EVM Cross-Chain Wallet-Drain Campaign (June 2026)
Summary
Beginning approximately January 2, 2026, blockchain investigator ZachXBT flagged an active, automated campaign draining hundreds of wallets across at least a dozen EVM-compatible chains, with over $107,000 stolen in mostly sub-$2,000 increments consolidated into a single aggregation address (0xAc2e5153170278e24667a580baEa056ad8Bf9bFB). The root cause was not confirmed at the time of ZachXBT's initial disclosure; suspected vectors included token-approval abuse, malicious signature exploits, a fake-MetaMask phishing email campaign, and possible spillover from the Trust Wallet browser-extension supply-chain compromise of December 2025. This entry serves as a consumer-protection warning and on-chain address flag.
Connected Entities
1 entity · 10 linked investigations
Timeline (7 events)
2025-11-01
Industry-wide 'Shai-Hulud' supply-chain attack exposed Trust Wallet developer GitHub secrets, including the Chrome Web Store API key, enabling a subsequent malicious extension upload.
Trust Wallet official blog
2025-12-24
Malicious Trust Wallet browser extension version 2.68 published to Chrome Web Store using stolen credentials; active exfiltration of seed phrases and private keys began for users who opened the extension.
Trust Wallet official blog / The Hacker News
2025-12-25
Security researchers flagged wallet draining from Trust Wallet v2.68 users; white-hat researchers reportedly disrupted attacker infrastructure. Approximately 2,520 addresses were affected, with losses of $7–8.5 million.
The Hacker News
2025-12-26
Trust Wallet pulled v2.68 from the Chrome Web Store, released v2.69 as a rollback, and announced a voluntary reimbursement program for affected users.
Trust Wallet official blog
2026-01-02
ZachXBT publicly disclosed an active, automated cross-chain wallet-drain campaign affecting hundreds of wallets across at least 12 EVM chains, with over $107,000 consolidated into aggregation address 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB. Root cause listed as unidentified.
The Block / CCN / CryptoPotato
2026-01-02
Multiple crypto news outlets reported on the campaign based on ZachXBT's findings, identifying Ethereum ($54,655), BNB Chain ($25,545), Base ($8,688), Arbitrum ($6,273), and Polygon ($3,498) as the most heavily affected chains.
The Crypto Basic
2026-05-28
ZachXBT flagged a separate but related fake-MetaMask phishing campaign — distinct from the January 2026 drains — alleging over $9 million stolen from 400+ addresses via malicious 'mandatory upgrade' emails tricking users into signing setApprovalForAll transactions.
Phemex blog
Decision Log
- hash: 8Jk9vSJt7CYbA6DjNo24k7j7ky4hZvut3GWWHXAR44as
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/9/2026, 7:55:56 PM
last updated: 6/9/2026, 7:56:08 PM
avoid.net — verified advice for a post-truth world