An attacker has siphoned funds from hundreds of crypto wallets across Ethereum Virtual Machine (EVM)–compatible networks, draining small amounts from each address in what onchain investigator ZachXBT described as a broad, low-value operation. Key Takeaways: Hundreds of EVM wallets were drained in a coordinated, low-value attack, with losses typically under $2,000 per address. Security firms warn the exploit appears automated and may involve phishing emails spoofing MetaMask and malicious browser extensions. The incident echoes recent wallet hacks despite overall crypto exploit losses falling sharply in December. While individual losses were limited, typically under $2,000 per wallet, the incident’s scope points to a coordinated campaign rather than an isolated breach. According to ZachXBT, affected wallets span multiple EVM chains, suggesting the attacker cast a “wide net” to capture modest sums at scale. Hackless Warns Automated Attack Behind EVM Wallet Drains Cybersecurity firm Hackless echoed that assessment, warning users that the activity appears automated and urging immediate steps such as revoking smart contract approvals and closely monitoring wallet activity. Early clues indicate a phishing vector may have played a role. Cybersecurity researcher Vladimir S. said a spoofed email posing as legitimate communication from MetaMask could have lured users into granting approvals or signing malicious transactions. Screenshots shared on social media showed an email closely mimicking official branding, a tactic designed to lower suspicion and accelerate compromise. Possible start of a large-scale hack. According to @zachxbt , hundreds of wallets across multiple EVM chains are currently being drained in small amounts (under $2k per victim). The root cause is still unknown. ~$107,000 stolen so far – and the number is still rising. Suspicious… pic.twitter.com/ZLkZ3RM4zG — Hackless (@hackless_defi) January 2, 2026 The wallet drain may also be linked to a separate incident involving Trust Wallet, which reported a $7 million hack on Christmas Day. That breach compromised roughly 2,596 wallets and was later tied to a supply-chain attack known as “Sha1-Hulud,” which targeted npm packages widely used by crypto developers. Trust Wallet’s incident report said leaked developer secrets from GitHub allowed an attacker to modify the wallet’s browser extension and upload a malicious version to the Chrome Web Store. Industry figures have suggested insider access could have been a factor in the Trust Wallet case. Blockchain adviser Anndy Lian called the circumstances “not natural,” while Binance co-founder and former CEO Changpeng Zhao said the attack likely required deep knowledge of the wallet’s source code. Binance, which owns Trust Wallet, said the mobile app was unaffected and committed to reimbursing impacted users. Whether the two incidents are directly connected remains unconfirmed. Still, the overlap in tactics,browser extensions, phishing, and approval abuse, shows a familiar risk pattern for EVM users. Crypto Hack Losses Fell 60% in December As reported, crypto-related losses from hacks and cybersecurity exploits fell sharply in December , dropping 60% month-on-month to about $76 million. The figure marks a notable decline from November’s $194.2 million, offering a rare pause after months of elevated attack activity across the sector. PeckShield said December saw 26 major crypto exploits, with a handful of incidents accounting for the bulk of losses. The largest involved a single user who lost $50 million in an address poisoning scam. In such attacks, threat actors send small transactions from wallet addresses that closely resemble legitimate ones, hoping victims will mistakenly copy or select the fraudulent address during a transfer. Last month, US prosecutors have charged a 23-year-old Brooklyn resident , Ronald Spektor, with stealing roughly $16 million in cryptocurrency from around 100 Coinbase users through an alleged phishing and social engineering scheme. The post Attacker Drains Hundreds of EVM Wallets in “Wide-Net” Crypto Exploit appeared first on Cryptonews .
