Key Insights
- A cross-chain exploit empties funds from numerous wallets across EVM networks.
- ZachXBT connects thefts with a suspicious address and gathers reports from victims.
- December’s incidents highlight operational breakdowns and the associated supply-chain risks.
Cross-Chain Exploit Drains Hundreds of Wallets Across EVM Networks as Losses Continue to Rise
Cross-chain exploit activity is unfolding across multiple EVM-compatible blockchains, draining hundreds of cryptocurrency wallets in a coordinated operation that remains active as losses continue to rise.
Blockchain investigator ZachXBT flagged the incident during the early hours of Friday, warning that attackers are systematically extracting relatively small amounts from individual wallets while operating across multiple networks simultaneously.
According to ZachXBT, most affected wallets are losing less than $2,000, a distribution that suggests a calculated attempt to stay below detection thresholds while progressively adding to the total stolen.
During the investigation, he also flagged a suspicious Ethereum-compatible address, given in part as 0xAc2***9bFB, which is possibly involved in the thefts on various EVM-based networks.
Moreover, ZachXBT has begun compiling a list of verified victim addresses and is urging affected users to contact him directly through X, formerly Twitter, as the investigation continues.
Cross-Chain Exploit Based on Distributed Wallet Drain Strategy
The cross-chain exploit resembles strategies employed in recent crypto security breaches, where attackers do not focus on a single high-value account but instead drain many smaller wallets.
https://twitter.com/ImZiaulHaque/status/2006968127888724127
Additionally, security researchers following the incident have noted that cross-chain execution lets coordinated infrastructure run across multiple blockchain environments simultaneously.
By acting across multiple EVM-compatible networks, attackers can move quickly before victims can secure remaining funds or revoke compromised permissions.
While the precise technical method has not been confirmed, the attack shows similarities to known address-poisoning schemes and private-key compromise patterns that have affected the sector in recent months.
December Marked by a Series of Major Crypto Security Incidents
The cross-chain exploit follows a damaging December for crypto security, during which blockchain security firm PeckShield recorded 26 major exploit incidents. The monthly aggregate losses amounted to approximately $76 million, representing a 60% decrease from the $194.2 million recorded in November.
Although the monthly increase in the number of users has decreased, December saw several landmark events that impacted users across various platforms.
One of the worst events was a $50 million loss associated with an address-poisoning scam. In that case, a victim mistakenly copied a fake wallet address that appeared to be a real one, and a single transfer depleted the available funds.
Another significant event was a leak of a private key related to a multi-signature wallet, resulting in a loss of approximately $27.3 million.
According to PeckShield, address-poisoning attacks and the exposure of private keys contributed significantly to the total losses in December, highlighting the ongoing role of operational security failures rather than weaknesses in deployed smart contracts.
Trust Wallet Breach Adds to Security Pressure
The current cross-chain exploit is unfolding just days after Trust Wallet users faced additional complications tied to a December 25 security breach. Trust Wallet revealed that a malicious version 2.68 update of its browser extension had been available on the Chrome Web Store.
https://twitter.com/CoinDiaryApp/status/2007072934763127063
The compromised extension was a legitimate release that had passed Chrome’s review process, and it contained concealed code designed to steal users’ recovery phrases. Users who had installed the affected extension and logged in between December 24 and December 26 experienced unintended outflows of funds across several blockchains, including Ethereum, Bitcoin, and Solana.
Trust Wallet later identified 2,520 drained wallet addresses connected to approximately $8.5 million in stolen assets held across 17 attacker-controlled wallets.
Furthermore, Trust Wallet CEO Eowyn Chen confirmed that Google acknowledged a technical bug during the release of a new version, contributing to the disruption. Additionally, Trust Wallet attributed the breach to a broader supply-chain attack known as Sha1-Hulud, which emerged in November.
Security Firms Highlight Shift in Attack Techniques
Commenting on the bigger picture, Immunefi CEO Mitchell Amador said that the crypto industry is experiencing more pressure due to attacks on operational processes rather than on-chain code.
Amador notes that numerous recent attacks follow a protocol release, an upgrade, or an attempted compromised integration, as opposed to an unassessed smart contract.
The data from December, provided by PeckShield, confirms this evaluation, as it reveals that operational vulnerabilities, social engineering, and key management failures are the primary causes of substantial losses.
In one unrelated case, Brooklyn resident Ronald Spektor was indicted for allegedly stealing $16 million in a scheme to defraud around 100 Coinbase users by posing as company personnel, yet another example of the increasing impact of non-technical attack vectors.









