consider isolating funds: If you suspect exposure, move assets to a fresh wallet that has never interacted with high-risk dApps. Keep the “hot” wallet for day-to-day interactions & the “cold” wallet for storage.

ZachXBT’s alert itself emphasized practical caution: revoke permissions & avoid signing unknown transactions until more clarity emerges.
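The approval-hygiene steps above (revoking unneeded approvals, reviewing activity across chains) can be turned into a repeatable check. The script below is an added example, not code from the article or from ZachXBT; it assumes you have already fetched raw `eth_getLogs` results for the ERC-20 `Approval` topic on each chain, decodes them, keeps only the newest allowance per token/spender, flags unlimited or unrecognised spenders, and builds the `approve(spender, 0)` calldata a revocation transaction would carry. All addresses and log entries are constructed sample data.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1         # the amount most dApps request for an "unlimited" approval
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)

@dataclass
class Approval:
    chain: str
    token: str
    spender: str
    amount: int
    block: int

def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; the low 20 bytes are the address."""
    return "0x" + topic[-40:].lower()

def parse_approvals(owner: str, logs_by_chain: dict) -> list:
    """Decode raw eth_getLogs entries (JSON-RPC shape) into Approval records where `owner` holds the tokens."""
    found = []
    for chain, logs in logs_by_chain.items():
        for log in logs:
            t = log["topics"]
            if len(t) != 3 or t[0] != APPROVAL_TOPIC or topic_to_address(t[1]) != owner.lower():
                continue
            found.append(Approval(chain, log["address"].lower(), topic_to_address(t[2]),
                                  int(log["data"], 16), int(log["blockNumber"], 16)))
    return found

def live_allowances(approvals: list) -> list:
    """Newest Approval per (chain, token, spender) wins; amount 0 means already revoked.
    Caveat: many tokens emit no Approval when transferFrom lowers the allowance, so this is an
    upper bound; confirm with an allowance() call before treating a spender as harmless."""
    latest = {}
    for a in sorted(approvals, key=lambda a: a.block):
        latest[(a.chain, a.token, a.spender)] = a
    return [a for a in latest.values() if a.amount > 0]

def flag_for_revocation(approvals: list, trusted_spenders: set) -> list:
    """Unlimited allowances and allowances to spenders the user does not recognise go first."""
    return [a for a in live_allowances(approvals)
            if a.amount == UNLIMITED or a.spender not in trusted_spenders]

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): the call the owner sends to the token contract to revoke."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample (hypothetical addresses): one trusted spender whose allowance was already
# revoked on Ethereum, and one unknown spender still holding a live allowance on Polygon.
OWNER, TRUSTED, UNKNOWN, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20, "0x" + "aa" * 20
pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # left-pad an address to a 32-byte topic
SAMPLE_LOGS = {
    "ethereum": [
        {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(TRUSTED)], "data": hex(UNLIMITED), "blockNumber": "0x10"},
        {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(TRUSTED)], "data": "0x0", "blockNumber": "0x20"},
    ],
    "polygon": [
        {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(UNKNOWN)], "data": hex(5 * 10**18), "blockNumber": "0x30"},
    ],
}
```

Run `flag_for_revocation(parse_approvals(OWNER, SAMPLE_LOGS), {TRUSTED})` to list what to revoke, then send `revoke_calldata(spender)` to the token contract from the owner wallet.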

What to Watch Next

In the next 24–72 hours, the most useful updates will likely be:

  • Identification of common denominators among victims (same dApp, same approval spender, same phishing lure).
  • Clusters of attacker addresses & whether funds converge into known laundering routes.
  • Statements from wallet providers or security firms if a tooling-side issue is suspected.
  • Updated loss estimates as more victims reconcile balances across chains.

Security research over the past few years has documented how “drainers” (also called sweepers or drainware) leverage social engineering, malicious contracts, spoofed interfaces, or compromised distribution channels to harvest signatures & approvals at scale.
