Hundreds of Wallets Drained Across EVM Chains, ZachXBT Warns
ZachXBT warns of an active multi-chain wallet draining campaign across EVM networks, with small per-wallet losses adding up to over $107K & the root cause still unknown.
Hundreds of crypto wallets across multiple EVM-compatible chains are being quietly drained in what appears to be an active, distributed theft campaign, according to on-chain investigator ZachXBT. The incident stands out less for the size of any single loss & more for the breadth of affected users: victims are reportedly losing small amounts per wallet (typically under $2,000), but cumulative losses have already reached about $107,000 & are still climbing as new cases surface.
While early community chatter has speculated about everything from malicious approvals to compromised wallet tooling, investigators have not yet confirmed a root cause. That uncertainty is precisely what makes the episode alarming: without a clear entry point, the safest assumption is that the attack vector may still be active & could expand to more wallets across chains.
What Happened
ZachXBT issued an alert warning that hundreds of wallets were being drained “on various EVM chains” for relatively small amounts per victim. The total stolen value was estimated at roughly $107K at the time of reporting, with the number expected to rise as more victims identify unauthorized outflows.
The initial warning spread quickly across crypto social channels, echoing a familiar pattern in incident response: on-chain sleuths flag anomalies, the community amplifies them, then security teams & infrastructure providers begin triangulating whether there is a shared common factor such as a malicious contract, a compromised front-end, or a phishing campaign using similar lures.
Public reporting so far converges on three core facts:
- First, the losses are distributed. Rather than one whale-sized theft, the campaign appears to be hitting many wallets with sub-$2,000 drains per victim.
- Second, the theft total is already meaningful. Even with small per-wallet drains, the aggregate loss has crossed ~$107,000, which signals either strong automation, broad reach, or both.
- Third, the root cause is not confirmed. Multiple outlets explicitly note that the cause remains unknown, which limits the ability of users to apply a single “one-click fix.”
The combination of these factors suggests a campaign optimized for scale: keep each theft small enough to reduce immediate panic, but wide enough to produce steady cumulative extraction.
What Remains Unclear
As of now, there is no definitive public attribution for:
- The initial compromise point (wallet approvals vs phishing vs tooling vs infrastructure).
- Whether one drainer cluster is responsible or multiple copycat operators are active simultaneously.
- Whether a specific chain, dApp category, or wallet type is disproportionately affected.
Some reports also mention community discussion around potential phishing narratives (including impersonation-style messages), but these remain unverified as the single cause behind all drains. In practical terms, “unknown root cause” means user defenses must be layered: permission hygiene, signature hygiene, device hygiene, plus basic operational caution.
Small drains are sometimes dismissed as “noise,” but they can be strategically potent:
- They delay detection. A $75 or $300 outflow can be missed in a busy wallet that interacts with multiple DeFi apps. For attackers, this buys time.
- They exploit user psychology. Victims may assume it was a minor fee or a one-off glitch, especially when transaction labeling is unclear in some wallet UIs.
This is why security responders often treat “low-value high-frequency” theft patterns as urgent: they resemble a pipeline that can be tuned to higher values once the operator is confident they won’t be immediately blocked.
🚨 ALERT: ZachXBT reports hundreds of wallets are being drained across multiple EVM chains.
• Small amounts per victim (<$2K)
• ~$107K stolen so far, and rising
• Root cause still unknown
Stay cautious. Revoke permissions and avoid signing unknown transactions.
Crypto India (@CryptooIndia), January 2, 2026