Cross-Chain Chaos: Hundreds of Crypto Wallets Drained in Ongoing Attack—ZachXBT Sounds Alarm
Hundreds of digital wallets are being systematically drained in a sophisticated cross-chain exploit, according to on-chain investigator ZachXBT. The attack bypasses traditional security layers, moving assets across multiple blockchains before victims even notice.
The Mechanics of the Drain
This isn't a simple phishing scam. The exploit leverages vulnerabilities in cross-chain messaging protocols—the bridges that let users move assets between networks. Once a transaction is initiated on one chain, the attack intercepts and redirects funds on the destination chain, leaving empty wallets in its wake. Security audits missed it; automated alerts failed. It's a silent siphon operating in the seams between ecosystems.
Why This One Hurts
Cross-chain functionality is the holy grail of interoperability—the feature that's supposed to make crypto seamless. This attack turns that promise into a liability. It targets the very infrastructure that major DeFi protocols and institutions rely on for liquidity and functionality. The 'hundreds' of wallets cited aren't just retail accounts; they include smart contracts and treasury addresses, amplifying the financial and systemic damage.
The Bullish Paradox
Here's the twisted finance of it all: every major hack ultimately funds more security innovation—and drives more institutional investment into the very systems that failed. Venture capital flows toward 'solving' the problems that just cost users millions, creating a perverse, cynical growth loop where security failures become a revenue stream for the ecosystem's builders. The market shrugs, prices dip, then climb, as if rewarding the chaos.
The exploit remains active. Teams are scrambling to patch vulnerabilities, but the attacker's address keeps filling up. In crypto, the bridges to the future still have trolls lurking underneath—and they're taking a hefty toll.
Source: Telegram
Attack Pattern Emerges Across Multiple Blockchains
ZachXBT identified a suspicious address (0xAc2***9bFB) that may be linked to ongoing thefts targeting EVM chains.
The investigator is compiling verified addresses of theft victims as more victims come forward and is requesting that affected users contact him directly via X (formerly Twitter).
The distributed attack mirrors tactics seen in recent high-profile incidents, in which attackers exploit multiple smaller wallets rather than targeting a single large holding.
This approach often evades immediate detection while maximizing total extraction across compromised accounts.
Security researchers note that the cross-chain nature suggests sophisticated infrastructure, with threat actors operating simultaneously across different blockchain networks to drain funds before victims can respond.
Beyond EVM chains, the attack methodology resembles patterns observed in address-poisoning schemes and private-key compromises that have plagued the industry over recent months.
HACKERS ARE QUIETLY STEALING FUNDS FROM EVERYDAY WALLETS ACROSS EVM CHAINS
Researcher ZachXBT warns that hundreds of wallets are being drained across multiple EVM networks.
Most victims lose small amounts (under $2K), but the total stolen has already reached $107K.
The exact… pic.twitter.com/Jl6DcI0JqE
Experts emphasize that the coordinated timing and multi-chain execution indicate well-resourced attackers capable of maintaining persistent infrastructure across various blockchain environments.
Trust Wallet Breach Highlights Broader Vulnerability Crisis
The alert comes days after Trust Wallet users faced fresh complications when the company’s Chrome extension was temporarily removed from the Chrome Web Store, delaying a crucial claims verification tool for victims of the Christmas Day hack.
Trust Wallet CEO Eowyn Chen confirmed that Google acknowledged a technical bug encountered during the new version release.
“We understand how concerning this is, and our team is actively working on the issue,” Trust Wallet stated after identifying 2,520 drained wallet addresses linked to roughly $8.5 million in stolen assets across 17 attacker-controlled wallets.
The December 25 breach stemmed from a malicious version 2.68 of Trust Wallet’s browser extension, which appeared legitimate, passed Chrome’s review process, but contained hidden code that extracted recovery phrases.
Users who installed the compromised extension and logged in between December 24 and 26 faced immediate fund outflows across multiple blockchains, including Ethereum, Bitcoin, and Solana.
@TrustWallet users affected by the Chrome extension hack are still waiting for the claims tool after the extension was pulled due to a Chrome Web Store bug#TrustWallet #CryptoSecurity #Chromehttps://t.co/O6atPd0DVa
— Cryptonews.com (@cryptonews) January 1, 2026Trust Wallet traced the incident to a broader supply-chain attack known as Sha1-Hulud, which surfaced in November and compromised multiple companies through exposed GitHub secrets and a leaked Chrome Web Store API key.
The attack bypassed internal approval checks, allowing direct uploads of malicious code that appeared authentic to both automated security systems and manual reviewers.
Industry Faces Human-Layer Security Crisis
Mitchell Amador, CEO of Immunefi, warns that the crypto sector confronts a fundamental security reckoning as attack vectors increasingly target operational vulnerabilities rather than smart contract code.
“The threat landscape is shifting from onchain code vulnerabilities to operational security and treasury-level attacks,” he told Cryptonews. “As code hardens, attackers target the human element.“
Despite December’s 60% month-over-month decline in hack losses to $76 million, down from November’s $194.2 million, security experts emphasize that persistent threats remain.
“” Amador stated. “Most hacks this year haven’t occurred due to poor audits, they’ve happened after launch, during protocol upgrades, or through integration vulnerabilities.“
Blockchain security firm PeckShield documented 26 major exploits in December, with address-poisoning scams and private-key leaks accounting for substantial losses.
Crypto trader loses $50 million to address poisoning scam as industry grapples with nearly $90 billion in cumulative security losses.#Crypto #Scamhttps://t.co/ZXn2iF8wdi
One victim lost $50 million after mistakenly copying a fraudulent address that visually mimicked their intended destination.
Another major incident involved a private key leak tied to a multi-signature wallet, resulting in losses of approximately $27.3 million.
The industry’s vulnerability extends beyond technical exploits to social engineering schemes, with Brooklyn resident Ronald Spektor facing charges for allegedly stealing $16 million from roughly 100 Coinbase users by impersonating company employees.
