An attacker has stolen funds from hundreds of cryptocurrency wallets across multiple blockchain networks in what security experts describe as a coordinated phishing campaign. The attack predominantly targeted wallets compatible with the Ethereum Virtual Machine (EVM) standard.
Blockchain investigator ZachXBT first reported the breach, noting that the attacker drained small amounts from each compromised wallet. On average, individual victims lost under $2,000, but collectively, over $107,000 has been stolen across the affected addresses.
The attack impacted wallets across several EVM-compatible blockchain networks, indicating that the attacker deliberately cast a “wide net” to extract smaller amounts from numerous victims rather than target high-value wallets.
Cybersecurity firm Hackless warned that the attack appears to be automated. They have urged users to promptly revoke smart contract approvals and monitor their wallet activity for any suspicious transactions.
Phishing Email May Have Enabled Wallet Compromise
Security researcher Vladimir S. has identified a potential attack vector involving fake emails. These phishing emails impersonated official MetaMask communications, tricking users into approving malicious transactions.
Screenshots shared on social media depict an email closely mimicking MetaMask’s official branding. Such spoofing is designed to reduce user suspicion and enhance the chances of a successful compromise.
The attackers likely utilized these fraudulent emails to convince users to grant wallet approvals. Once granted, these approvals allowed the attacker to transfer funds from victims’ wallets.
Experts recommend that crypto users regularly review and revoke unnecessary approvals for smart contracts. They also advise verifying the authenticity of any wallet-related emails before clicking links or taking any actions.
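The approval review described above, as an added example that is not part of the original article: a Python check that decodes transaction calldata and flags unlimited or collection-wide approvals, for use before signing or when auditing past transactions. It assumes the approvals are the standard ERC-20 approve and ERC-721/ERC-1155 setApprovalForAll calls, which the article does not specify; the function names, the threshold and the sample calldata are constructed for illustration.

```python
# Added example: classify token-approval calldata (not code from the article).
# Assumption: approvals use the standard ERC-20 / ERC-721 / ERC-1155 selectors.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED_THRESHOLD = 2**255       # heuristic: allowances this large are "unlimited"


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * index: 4 + 32 * (index + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def classify_approval(calldata_hex: str, trusted_spenders=frozenset()):
    """Return a dict describing the approval, or None if it is not one."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    addr_word = _word(data, 0)
    if any(addr_word[:12]):
        raise ValueError("address argument is not zero-padded")
    spender = "0x" + addr_word[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    if value == 0:
        kind = "revoke"            # approve(spender, 0) or setApprovalForAll(op, false)
    elif selector == SET_APPROVAL_FOR_ALL:
        kind = "operator-all"      # operator may move every token in the collection
    elif value >= UNLIMITED_THRESHOLD:
        kind = "unlimited"
    else:
        kind = "limited"
    risky = kind in ("unlimited", "operator-all") and spender not in trusted_spenders
    return {"kind": kind, "spender": spender, "value": value, "risky": risky}


# Constructed sample calldata (the spender address is a placeholder).
SPENDER = "0x" + "11" * 20
ARG0 = "00" * 12 + "11" * 20
SAMPLES = {
    "unlimited": "0x" + APPROVE + ARG0 + "ff" * 32,
    "limited": "0x" + APPROVE + ARG0 + "00" * 30 + "03e8",
    "revoke": "0x" + APPROVE + ARG0 + "00" * 32,
    "nft_all": "0x" + SET_APPROVAL_FOR_ALL + ARG0 + "00" * 31 + "01",
    "transfer": "0xa9059cbb" + ARG0 + "00" * 30 + "03e8",  # not an approval
}

if __name__ == "__main__":
    for name, calldata in SAMPLES.items():
        print(name, classify_approval(calldata))
```

A result with risky set to True means the spender would gain open-ended control over that token or collection, which is the kind of approval worth rejecting or revoking unless the spender is a contract the user deliberately chose.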
Possible Connection to Trust Wallet Breach
The wallet drains may be linked to a separate incident involving Trust Wallet. On Christmas Day, Trust Wallet reported a hefty $7 million hack affecting approximately 2,596 wallets.
This breach was attributed to a supply-chain attack, known as “Sha1-Hulud,” that exploited npm packages widely used by cryptocurrency developers. Trust Wallet’s incident report revealed that leaked developer credentials from GitHub enabled the attacker to alter the wallet’s browser extension—this malicious version eventually made its way onto the Chrome Web Store.
Changpeng Zhao, co-founder of Binance, suggested that the Trust Wallet attack likely required insider knowledge of the wallet’s source code, while blockchain adviser Anndy Lian described the circumstances as “not natural.” Binance later confirmed that the mobile app was not compromised in the breach and pledged to reimburse all affected users.
While security experts have yet to confirm a direct connection between the two incidents, they share common tactics, including browser extension exploitation, phishing techniques, and the manipulation of wallet approvals.
