On-chain researchers noted that multiple Ethereum wallets were emptied after up to seven years of inactivity. The exploit resulted in losses of up to $800,000, with proceeds being moved and mixed through ThorChain.
In a post on X (formerly Twitter), user @WazzCrypto revealed that funds were drained from hundreds of wallets. Wallet drains are not a new type of attack, but what stands out this time is that the affected wallets had been dormant for up to seven years. Apart from the on-chain records, over the past 24 hours some users have reported on X that their wallets have been depleted.
Hundreds of wallets, many of which have not been active for over seven years, were compromised by the same address. $ETH main net
Looks like a new live exploit. Worth reporting https://t.co/QiKU1b86Uv pic.twitter.com/o1uU85CLPT
— Wazz (@WazzCrypto) April 30, 2026
According to on-chain data, the ongoing attack primarily affected wallets that are between four and eight years old. The oldest wallets had barely moved funds in 14 years. Even an advanced and experienced cryptocurrency user reported that their wallet was emptied after no known interaction with any smart contract or protocol.
The most concerning aspect of this attack is that the vector used to compromise the wallets’ private keys is unknown. Users can prevent losses by preemptively moving funds to new storage using a securely generated private key.
Ethereum attack wipes out hundreds of wallets
The attackers wiped out 500 or more wallets, with 2 $ETH switched to XMR for privacy. The wallets held not only $ETH but also other assets. Some tasks may also have been done manually, as pointed out by on-chain researcher @tayvano. Some of the wallets have not been fully emptied, and researchers are still looking for signs of wallet filtering or clustering.
Following the initial asset sweep, the attackers moved on to mixing the coins and tokens, as in other recent DeFi hacks. The activity resembled other attempts by North Korean hackers to disguise funds.
In total, 324.741 $ETH was bridged as a wrapped asset onto the Bitcoin network using ThorChain. Approximately $32,000 in $ETH was kept in a separate wallet. Some of the funds were exchanged for 9.56 BTC.
Wallets can be exposed through trading bots, contracts, or npm attacks
One possible explanation is that a database of private keys was leaked and used years later to claim the coins. Another hypothesis points to use of the Electrum wallet, specifically a flawed or tainted version. Some of the old addresses may have been present in a database of compromised keys.
As reported by Cryptopolitan, a similar attack occurred in connection with the LastPass breach. One theory is that another batch of wallets and passwords was leaked.
The most recent wallet-draining attack occurred a few days after the Bitwarden incident. However, other npm supply chain attacks have shown that it is possible to steal cryptocurrencies from hot wallets.
Another possible explanation is the use of trading bots that require users to enter their private keys.
The recent wave of attacks has led to a decline in trust in DeFi protocols and continues to weigh against efforts to make Ethereum and other chains suitable for large-scale financial activity.

