Cybersecurity researchers have uncovered a sophisticated crypto-stealing operation involving a malware kit called StepDrainer, which is draining funds from wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks. The malware-as-a-service kit uses fake but realistic Web3 wallet pop-ups to trick users into approving transfers.
According to LevelBlue, StepDrainer misuses real smart contract tooling such as Seaport and Permit v2 so that the wallet approval pop-ups it triggers are genuine signing requests and therefore appear legitimate, while the details presented to the user are misleading. In one case, victims saw a message claiming they were receiving '+500 USDT,' making the approval seem safe when it in fact granted the attacker spending rights. The malicious code is loaded through scripts that change frequently and is deployed from decentralized on-chain accounts, allowing attackers to evade traditional security scanners.
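The mismatch described above, between what a pop-up says ("+500 USDT incoming") and what the signature actually authorises, is something a wallet or browser extension can check before rendering the prompt. The following is an added defensive example written for this article; it is not code from LevelBlue, from StepDrainer, or from any wallet project. It assumes the request is a Permit2 `PermitSingle` EIP-712 object in the public Uniswap Permit2 layout (`details.token`, `details.amount`, `details.expiration`, `details.nonce`, `spender`, `sigDeadline`); the Permit2 contract address, the trusted-spender list, the token and spender addresses and the timestamps in the sample are constructed placeholders or public values the reader should verify independently.

```python
# Added defensive example: audit a Permit2 "PermitSingle" EIP-712 signing request
# before a wallet shows it to the user, and render a plain-language statement of
# what the signature grants so UI text like "+500 USDT" can be contradicted.
# The PermitSingle field layout is assumed from the public Uniswap Permit2 design.

MAX_UINT160 = (1 << 160) - 1          # Permit2 amounts are uint160; this value means "unlimited"
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


def audit_permit_single(typed_data, trusted_spenders, expected_permit2, now):
    """Return a list of warnings for a PermitSingle request (empty list = nothing flagged).

    typed_data       -- the EIP-712 object the dApp asked the wallet to sign
    trusted_spenders -- contract addresses the user has knowingly approved before
    expected_permit2 -- the Permit2 deployment the wallet trusts for this chain
    now              -- current UNIX time (int), injected so the check is testable
    """
    warnings = []
    if typed_data.get("primaryType") != "PermitSingle":
        return [f"not a PermitSingle request: {typed_data.get('primaryType')!r}"]

    domain = typed_data.get("domain", {})
    if domain.get("verifyingContract", "").lower() != expected_permit2.lower():
        warnings.append("verifyingContract is not the expected Permit2 deployment")

    msg = typed_data["message"]
    details = msg["details"]
    amount = int(details["amount"])
    expiration = int(details["expiration"])
    spender = msg["spender"].lower()
    sig_deadline = int(msg["sigDeadline"])

    if amount == MAX_UINT160:
        warnings.append("unlimited allowance requested (amount == max uint160)")
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {spender} has not been approved before")
    if expiration - now > ONE_YEAR_SECONDS:
        warnings.append("allowance would stay valid for more than a year")
    if sig_deadline < now:
        warnings.append("sigDeadline already passed; request is stale or crafted")
    return warnings


def describe_permit_single(typed_data):
    """State what the signature grants, independent of whatever the dApp displayed.

    A Permit2 signature only delegates spending rights; it never moves tokens to
    the signer, so a pop-up claiming the user is *receiving* funds contradicts it.
    """
    msg = typed_data["message"]
    details = msg["details"]
    amount = int(details["amount"])
    amount_text = "an UNLIMITED amount" if amount == MAX_UINT160 else f"up to {amount} base units"
    return (
        f"Grants {msg['spender']} permission to spend {amount_text} of token "
        f"{details['token']} from your wallet until timestamp {details['expiration']}. "
        "It does not send anything to you."
    )


# --- Constructed sample data (placeholders, not captured from a real incident) ---
PERMIT2_ADDRESS = "0x000000000022D473030F116dDEE9F6B43aC78BA3"  # public Uniswap Permit2 address; verify yourself
NOW = 1_700_000_000                                             # constructed "current time"
TRUSTED_SPENDERS = ["0x3333333333333333333333333333333333333333"]  # placeholder router the user knows
TOKEN = "0x2222222222222222222222222222222222222222"             # placeholder token contract

SUSPICIOUS_REQUEST = {  # unlimited, unknown spender, expiration at max uint48
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "message": {
        "details": {"token": TOKEN, "amount": str(MAX_UINT160),
                    "expiration": str((1 << 48) - 1), "nonce": "0"},
        "spender": "0x1111111111111111111111111111111111111111",  # placeholder, never seen before
        "sigDeadline": str(NOW + 600),
    },
}

BENIGN_REQUEST = {  # bounded amount, known spender, one-hour expiration
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "message": {
        "details": {"token": TOKEN, "amount": "500000000",
                    "expiration": str(NOW + 3600), "nonce": "7"},
        "spender": TRUSTED_SPENDERS[0],
        "sigDeadline": str(NOW + 1800),
    },
}

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_permit_single(req, TRUSTED_SPENDERS, PERMIT2_ADDRESS, NOW))
        print("   ", describe_permit_single(req))
```

The point of `describe_permit_single` is that the wallet, not the dApp, should be the source of the sentence the user reads: any UI claim of an incoming transfer cannot be true for a permit signature, so the two texts side by side expose the lure. The audit thresholds (unlimited amount, unknown spender, multi-year expiration) are the signals a practitioner would surface as a warning rather than a block, since legitimate DEX flows do request long-lived allowances.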
Separately, security researchers reported a coordinated attack targeting old Ethereum wallets, many inactive for over seven years. On-chain analyst Wazz identified a single attacker address sweeping funds from dormant wallets. Another analyst, Specter, estimated total losses at more than $800,000, with the attacker bridging 324 ETH (worth ~$734,000) to the Bitcoin network via ThorChain and depositing 2 ETH to an exchange likely converted to Monero.
Community experts ruled out smart contract or token approval exploits. Developer Fitna stated: 'Old secret keys and seed phrases leaked years ago from bad wallet apps, weak randomness, stolen backups, LastPass, cloud leaks, or old 2017/18 software. Hacker is now draining leftover ETH.' Cryptographer Mikerah suggested the pattern points to an older key generation process with weak entropy.
The attack landed on the final day of what analyst Abdul described as 'the worst month ever in terms of DeFi exploits,' with roughly $635 million lost across 28 incidents in 30 days. Major incidents included a $285 million exploit at Drift on April 1, a $294 million exploit at KelpDAO on April 18, and a $5 million hit on Wasabi Protocol on the same day as the dormant wallet drain.