On April 30, 2026, on-chain investigators reported that over 500 Ethereum wallets were drained in a coordinated attack, resulting in approximately $800,000 in losses. The exploit primarily targeted wallets that had been dormant for extended periods, some inactive for up to 14 years. The stolen funds were subsequently bridged and mixed through ThorChain, making it difficult to trace.
User @WazzCrypto was among the first to publicly flag the incident on X, noting that many of the affected wallets had not seen activity in over seven years. The attacker swept around 324.741 ETH as wrapped assets on the Bitcoin network via ThorChain, along with an additional $32,000 in ETH stored in a separate wallet. Some of the funds were converted into 9.56 BTC.
Security researchers, including on-chain analyst @tayvano, observed that the attacker may have manually processed some transactions, as certain wallets were only partially drained. The pattern of fund movement closely resembled techniques used by DPRK-linked hackers in previous DeFi exploits.
The exact vector of the attack remains unknown. Hypotheses include leaked private key databases from old breaches, compromised Electrum wallet versions, and npm supply chain attacks that could have exposed private keys. The incident follows the recent Bitwarden hack and the LastPass breach, both of which have been associated with crypto theft. Additionally, the use of trading bots that require private key input has been suggested as a possible vulnerability.
This event has further shaken trust in DeFi protocols and renewed criticism regarding Ethereum's suitability for large-scale financial activities.
