Verify a decision

{"actor":"system:backfill","investigation_id":"be71032d-f1c5-4c90-b3b8-dbe91cc05339","kind":"publish","page_slug":"evm-cross-chain-wallet-drain-campaign-june-2026","published_at":"2026-06-09T19:56:08.878Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"EVM Cross-Chain Wallet-Drain Campaign (June 2026)","sections":[{"content":"On January 2, 2026, blockchain investigator ZachXBT publicly warned via his Telegram investigation channel that 'hundreds of wallets are currently being drained on various EVM chains for small amounts (<$2k total per victim).' The campaign was automated and cross-chain in character, with funds from multiple EVM networks being consolidated into a single aggregation address. Total confirmed losses stood at approximately $107,000 at the time of ZachXBT's initial disclosure, with the figure expected to climb as the attack was still active. The pattern — many victims, small per-wallet amounts, rapid multi-chain aggregation — is consistent with a broad-sweep automated drainer rather than a targeted exploit of a single protocol or high-value wallet.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"Hundreds of crypto wallets drained across EVM chains, root cause still unidentified: ZachXBT | The Block","type":"news_article","url":"https://www.theblock.co/post/384118/crypto-wallets-drained-zachxbt"},{"credibility":2,"name":"Hundreds of Wallets Drained on EVM Chains With No Root Cause, ZachXBT Warns — $107K Lost So Far and Counting | CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/hundreds-of-wallets-drained-on-evm-chains-with-no-root-cause-zachxbt-warns-107k-lost-so-far-and-counting/"},{"credibility":2,"name":"$107K Lost in Low-Value Wallet Drains Spanning EVM Chains, ZachXBT Reports | The Crypto Basic","type":"news_article","url":"https://thecryptobasic.com/2026/01/02/107k-lost-in-low-value-wallet-drains-spanning-evm-chains-zachxbt-reports/"}]},{"content":"The wallet address 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB was publicly flagged by ZachXBT as the central aggregation point for stolen funds in this campaign. Multiple independent reporting outlets corroborated that funds drained from victim wallets on approximately 20 EVM-compatible blockchains were consolidated into this address in small increments consistent with the sub-$2,000 per-victim theft pattern. Users who have interacted with or sent funds to this address should treat their wallets as potentially compromised and review transaction history on Etherscan or the relevant block explorer for each affected chain. The address was active and receiving funds at the time of ZachXBT's disclosure. No further on-chain forensic update has been publicly confirmed as of the publication of this entry.","heading":"Flagged Aggregation Address","severity":"critical","sources":[{"credibility":2,"name":"Wallets across EVM chains being drained for under $2K each, $107K stolen so far | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/wallets-across-evm-chains-eth-bnb-drained/"},{"credibility":2,"name":"ZachXBT Reports Hundreds Of Wallets Drained For Under $2000 Each Across Multiple Chains | Yellow","type":"news_article","url":"https://yellow.com/news/zachxbt-reports-hundreds-of-wallets-drained-for-under-dollar2000-each-across-multiple-chains"},{"credibility":2,"name":"EVM Users Hit by Coordinated Wallet Drains - $107K Stolen So Far | BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/01/02/evm-users-hit-by-coordinated-wallet-drains-107k-stolen-so-far/"}]},{"content":"Reported chain-level data attributed the largest share of losses to Ethereum ($54,655, approximately 51% of the total), followed by BNB Chain ($25,545, approximately 24%), Base ($8,688), Arbitrum ($6,273), Polygon ($3,498), Optimism ($1,480), Zora ($994), Linea ($909), and Avalanche ($386). Smaller but nonzero losses were also reported on Manta Pacific ($784), zkSync Era ($691), Ink ($565), Blast, Gnosis Chain, and Ronin. The multi-chain distribution, with funds arriving from approximately 20 networks into a single address, strongly suggests an automated, script-driven drainer rather than a manual attacker or a protocol-specific vulnerability. These figures represent a snapshot at the time of ZachXBT's initial disclosure; the actual total is likely higher.","heading":"Chains Affected and Loss Distribution","severity":"high","sources":[{"credibility":2,"name":"$107K Lost in Low-Value Wallet Drains Spanning EVM Chains, ZachXBT Reports | The Crypto Basic","type":"news_article","url":"https://thecryptobasic.com/2026/01/02/107k-lost-in-low-value-wallet-drains-spanning-evm-chains-zachxbt-reports/"},{"credibility":2,"name":"Wallets across EVM chains being drained for under $2K each, $107K stolen so far | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/wallets-across-evm-chains-eth-bnb-drained/"},{"credibility":2,"name":"Security Alert: Mystery Exploit Hits EVM Chains | CoinGape","type":"news_article","url":"https://coingape.com/security-alert-mystery-exploit-hits-evm-chains-with-hundreds-of-wallets-drained-in-massive-attack/"}]},{"content":"As of ZachXBT's initial public disclosure on January 2, 2026, the root cause of the wallet drains had not been identified. Multiple hypotheses were circulating in the security research community, none confirmed at that time. The four primary theories are: (1) Token-approval abuse — victims may have previously granted broad ERC-20 approval or setApprovalForAll permissions to a malicious contract, enabling the drainer to sweep balances without further user interaction; (2) Malicious signature exploits — victims may have unknowingly signed permit or off-chain authorization messages that delegated token movement to the attacker; (3) Supply-chain compromise of wallet software — the December 24–26, 2025 Trust Wallet browser-extension incident (version 2.68) exposed seed phrases and private key material for approximately 2,520 wallets, and some reporting noted that the timing and victim profile overlapped with the ZachXBT-flagged campaign, though no direct technical link was publicly confirmed; (4) Fake-MetaMask phishing emails — reports described fraudulent emails impersonating MetaMask and claiming a mandatory security upgrade was required, which when followed led victims to sign malicious approval transactions. None of these vectors had been conclusively ruled in or out as the single cause of the January 2026 campaign at the time sources were published.","heading":"Suspected Attack Vectors (Root Cause Unconfirmed)","severity":"high","sources":[{"credibility":2,"name":"Hundreds of Wallets Drained on EVM Chains With No Root Cause, ZachXBT Warns | Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/trending/hackers-drain-hundreds-of-crypto-wallets-targeting-accounts-under-2000-report/"},{"credibility":2,"name":"ZachXBT Warns of Active Exploit Draining Crypto Wallets | BeInCrypto","type":"news_article","url":"https://beincrypto.com/multi-chain-crypto-wallet-drain-phishing-exploit/"},{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community | Trust Wallet (Official)","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":1,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack | The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"}]},{"content":"A separate but potentially related incident provides important context. On December 24, 2025, a malicious version of the Trust Wallet browser extension (v2.68) was published to the Chrome Web Store. The compromise traced to the industry-wide 'Shai-Hulud' supply-chain attack of November 2025, in which Trust Wallet's developer GitHub secrets — including the Chrome Web Store API key — were exposed. The attacker used these credentials to upload a tampered build that exfiltrated seed phrases and private keys from all wallets opened in the extension during December 24–26, 2025. Trust Wallet confirmed approximately 2,520 wallet addresses were drained, with total impact estimated between $7 million and $8.5 million. Trust Wallet issued version 2.69 as a rollback, initiated a voluntary reimbursement program, and disabled compromised API credentials. Some reporters and analysts noted temporal and victim-profile overlap between this incident and the broader ZachXBT-flagged EVM drain campaign, but Trust Wallet's own post-incident disclosure did not establish a direct technical link to the wider $107,000 campaign flagged on January 2, 2026. Users of Trust Wallet browser extension v2.68 who logged in during the December 24–26 window should treat all wallets accessible from that extension as compromised regardless of whether individual losses have been confirmed.","heading":"Connection to Trust Wallet v2.68 Supply-Chain Incident","severity":"critical","sources":[{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community | Trust Wallet (Official)","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":1,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack | The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":1,"name":"Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code | The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"}]},{"content":"ZachXBT's initial data indicated that most individual victims lost less than $2,000 each. This low-per-victim, high-breadth pattern is a deliberate tactical choice: small individual losses reduce the likelihood of any single victim immediately noticing and filing a report, allowing the campaign to persist longer and accumulate a larger aggregate total before detection. The automated nature of the draining — evidenced by the simultaneous activity across approximately 20 chains funneling into one address — suggests the attacker held private keys or broad token approvals for many wallets before triggering a coordinated sweep. Chainalysis data cited in contemporaneous reporting noted that 2025 saw approximately 158,000 wallet breaches affecting more than 80,000 unique victims, with victim counts roughly doubling over three years, providing broader context for the frequency of such campaigns.","heading":"Victim Profile and Attack Methodology","severity":"high","sources":[{"credibility":2,"name":"ZachXBT Reports Hundreds Of Wallets Drained For Under $2000 Each Across Multiple Chains | Yellow","type":"news_article","url":"https://yellow.com/news/zachxbt-reports-hundreds-of-wallets-drained-for-under-dollar2000-each-across-multiple-chains"},{"credibility":2,"name":"Hundreds of EVM Wallets Quietly Drained as Unknown Exploit Steals Over $107K | CryptoPotato","type":"news_article","url":"https://cryptopotato.com/hundreds-of-evm-wallets-quietly-drained-as-unknown-exploit-steals-over-107k/"}]},{"content":"Given the unconfirmed root cause and the multiple suspected vectors, users holding assets on any EVM-compatible chain are advised to take the following precautionary steps. First, revoke outstanding token approvals: use Revoke.cash (https://revoke.cash) or Etherscan's Token Approval Checker (https://etherscan.io/tokenapprovalchecker) to review and revoke any ERC-20 or NFT approvals granted to unfamiliar or untrusted contracts. Revoke.cash supports over 100 networks. Each revocation requires a small on-chain gas fee. Second, verify wallet software integrity: download wallet software exclusively from official sources (e.g., metamask.io, the official MetaMask GitHub, or the publisher-verified Chrome Web Store listing). If running Trust Wallet browser extension, confirm the installed version is 2.69 or later; if version 2.68 was used during December 24–26, 2025, treat all associated wallets as compromised. Third, treat unsolicited 'upgrade' notifications as phishing by default: MetaMask and other wallet providers do not send mandatory upgrade emails requiring on-chain 'validation.' Any email or push notification claiming a wallet will stop working unless a link is clicked and a signature is provided should be disregarded and reported. Fourth, inspect signature requests before signing: before approving any transaction, review the full data being signed, particularly for permit, setApprovalForAll, or delegate calls that grant third-party control over token balances. Fifth, monitor transaction history: check wallet activity on Etherscan, BscScan, or the relevant block explorer for each chain where assets are held. Any interaction with or funds transferred to 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB should be treated as a confirmed-compromise indicator. Sixth, consider migrating to a hardware wallet for holdings above trivial amounts.","heading":"Consumer-Protection Recommendations","severity":"medium","sources":[{"credibility":2,"name":"Revoke Your Token Approvals on Over 100 Networks | Revoke.cash","type":"other","url":"https://revoke.cash/"},{"credibility":2,"name":"Token Approvals Checker | Etherscan","type":"other","url":"https://etherscan.io/tokenapprovalchecker"},{"credibility":1,"name":"How to Revoke Smart Contract Allowances / Token Approvals | MetaMask Help Center","type":"official","url":"https://support.metamask.io/more-web3/learn/how-to-revoke-smart-contract-allowances-token-approvals/"},{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets | Phishing Campaign 2026 | Phemex","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"}]},{"content":"The January 2026 campaign documented by ZachXBT is one of several overlapping EVM wallet-drain incidents in the late 2025 to mid-2026 period. The Trust Wallet v2.68 supply-chain compromise (December 2025, $7–8.5 million lost) and a separate fake-MetaMask phishing campaign documented in May 2026 (alleged losses exceeding $9 million across 400+ addresses) indicate that automated, multi-chain wallet drainers targeting retail users with small balances have become a sustained threat category rather than isolated events. The common thread across these incidents is the abuse of EVM's permission model: once an attacker obtains a seed phrase, private key, or sufficiently broad token approval, they can drain all reachable assets across every EVM-compatible chain from a single set of credentials. The January 2026 ZachXBT-flagged campaign had not, as of the latest available reporting, been attributed to a single confirmed root cause.","heading":"Broader Context: Rising EVM Wallet-Drain Threat","severity":"medium","sources":[{"credibility":2,"name":"Ongoing Crypto Wallet Drains Reportedly Hit EVM Chains As Major Security Concerns Persist | Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/01/257032-ongoing-crypto-wallet-drains-reportedly-hit-evm-chains-as-major-security-concerns-persist/"},{"credibility":2,"name":"Hundreds of crypto wallets drained across EVM chains, root cause still unidentified: ZachXBT | The Block","type":"news_article","url":"https://www.theblock.co/post/384118/crypto-wallets-drained-zachxbt"},{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets | Phishing Campaign 2026 | Phemex","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"}]}],"sources_used":[{"credibility":2,"name":"Hundreds of crypto wallets drained across EVM chains, root cause still unidentified: ZachXBT | The Block","type":"news_article","url":"https://www.theblock.co/post/384118/crypto-wallets-drained-zachxbt"},{"credibility":2,"name":"Hundreds of Wallets Drained on EVM Chains With No Root Cause, ZachXBT Warns — $107K Lost So Far | CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/hundreds-of-wallets-drained-on-evm-chains-with-no-root-cause-zachxbt-warns-107k-lost-so-far-and-counting/"},{"credibility":2,"name":"Hundreds of EVM Wallets Quietly Drained as Unknown Exploit Steals Over $107K | CryptoPotato","type":"news_article","url":"https://cryptopotato.com/hundreds-of-evm-wallets-quietly-drained-as-unknown-exploit-steals-over-107k/"},{"credibility":2,"name":"Security Alert: Mystery Exploit Hits EVM Chains | CoinGape","type":"news_article","url":"https://coingape.com/security-alert-mystery-exploit-hits-evm-chains-with-hundreds-of-wallets-drained-in-massive-attack/"},{"credibility":2,"name":"$107K Lost in Low-Value Wallet Drains Spanning EVM Chains, ZachXBT Reports | The Crypto Basic","type":"news_article","url":"https://thecryptobasic.com/2026/01/02/107k-lost-in-low-value-wallet-drains-spanning-evm-chains-zachxbt-reports/"},{"credibility":2,"name":"Wallets across EVM chains being drained for under $2K each, $107K stolen so far | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/wallets-across-evm-chains-eth-bnb-drained/"},{"credibility":2,"name":"ZachXBT Reports Hundreds Of Wallets Drained For Under $2000 Each Across Multiple Chains | Yellow","type":"news_article","url":"https://yellow.com/news/zachxbt-reports-hundreds-of-wallets-drained-for-under-dollar2000-each-across-multiple-chains"},{"credibility":2,"name":"EVM Users Hit by Coordinated Wallet Drains - $107K Stolen So Far | BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/01/02/evm-users-hit-by-coordinated-wallet-drains-107k-stolen-so-far/"},{"credibility":2,"name":"Hundreds of Wallets Drained on EVM Chains With No Root Cause, ZachXBT Warns | Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/trending/hackers-drain-hundreds-of-crypto-wallets-targeting-accounts-under-2000-report/"},{"credibility":2,"name":"Ongoing Crypto Wallet Drains Reportedly Hit EVM Chains As Major Security Concerns Persist | Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/01/257032-ongoing-crypto-wallet-drains-reportedly-hit-evm-chains-as-major-security-concerns-persist/"},{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community | Trust Wallet (Official)","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":1,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack | The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":1,"name":"Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code | The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"},{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets | Phishing Campaign 2026 | Phemex","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"Hundreds of MetaMask wallets drained: What to check before you update | CryptoSlate","type":"news_article","url":"https://cryptoslate.com/hundreds-of-evm-wallets-drained-what-to-check-before-you-update/"},{"credibility":2,"name":"Revoke Your Token Approvals on Over 100 Networks | Revoke.cash","type":"other","url":"https://revoke.cash/"},{"credibility":2,"name":"Token Approvals Checker | Etherscan","type":"other","url":"https://etherscan.io/tokenapprovalchecker"},{"credibility":1,"name":"How to Revoke Smart Contract Allowances / Token Approvals | MetaMask Help Center","type":"official","url":"https://support.metamask.io/more-web3/learn/how-to-revoke-smart-contract-allowances-token-approvals/"}],"summary":"Beginning approximately January 2, 2026, blockchain investigator ZachXBT flagged an active, automated campaign draining hundreds of wallets across at least a dozen EVM-compatible chains, with over $107,000 stolen in mostly sub-$2,000 increments consolidated into a single aggregation address (0xAc2e5153170278e24667a580baEa056ad8Bf9bFB). The root cause was not confirmed at the time of ZachXBT's initial disclosure; suspected vectors included token-approval abuse, malicious signature exploits, a fake-MetaMask phishing email campaign, and possible spillover from the Trust Wallet browser-extension supply-chain compromise of December 2025. This entry serves as a consumer-protection warning and on-chain address flag.","timeline":[{"date":"2025-11-01","event":"Industry-wide 'Shai-Hulud' supply-chain attack exposed Trust Wallet developer GitHub secrets, including the Chrome Web Store API key, enabling a subsequent malicious extension upload.","source":"Trust Wallet official blog","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-24","event":"Malicious Trust Wallet browser extension version 2.68 published to Chrome Web Store using stolen credentials; active exfiltration of seed phrases and private keys began for users who opened the extension.","source":"Trust Wallet official blog / The Hacker News","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-25","event":"Security researchers flagged wallet draining from Trust Wallet v2.68 users; white-hat researchers reportedly disrupted attacker infrastructure. Approximately 2,520 addresses were affected, with losses of $7–8.5 million.","source":"The Hacker News","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"date":"2025-12-26","event":"Trust Wallet pulled v2.68 from the Chrome Web Store, released v2.69 as a rollback, and announced a voluntary reimbursement program for affected users.","source":"Trust Wallet official blog","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2026-01-02","event":"ZachXBT publicly disclosed an active, automated cross-chain wallet-drain campaign affecting hundreds of wallets across at least 12 EVM chains, with over $107,000 consolidated into aggregation address 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB. Root cause listed as unidentified.","source":"The Block / CCN / CryptoPotato","source_url":"https://www.theblock.co/post/384118/crypto-wallets-drained-zachxbt"},{"date":"2026-01-02","event":"Multiple crypto news outlets reported on the campaign based on ZachXBT's findings, identifying Ethereum ($54,655), BNB Chain ($25,545), Base ($8,688), Arbitrum ($6,273), and Polygon ($3,498) as the most heavily affected chains.","source":"The Crypto Basic","source_url":"https://thecryptobasic.com/2026/01/02/107k-lost-in-low-value-wallet-drains-spanning-evm-chains-zachxbt-reports/"},{"date":"2026-05-28","event":"ZachXBT flagged a separate but related fake-MetaMask phishing campaign — distinct from the January 2026 drains — alleging over $9 million stolen from 400+ addresses via malicious 'mandatory upgrade' emails tricking users into signing setApprovalForAll transactions.","source":"Phemex blog","source_url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"}]},"v":1}