ZachXBT Warnings Silent Wallet Drains Across EVM Chains
- ZachXBT traced wallet drains across EVM networks, with losses staying small per address.
- A single Ethereum address keeps receiving funds, which signals activity across chains.
- Analysts study approvals, signatures, and extensions, yet the exploit method is unknown.
Blockchain investigator ZachXBT has warned the crypto community about an unexplained wallet-draining activity affecting multiple EVM-compatible blockchains. The activity has already led to more than $107,000 in losses. Individual wallets typically lose less than $2,000. Still, the number of affected addresses continues to grow. The source of the drains remains unidentified.
On-chain tracking has linked the stolen funds to a single Ethereum address that repeatedly receives transfers from unrelated victims. The address, 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB, has appeared across multiple transactions tied to the activity. Funds continue to move into the address, indicating the draining has not stopped.
Rather than large, isolated thefts, the activity relies on small withdrawals spread across many wallets. This pattern appears to delay detection. As a result, losses build quietly while victims remain unaware until balances drop.
Cross-Chain Pattern Draws Attention
Reports show the activity spans several EVM-based networks. According to BitPinas, affected wallets appear on Ethereum, BNB Chain, Base, Arbitrum, Polygon, Optimism, and other EVM ecosystems. The breadth of networks involved has raised questions about a shared point of failure.
Because EVM chains rely on similar wallet standards and signing flows, investigators suspect the exploit does not target one protocol. Instead, it may involve common wallet logic or permission handling. Many wallets share similar approval processes and user prompts.
Despite growing data, no confirmed cause has emerged. Analysts continue to examine token approval abuse, deceptive signature requests, and possible supply chain issues affecting wallet software. Some research also focuses on browser extensions. None of these theories has been confirmed so far.
Related: ZachXBT Exposes Hidden BlockDAG Co-Founder and Missing Millions
December Exploits Provide Wider Context
The wallet drains follow a month marked by several major crypto security incidents. PeckShield reported 26 significant exploits in December. A small number of cases accounted for most of the losses. The largest involved a single user who lost $50 million in an address poisoning scam.
In address poisoning attacks, threat actors send small transactions from addresses that closely resemble legitimate ones. Victims later copy the wrong address from transaction history during a transfer. Funds then move irreversibly to the attacker. These scams rely on visual similarity rather than technical flaws.
PeckShield also documented another December incident involving a private key leak tied to a multi-signature wallet. That breach resulted in losses of about $27.3 million. The case showed that even wallets requiring multiple approvals remain vulnerable when key security fails.
Browser Wallets Remain Exposed
Browser-based wallets always get the most attackers, mainly because they are continuously connected to the Internet. PeckShield was named one of the Christmas Day exploits that drained approximately $7 million from the browser extension of Trust Wallet. The other incident in December targeted the Flow protocol with an approximate loss of $3.9 million.
The occurrences of these incidents are a clear indication of the risks that are still present in online wallet environments. Most security researchers mention hardware wallets, which maintain the private keys offline, as the safest option for long-term storage.
Regarding the current EVM wallet draining, the security teams have suggested that users revoke the unused approvals, check the connected applications, and reduce the signing activity. Many of them also recommend transferring assets to new wallets with new seed phrases while the monitoring is ongoing.
