TLDR
- An attacker drained hundreds of EVM wallets across multiple blockchain networks, taking typically under $2,000 per wallet in what appears to be an automated attack
- Security firms believe the exploit involved phishing emails that spoofed MetaMask branding to trick users into granting malicious approvals
- The attack may be linked to a separate $7 million Trust Wallet hack on Christmas Day that compromised 2,596 wallets through a supply-chain attack
- Crypto exploit losses dropped 60% in December to $76 million, down from $194.2 million in November
- ZachXBT reports the total stolen in this specific EVM wallet attack exceeded $107,000
An attacker has stolen funds from hundreds of cryptocurrency wallets across multiple blockchain networks in what security experts describe as a coordinated phishing campaign. The attack targeted wallets compatible with the Ethereum Virtual Machine (EVM) standard.
SECURITY ALERT (EVM): ZachXBT reports a coordinated wallet-draining event across multiple EVM chains.
Hundreds of Wallets hit
<$2K per Victim (low-noise strategy)
~$107K Stolen so far, Still Rising
Root Cause UnknownSuspicious Address:… pic.twitter.com/gY7ZmetY6N
— Crypto Patel (@CryptoPatel) January 2, 2026
Blockchain investigator ZachXBT first reported the breach, noting that the attacker drained small amounts from each compromised wallet. Most individual victims lost under $2,000, but the total amount stolen exceeded $107,000 across all affected addresses.
The attack affected wallets across multiple EVM-compatible blockchain networks. Security experts say this suggests the attacker deliberately cast a “wide net” to capture smaller amounts from many victims rather than targeting high-value wallets.
Cybersecurity firm Hackless warned that the attack appears to be automated. The firm urged users to immediately revoke smart contract approvals and monitor their wallet activity for suspicious transactions.
Phishing Email May Have Enabled Wallet Compromise
Security researcher Vladimir S. identified a potential attack vector involving fake emails. The phishing emails reportedly impersonated official MetaMask communications to trick users into approving malicious transactions.
Screenshots shared on social media showed an email that closely mimicked MetaMask’s official branding. This type of spoofing is designed to reduce user suspicion and increase the likelihood of successful compromise.
The attackers likely used these fake emails to convince users to grant wallet approvals. Once granted, these approvals gave the attacker permission to transfer funds from the victim’s wallet.
Security experts recommend that crypto users regularly review and revoke unnecessary smart contract approvals. They also advise verifying the authenticity of any wallet-related emails before clicking links or taking action.
Possible Connection to Trust Wallet Breach
The wallet drains may be linked to a separate security incident involving Trust Wallet. On Christmas Day, Trust Wallet reported a $7 million hack that affected approximately 2,596 wallets.
That breach was later attributed to a supply-chain attack called “Sha1-Hulud.” The attack targeted npm packages commonly used by cryptocurrency developers.
Trust Wallet’s incident report explained that leaked developer credentials from GitHub allowed the attacker to modify the wallet’s browser extension. The malicious version was then uploaded to the Chrome Web Store.
Binance co-founder Changpeng Zhao suggested the Trust Wallet attack required insider knowledge of the wallet’s source code. Blockchain adviser Anndy Lian described the circumstances as “not natural.”
Binance, which owns Trust Wallet, confirmed that the mobile app was not affected by the breach. The company also committed to reimbursing all impacted users.
Security experts have not confirmed whether the two incidents are directly connected. However, both attacks share common tactics including browser extension exploitation, phishing techniques, and abuse of wallet approvals.
