2nd January 2026 – (New York) Hundreds of cryptocurrency wallets on EVM‑compatible blockchains are being emptied in an ongoing cross‑chain attack, with losses already surpassing US$107,000 and continuing to mount as investigators race to determine how the exploit is being carried out.
Prominent blockchain investigator ZachXBT drew attention to the incident in the early hours of Friday, warning that the campaign is targeting a large number of wallets for comparatively modest sums, typically below US$2,000 per address. While the pattern of thefts is becoming clearer, the underlying vulnerability or compromise that is enabling the attacker to drain funds remains unknown.
The latest operation comes on the heels of a particularly damaging December for crypto security, during which around US$76 million was stolen in 26 major exploits. That tally included a US$50 million address‑poisoning scam and the Christmas Day Trust Wallet incident, which saw about US$7 million drained from users’ accounts, underscoring the persistent fragility of user security across the sector.
ZachXBT has highlighted a suspicious address, beginning 0xAc2 and ending 9bFB, which appears to be associated with the ongoing thefts across multiple EVM chains. He is compiling a growing list of confirmed victim addresses as more users report losses, and has urged affected individuals to contact him directly via X (formerly Twitter) to assist in mapping the full scope of the operation.
The pattern of activity points to a distributed, coordinated strategy. Rather than focusing on a single high‑value wallet, the attacker or attackers appear to be siphoning smaller sums from a wide array of compromised accounts. This approach can delay detection and response, while still generating substantial aggregate proceeds once hundreds of wallets have been affected.
Security analysts note that the cross‑chain dimension of the attack suggests the use of relatively sophisticated infrastructure, enabling threat actors to operate concurrently across several blockchain networks. By moving quickly and in parallel, they can extract funds before victims or service providers have time to react, freeze assets or revoke compromised credentials.
Although the exact mechanism in this campaign has not been confirmed, the tactics resemble those seen in recent address‑poisoning operations and cases involving private key or seed phrase compromises. In such incidents, attackers typically exploit subtle user‑interface tricks, phishing pages or malicious software to obtain recovery phrases or keys, then quietly drain funds at moments when users are unlikely to notice immediately. Experts point out that the timing, scale and multi‑chain execution of the current wave of thefts indicate a well‑resourced group capable of maintaining persistent infrastructure across different blockchain environments.
The fresh alert also comes as the community continues to grapple with the fallout from the Trust Wallet breach over Christmas. Following that incident, Trust Wallet’s Chrome browser extension was briefly removed from the Chrome Web Store, temporarily delaying access to a key claims verification tool for affected users. Chief executive Eowyn Chen said Google had acknowledged a technical issue encountered during the release of a new version, and stressed that the team was actively working to resolve it.
Trust Wallet later disclosed that 2,520 wallets had been identified as drained in the December attack, with approximately US$8.5 million in assets stolen and moved into 17 attacker‑controlled wallets. Investigators traced the breach to a malicious version 2.68 of the company’s browser extension, which appeared legitimate and passed Chrome’s review process, but contained hidden code designed to exfiltrate users’ recovery phrases.
Those who installed the compromised extension and logged in between 24 and 26 December saw funds rapidly removed from their accounts across several major blockchains, including Ethereum, Bitcoin and Solana. The incident highlighted how a single malicious software update can have multi‑chain consequences, particularly for users who rely on browser‑based wallets.
