- ZachXBT links many small wallet drains across about 20 EVM chains, with most affected addresses holding less than $2,000 each in assets.
- The incident has drained around $107,000 so far, mainly from Ethereum and BNB Smart Chain, and comes shortly after a $4 million exploit on Flow.
Less than a day into the new year, blockchain investigator ZachXBT warned that a fresh exploit was quietly draining small balances from hundreds of cryptocurrency wallets across Ethereum Virtual Machine (EVM) networks. His early alert turned scattered user complaints into a single incident, with more than $107,000 flowing through one receiving address before investigators understood how the attacker operated. The case lands only days after the Flow blockchain, built by the team behind CryptoKitties and NBA Top Shot, suffered an estimated $3.9–$4 million exploit that pushed the FLOW token down by about 40%, adding more pressure to an already fragile security environment. In this context, the new wave of wallet drains flagged by ZachXBT looks less like an isolated event and more like the next chapter in a growing series of multi-chain security incidents.
Early-year exploit drains wallets across EVM chains
The exploit highlighted by ZachXBT stretches across at least twenty EVM-compatible blockchains, including Ethereum and BNB Smart Chain, with on-chain data tying hundreds of wallets to the same draining pattern. Each compromised wallet loses a relatively small amount, usually less than $2,000, but the combined loss already exceeds $107,000 and continues to grow as new affected addresses are identified. Tracking dashboards show that the attacker’s main receiving wallet briefly held around $109,000 in aggregated assets before funds moved again into fresh destinations, suggesting a deliberate attempt to stay ahead of any freezing or blacklisting efforts.

Most of the stolen value comes from Ethereum, where roughly $55,000 in ETH and tokens has left user wallets without authorization. BNB Smart Chain accounts for a little more than $25,000 in additional losses, while the rest is spread across other EVM networks that include Base, Arbitrum, Polygon, Optimism, Linea, Zora and Avalanche. This distribution shows that the attacker does not fixate on a single ecosystem but instead targets any compatible chain where vulnerable wallets exist.

The collection wallet itself shows another distinctive pattern, because it receives a stream of very small transfers, often between $0.02 and $2, at irregular but frequent intervals. That behaviour points toward automated scripts that sweep whatever balance remains in each compromised account, as long as there is enough value to cover gas fees. Despite the six-figure total, the wallet now holds only about $7,000 in visible assets, still concentrated mainly on Ethereum and BNB Smart Chain. The rest appears to have been moved on, either to fresh addresses controlled by the attacker or into services that help obscure the origin of funds.

Analysts following the case stress that no confirmed explanation exists yet for how the attacker gained access to so many unrelated wallets across different chains. Until that root cause becomes clear, the exploit remains an open incident rather than a closed historical hack.
How ZachXBT traced over $107,000 in small wallet losses
The approach that ZachXBT used shows how independent investigators can assemble a complex story from public blockchain data. Initial reports of unexpected outgoing transactions began appearing in community channels near the end of December, but they looked like isolated problems and did not point to a broader campaign. Once ZachXBT and other researchers noticed that many of these transfers ended at the same receiving address, they could regroup scattered incidents into a single timeline. From there, it became possible to map every incoming transaction across roughly twenty EVM networks, group victims by chain, and calculate that most individual wallets lost less than $2,000 even as the total drained amount climbed beyond $107,000.

In his investigation updates, ZachXBT explained that funds from Ethereum wallets accounted for just over half of the receiving wallet’s peak balance, while transfers from BNB Smart Chain contributed almost a quarter. Smaller amounts arrived from networks such as Base, Arbitrum, Polygon, Optimism, Linea, Zora and Avalanche, filling out the rest of the portfolio. This spread matches the idea of a broad, low-intensity campaign rather than a focused attack on a single protocol. The investigator also pointed to a specific address, beginning with 0xAc2e and ending with ad8Bf9bFB, as the main hub that collects the drained funds before they move elsewhere. That detail gives exchanges, wallet providers and analytics firms a concrete target to monitor for suspicious inflows and potential cash-out attempts.

Beyond the raw numbers, the pattern documented by ZachXBT suggests a clear strategy. Instead of chasing a few large whale wallets, the attacker appears to focus on many smaller holders who may not check their addresses every day. A loss of a few hundred dollars can sit unnoticed for longer, especially when a user holds several test wallets across different chains and treats them as disposable. At the same time, the attacker still gains a meaningful haul once those small thefts add up across hundreds of victims. That trade-off between lower individual risk and higher aggregate reward makes this style of wallet drainer difficult to detect until someone like ZachXBT pieces the fragments together and raises a public alarm.
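The grouping step described above, combined with the small-transfer sweep pattern noted in the previous section, can be expressed as a short analysis routine. This is an added example, not ZachXBT's tooling: the transfer records, placeholder addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transfers, not real on-chain data:
# (chain, sender, recipient, usd_value). All addresses are placeholders.
TRANSFERS = [
    ("ethereum", "0xa1", "0xHUB", 410.00),
    ("ethereum", "0xa2", "0xHUB", 1250.50),
    ("ethereum", "0xa1", "0xHUB", 1.20),
    ("bsc",      "0xa3", "0xHUB", 300.00),
    ("bsc",      "0xa1", "0xHUB", 0.45),   # same key, second chain
    ("base",     "0xa4", "0xHUB", 0.02),
    ("polygon",  "0xa5", "0xHUB", 1.75),
    ("arbitrum", "0xa6", "0xHUB", 88.00),
    ("ethereum", "0xb1", "0xDEPOSIT", 5000.00),
    ("ethereum", "0xb2", "0xDEPOSIT", 12000.00),
    ("ethereum", "0xb3", "0xDEPOSIT", 1.50),
]
DUST_RANGE = (0.02, 2.00)  # USD band of the small sweeps described in the article

def profile_recipients(transfers, min_senders=4, min_chains=2, min_dust_share=0.25):
    """Aggregate inflows per recipient and flag multi-chain fan-in hubs.

    Thresholds are illustrative assumptions, not values from the investigation.
    """
    by_chain = defaultdict(lambda: defaultdict(float))
    by_sender = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(lambda: [0, 0])  # recipient -> [transfers, dust transfers]
    for chain, sender, recipient, usd in transfers:
        by_chain[recipient][chain] += usd
        # An externally owned account has the same address on every EVM chain,
        # so victims are keyed by address only and their losses sum across chains.
        by_sender[recipient][sender] += usd
        counts[recipient][0] += 1
        counts[recipient][1] += DUST_RANGE[0] <= usd <= DUST_RANGE[1]
    report = {}
    for recipient, chains in by_chain.items():
        total, dust = counts[recipient]
        victims = by_sender[recipient]
        report[recipient] = {
            "total_usd": round(sum(chains.values()), 2),
            "usd_by_chain": {c: round(v, 2) for c, v in chains.items()},
            "victims": len(victims),
            "max_victim_loss_usd": round(max(victims.values()), 2),
            "dust_share": dust / total,
            "flagged": (len(victims) >= min_senders and len(chains) >= min_chains
                        and dust / total >= min_dust_share),
        }
    return report

if __name__ == "__main__":
    for addr, row in profile_recipients(TRANSFERS).items():
        print(addr, row)
```

On the constructed data, the hub address is flagged because it combines many distinct senders, several chains and a high share of dust-sized inflows. The single-chain deposit address with a few large transfers is not flagged.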
Ongoing investigation, suspected vectors, and user exposure
Specialist security teams and independent researchers are still working to identify the entry point that allows this EVM wallet drainer to move funds out of so many accounts without an obvious common factor in wallet provider, device or operating system. Some affected users report persuasive phishing emails that posed as messages from well-known wallet brands and urged them to perform urgent security upgrades or reveal seed phrases, which raises the possibility that social engineering plays a role in the campaign. Other analysts have compared addresses from the current exploit with those flagged during a recent supply chain attack on the Trust Wallet browser extension, where a malicious version of the extension on the Chrome Web Store drained about $7–$8.5 million from roughly 2,500 wallets. On-chain analysis by firms such as Nansen indicates that the address identified by ZachXBT may link to infrastructure used in that earlier incident, suggesting that this wave of drains could represent a second phase built on already compromised keys rather than a brand new vulnerability.

For ordinary users, the practical risk extends beyond the $107,000 headline figure, because the exploit often hits accounts that many holders view as too small to monitor closely. A trader who keeps most holdings on a hardware wallet may check that primary address after every transaction, yet the same person might ignore older browser wallets that still contain tokens from earlier experiments on BNB Smart Chain, Polygon, Arbitrum or other EVM-compatible networks. Those neglected addresses become easy targets if an attacker controls seed phrases, password managers, browser extensions or outdated backups. The slow stream of transfers between $0.02 and $2 that ZachXBT and others observed matches the profile of scripts that sweep leftover balances from exactly this kind of forgotten wallet.

Until investigators confirm a single root cause, security guidance remains broad but still practical. Users can reduce exposure by reviewing all wallets derived from the same seed phrase, even those with small balances, and by revoking old token approvals on EVM networks where they no longer interact with decentralized applications. Treating every unsolicited message that asks for recovery phrases or urges an immediate upgrade as suspicious also helps, regardless of how polished the branding looks. These steps cannot guarantee safety from every unknown exploit, but they narrow the attack surface while specialists and investigators such as ZachXBT continue to track the drainer’s activity.
From Flow’s $4 million breach to the new ZachXBT alerts
The warning that ZachXBT issued arrives in a market already unsettled by the recent exploit on Flow, the Layer 1 blockchain developed by the company behind NBA Top Shot and CryptoKitties. On December 27, the Flow Foundation confirmed that an attacker exploited a weakness in the network’s execution layer and moved roughly $3.9–$4 million in assets off-chain before validators coordinated a halt. That incident pushed the FLOW token down by about 40% in a short window and prompted major South Korean exchanges to suspend deposits and withdrawals while they assessed the situation. Although Flow’s team later described the loss as manageable and brought the chain back online, the episode reminded users and developers that base-layer security failures can have immediate consequences for both liquidity and trust.

Taken together, the Flow breach and the EVM wallet drains tracked by ZachXBT highlight the range of attack surfaces that the crypto ecosystem now exposes. In the Flow case, the focus rests on execution layer design, validator coordination and questions about rollback proposals, because the attacker struck the protocol’s core infrastructure rather than a single user-facing application. In the wallet drainer case, the story shifts to user endpoints, browser extensions, phishing campaigns and key management. Both incidents show how attackers adapt to multi-chain environments, using cross-chain bridges, token mints and network-specific tools to move stolen funds between ecosystems and complicate forensic analysis. That wider picture gives additional weight to the alerts issued by ZachXBT, because they sit inside a broader trend rather than standing alone.
Conclusion
The exploit that ZachXBT brought into focus serves as an early reminder that even modest wallet balances sit at risk when attackers find scalable ways to automate theft across many EVM chains. With more than $107,000 already drained from hundreds of addresses that each held less than $2,000, the case shows how small individual losses can quickly add up when no one notices the pattern. Ongoing investigations into possible links with earlier browser extension attacks, phishing campaigns and leaked keys may eventually reveal a precise technical cause, yet users do not need to wait for a final report before tightening basic security habits. Regular checks of older wallets, consolidation of funds into well-protected accounts and careful skepticism toward urgent upgrade messages already reduce the room in which this kind of drainer can operate. As the year begins, the alerts from ZachXBT underline a simple point for anyone active on EVM chains: security attention should cover every address, not only the largest ones.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion or advice of any kind from CryptoNewsBytes.com. The author declares he does not hold any of the above-mentioned tokens or received any incentive from any company.

