Attackers withdrew funds from hundreds of EVM wallets in a "wide-ranging" crypto mining operation.


Security companies warn that the exploit shows signs of automation and may be related to phishing emails.

An attacker withdrew funds from hundreds of cryptocurrency wallets on Ethereum Virtual Machine (EVM) compatible networks, with small amounts withdrawn from each wallet. On-chain investigator ZachXBT described this as a large-scale but low-value operation.

Although the losses per wallet were typically under $2,000, the wide-ranging impact suggests this was an organized campaign, not an isolated incident.

According to ZachXBT, the affected wallets span multiple EVM blockchains, suggesting the attacker "cast a wide net" to collect small amounts in large quantities.

Hackless warns of automated attacks behind EVM wallet withdrawals.

Cybersecurity company Hackless also issued a similar assessment, warning that this activity appears to be automated and urging users to immediately revoke smart contract approval permissions and closely monitor wallet activity.

Initial clues suggest phishing may have been the source of the infection. Cybersecurity researcher Vladimir S. said a spoofed email, impersonating an official announcement from MetaMask, may have tricked users into granting permissions or signing malicious transactions.

Screenshots circulating on social media show that this email almost perfectly replicates the official brand identity — a familiar tactic to lower awareness and speed up intrusion.

The wallet withdrawal may also be related to another incident with Trust Wallet, which was reportedly hacked for $7 million on Christmas Day.

The incident affected approximately 2,596 wallets and was later identified as being linked to a supply chain attack called “Sha1-Hulud,” targeting npm packages used by many crypto developers.

A report from Trust Wallet indicates that a leak of developer secrets on GitHub allowed attackers to modify the wallet's browser extension and upload a malicious version to the Chrome Web Store.

Some industry insiders suggest that internal factors may have contributed. Blockchain advisor Anndy Lian called the situation “unnatural,” while Binance co-founder and former CEO Changpeng Zhao argued that the attack likely required very deep knowledge of the wallet's source code.

Binance — the company that owns Trust Wallet — said the mobile app was unaffected and pledged to reimburse users who suffered losses.

Whether the two incidents are directly related remains unconfirmed. However, the overlap in tactics—browser extensions, phishing, and abuse of authorization privileges—suggests a familiar risk pattern for EVM users.

Crypto hacking losses decreased by 60% in December.

According to reports, total losses from hacking and exploiting security vulnerabilities in the crypto sector decreased sharply in December, down 60% from the previous month to approximately $76 million.

This figure represents a significant drop from the $194.2 million recorded in November, offering a rare respite after months of escalating attacks across the industry.

According to security firm PeckShield, December saw 26 major exploits, with only a few incidents accounting for the majority of the losses. The largest involved a single user losing $50 million due to an "address poisoning" scam.

In this type of attack, attackers send small-value transactions from wallet addresses that look very similar to legitimate addresses, hoping that victims will be misled into copying or selecting a transfer address.
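A defensive check for the address-poisoning pattern described above, as an added example that is not part of the original article: it compares addresses seen in transaction history against a trusted address book and flags any that match a trusted address at both ends without being identical. The function names, the four-character thresholds and every address below are constructed for illustration.

```python
import string

HEX = set(string.hexdigits.lower())

def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address and strip the 0x prefix; reject anything else."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError(f"not an EVM address: {addr!r}")
    return a

def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_lookalikes(trusted, seen, min_prefix=4, min_suffix=4):
    """Return (seen, trusted, prefix_len, suffix_len) for every address in
    `seen` that is not trusted but matches a trusted address at both ends."""
    book = {normalize(t) for t in trusted}
    hits = []
    for raw in seen:
        cand = normalize(raw)
        if cand in book:
            continue  # exact match (any letter case): the real counterparty
        for t in sorted(book):
            p = common_prefix_len(cand, t)
            s = common_prefix_len(cand[::-1], t[::-1])
            if p >= min_prefix and s >= min_suffix:
                hits.append(("0x" + cand, "0x" + t, p, s))
    return hits

# Constructed sample data, not real wallets.
TRUSTED = ["0x1111AAAABBBBCCCCDDDDEEEEFFFF00009999BEEF"]
SEEN = [
    "0x1111aaaabbbbccccddddeeeeffff00009999beef",  # trusted, different case
    "0x111122223333444455556666777788887777beef",  # same first 4 and last 4 only
    "0x2222aaaabbbbccccddddeeeeffff00009999beef",  # long shared tail, other head
]

if __name__ == "__main__":
    for seen, real, p, s in find_lookalikes(TRUSTED, SEEN):
        print(f"{seen} imitates {real} (first {p}, last {s} chars match)")
```

A flagged address should never be copied from history; the full 40 hex characters of the destination need to be compared against the trusted entry before sending.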

Last month, US prosecutors indicted Ronald Spektor, 23, of Brooklyn, on charges of stealing approximately $16 million in cryptocurrency from nearly 100 Coinbase users through phishing and social engineering schemes.

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.