Hundreds of Crypto Wallets Drained in Automated Phishing Attack: The Silent Digital Heist of 2026

Another day, another automated attack drains digital wallets—only this time, it's not a handful, but hundreds. The crypto world wakes up to another security nightmare, proving that while blockchain itself might be immutable, the human endpoints remain painfully vulnerable.
The Attack Vector: Phishing Gets a Factory Reset
Forget the clumsy, misspelled emails from 'Nigerian princes.' This was phishing industrialized. An automated system, likely leveraging compromised API keys or malicious smart contract interactions, systematically targeted wallets. It didn't need a user to click a link—it just needed a momentary lapse in verification or a stale permission grant. The 'hundreds' drained weren't just random targets; they were a statistic generated by a ruthless, efficient script.
The Aftermath: Cold Wallets and Cold Reality
The immediate advice is the same tired refrain: use hardware wallets, revoke unnecessary permissions, enable 2FA. It's sound, but it rings hollow for those already emptied. The real story isn't the loss—it's the market's shrug. No major token price took a lasting hit. The collective psyche of crypto has normalized these events, treating them as operational overhead rather than existential threats. A cynical take? It's just another cost of doing business in the wild west—one that traditional finance would never tolerate but that crypto 'innovators' seem to budget for.
The Bottom Line: Security Theater Meets Digital Darwinism
This attack cuts through the hype of Web3 sovereignty. It bypasses the narrative of 'being your own bank' and highlights the grim reality: being your own security detail, audit team, and fraud department is a full-time job most aren't qualified for. The ecosystem's growth continues, ATHs get chased, but these incidents are the rust slowly eating at the hull. The industry builds breathtaking financial infrastructure on a foundation where user error can still mean instant, irreversible ruin. That's not a bug in the code—it's a flaw in the sales pitch.
TLDR
- An attacker drained hundreds of EVM wallets across multiple blockchain networks, taking typically under $2,000 per wallet in what appears to be an automated attack
- Security firms believe the exploit involved phishing emails that spoofed MetaMask branding to trick users into granting malicious approvals
- The attack may be linked to a separate $7 million Trust Wallet hack on Christmas Day that compromised 2,596 wallets through a supply-chain attack
- Crypto exploit losses dropped 60% in December to $76 million, down from $194.2 million in November
- ZachXBT reports the total stolen in this specific EVM wallet attack exceeded $107,000
An attacker has stolen funds from hundreds of cryptocurrency wallets across multiple blockchain networks in what security experts describe as a coordinated phishing campaign. The attack targeted wallets compatible with the Ethereum Virtual Machine (EVM) standard.
SECURITY ALERT (EVM): ZachXBT reports a coordinated wallet-draining event across multiple EVM chains.
Hundreds of Wallets hit
~$107K Stolen so far, Still Rising
Root Cause Unknown
Suspicious Address:…
— crypto Patel (@CryptoPatel) January 2, 2026
Blockchain investigator ZachXBT first reported the breach, noting that the attacker drained small amounts from each compromised wallet. Most individual victims lost under $2,000, but the total amount stolen exceeded $107,000 across all affected addresses.
The attack affected wallets across multiple EVM-compatible blockchain networks. Security experts say this suggests the attacker deliberately cast a “wide net” to capture smaller amounts from many victims rather than targeting high-value wallets.
Cybersecurity firm Hackless warned that the attack appears to be automated. The firm urged users to immediately revoke smart contract approvals and monitor their wallet activity for suspicious transactions.
Phishing Email May Have Enabled Wallet Compromise
Security researcher Vladimir S. identified a potential attack vector involving fake emails. The phishing emails reportedly impersonated official MetaMask communications to trick users into approving malicious transactions.
Screenshots shared on social media showed an email that closely mimicked MetaMask’s official branding. This type of spoofing is designed to reduce user suspicion and increase the likelihood of successful compromise.
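A mail-gateway style check for the brand spoofing described above, as an added example that is not from the original report or from MetaMask. It assumes `metamask.io` is the expected sender domain and `mx.example.org` is the receiving server's authserv-id; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAINS = {"metamask": {"metamask.io"}}  # assumption: expected sender domains
TRUSTED_AUTHSERV = "mx.example.org"            # assumption: our own receiving MTA

# Constructed sample; every address and host below is a placeholder.
SAMPLE_SPOOF = """\
From: "MetaMask Support" <security@metamask-verify.example>
To: user@example.org
Subject: Action required: verify your wallet
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=metamask-verify.example;
 dkim=pass header.d=metamask-verify.example; dmarc=none
Authentication-Results: mx.other.example; dmarc=pass header.from=metamask.io

Confirm your wallet to avoid suspension.
"""

def assess(raw):
    """Return a list of findings for a message that uses a protected brand name."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Only read Authentication-Results stamped with our own MTA's authserv-id
    # (RFC 8601); verdicts recorded by other hosts are not ours to rely on.
    auth = " ".join(h for h in msg.get_all("Authentication-Results", [])
                    if h.split(";", 1)[0].strip().lower() == TRUSTED_AUTHSERV)
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower()))
    findings = []
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        aligned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in claimed and not aligned:
            # SPF/DKIM can pass here: they authenticate the sender's own domain,
            # not the brand shown in the display name.
            findings.append(f"brand '{brand}' claimed by {domain}")
    if verdicts.get("dmarc") != "pass":
        findings.append(f"dmarc={verdicts.get('dmarc', 'missing')}")
    return findings
```

The sample passes SPF and DKIM for the sender's own lookalike domain, which is why the display-name check is needed alongside the authentication verdicts.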
The attackers likely used these fake emails to convince users to grant wallet approvals. Once granted, these approvals gave the attacker permission to transfer funds from the victim’s wallet.
Security experts recommend that crypto users regularly review and revoke unnecessary smart contract approvals. They also advise verifying the authenticity of any wallet-related emails before clicking links or taking action.
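One way to carry out the approval review recommended above, as an added example that is not code from the original report or from any wallet vendor: it replays ERC-20 `Approval` event logs for one owner and lists grants that are still open. The log records, addresses and the trusted-spender set are constructed placeholders, and block and log positions are plain integers here (JSON-RPC returns them as hex strings).

```python
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: anything this large is an "infinite" approval

def pad(a):    # 20-byte address -> 32-byte topic
    return "0x" + "0" * 24 + a[2:]

def unpad(t):  # 32-byte topic -> 20-byte address
    return "0x" + t[-40:].lower()

def outstanding_approvals(logs, owner, trusted_spenders=frozenset()):
    """Replay Approval logs in chain order; the last value per (token, spender) wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval has the same topic0 but 4 topics (tokenId indexed): skip.
        if t[0].lower() != APPROVAL_TOPIC or len(t) != 3:
            continue
        if unpad(t[1]) != owner.lower():
            continue
        latest[(log["address"].lower(), unpad(t[2]))] = int(log["data"], 16)
    return [
        {"token": tok, "spender": sp, "unlimited": v >= UNLIMITED,
         "trusted": sp in trusted_spenders}
        for (tok, sp), v in sorted(latest.items()) if v > 0  # 0 means revoked
    ]

# Constructed sample data: placeholder addresses only.
OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "11" * 20
DRAINER, OLD, ROUTER = "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20

def mk(block, idx, spender, value, extra=()):
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender), *extra],
            "data": hex(value)}

SAMPLE_LOGS = [
    mk(120, 0, OLD, 0),                # later revocation of OLD
    mk(100, 3, OLD, 5 * 10**18),       # earlier grant to OLD
    mk(110, 1, ROUTER, 250 * 10**6),   # finite grant to a known spender
    mk(130, 7, DRAINER, 2**256 - 1),   # unlimited grant to an unknown spender
    mk(131, 0, DRAINER, 0, extra=(pad("0x" + "00" * 19 + "07"),)),  # ERC-721 shape
]
REPORT = outstanding_approvals(SAMPLE_LOGS, OWNER, trusted_spenders={ROUTER})
```

Logs give an upper bound only, because `transferFrom` spends allowance without necessarily emitting a new `Approval`; the token's on-chain `allowance(owner, spender)` value is authoritative before deciding what to revoke.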
Possible Connection to Trust Wallet Breach
The wallet drains may be linked to a separate security incident involving Trust Wallet. On Christmas Day, Trust Wallet reported a $7 million hack that affected approximately 2,596 wallets.
That breach was later attributed to a supply-chain attack called “Sha1-Hulud.” The attack targeted npm packages commonly used by cryptocurrency developers.
Trust Wallet’s incident report explained that leaked developer credentials from GitHub allowed the attacker to modify the wallet’s browser extension. The malicious version was then uploaded to the Chrome Web Store.
Binance co-founder Changpeng Zhao suggested the Trust Wallet attack required insider knowledge of the wallet’s source code. Blockchain adviser Anndy Lian described the circumstances as “not natural.”
Binance, which owns Trust Wallet, confirmed that the mobile app was not affected by the breach. The company also committed to reimbursing all impacted users.
Security experts have not confirmed whether the two incidents are directly connected. However, both attacks share common tactics including browser extension exploitation, phishing techniques, and abuse of wallet approvals.