EVM Wallets Hacked: Ethereum & BNB Chain Users Face Massive Drain as Security Flaw Exposed
Digital vaults cracked open. A sweeping exploit targeting Ethereum Virtual Machine (EVM) wallets has siphoned funds across two of the largest blockchain networks—Ethereum and BNB Chain. The attack vector remains active, exposing a critical vulnerability at the heart of widely used wallet infrastructure.
The Anatomy of a Drain
Security analysts trace the breach to a flaw in wallet interaction logic. The exploit doesn't brute-force private keys—it tricks transaction signing processes. Users sign what looks like a routine approval, only to hand over blanket access to their assets. Once that permission slips through, automated scripts liquidate holdings in seconds.
Cross-Chain Chaos
The attack's reach across both Ethereum and BNB Chain highlights a systemic risk. It targets the EVM's standard itself—the common runtime environment powering both networks. This isn't a chain-specific bug; it's a protocol-level weakness affecting any wallet built on EVM compatibility. Interoperability's double-edged sword just got sharper.
The Fallout and the Finger-Pointing
Loss estimates are still rolling in, but early figures point to a multi-million dollar heist. The community response splits between urgent warnings to revoke wallet permissions and cynical shrugs about 'decentralized risk.' One fund manager quipped, 'This is why we keep 80% in cold storage—the other 20% is for paying the blockchain's innovation tax.'
Patchwork Solutions Emerge
Wallet providers and security firms scramble to deploy detection scripts and user alerts. The immediate fix? Manually revoke suspicious token approvals—a tedious process most users avoid until it's too late. Long-term, the incident pressures core developers to harden the EVM's approval mechanisms. Expect a wave of 'security-focused' hard forks and audit service promotions.
This breach cuts deep, proving that convenience-focused wallet design often bypasses fundamental security. As the dust settles, one truth remains: in crypto, you're not just your own bank—you're also the lone security guard on a very dark night.
Source: Investigations by ZachXBT on Telegram.
The wallets are being funneled into the address identified as 0xAc2e…ad8Bf9bFB, which on-chain data shows is holding assets from nearly 20 different blockchains.
Ethereum, BNB, Avalanche, Arbitrum among EVM chains affected
According to blockchain information from Debank, shared by the 2D investigator on Telegram, the attacker’s accumulated assets include about $54,655 worth of assets on Ethereum, accounting for 51% of its total balance. The BNB Chain follows with approximately $25,545, or 24%.
At the time of this reporting, smaller but still notable balances were also recorded from layer-2 and alternative chains like Base ($8,688), Arbitrum ($6,273), Polygon ($3,498), Optimism ($1,480), Zora ($994), Linea ($909), and Avalanche ($386).
Investors on Crypto Twitter suggest that the hacker may have used fake MetaMask emails sent during the holidays to trick traders to hand them their wallet seed phrases.
However, per an analysis from Nansen, the address has been confirmed as one of the attacker wallets connected to the Trust Wallet Chrome Extension “Shai- Hulud” Supply Chain Attack, the security incident that began over the Christmas period.
As reported by Cryptopolitan on Christmas Eve, a malicious code compromised Trust Wallet’s browser extension version 2.68, resulting in an estimated $7 million in losses.
“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” Trust Wallet explained in a post-mortem published last Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.”
They used that access to register the domain “metrics-trustwallet[.]com” and distributed a trojanized version of the extension, with a backdoor that could harvest users’ wallet mnemonic phrases and transmit them to “api.metrics-trustwallet[.]com.”
Trust Wallet said about one million users of its Chrome extension were asked to update to version 2.69 after the compromised update was pushed to the browser’s extension marketplace on December 24.
“Sha1-Hulud was an industry-wide software supply chain attack that affected companies in several sectors, including but not limited to crypto,” the company said. The disclosure brought light to Shai-Hulud 3.0, a newer iteration of the malware that researchers believe is a stealth version of the original code.
“The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.
Nansen expects the stolen tokens to be routed through Tornado Cash, eXch, Railgun, THORChain, Debridge, and TRON OTC venues.
Holiday email scams takeover Christmas in record 2025
At the start of December, the FBI’s Internet Crime Complaint Center sent warnings to Americans about fraudulent and phishing emails, saying citizens had lost more than $785 million annually to non-payment and non-delivery scams during holidays, with credit card fraud adding another $199 million.
Moreover, blockchain-monitoring firms Chainalysis and TRM Labs estimate that cybercriminals stole $2.7 billion in crypto last year, the highest annual total on record. The largest by far was the breach of Dubai-based exchange Bybit, where attackers stole about $1.4 billion.
That attack surpassed previous record-setting crypto heists, including the $624 million Ronin Network breach and the $611 million Poly Network hack in 2022.
North Korean state-linked hackers were the perpetrators of most crypto theft incidents, stealing at least $2 billion during the year, according to Chainalysis and Elliptic. Since 2017, those groups are estimated to have taken around $6 billion in crypto supposedly used to fund the country’s sanctioned nuclear weapons program.
Sign up to Bybit and start trading with $30,050 in welcome gifts
