
Most of the emptied wallets were tied to old compromised keys that had been exposed for years.
This week, hundreds of Ethereum wallets, many of them inactive for seven years or more, were drained in what on-chain observers called a live draining campaign tied to the same attacker addresses.
According to some, losses have already exceeded $800,000.
What happened and what we know so far
One victim, posting under the handle Capitulation.eth, was the first to sound the alarm, claiming funds had left their wallet without authorization and noting that others were also being “zeroed.”
This was confirmed by crypto analyst Wazz, who shared on-chain data showing a single address sweeping wallets whose last fund transfers dated back to 2019.
Another analyst, Specter, put the number of victims at several hundred and estimated total losses at more than $800,000. According to them, the attacker deposited 2 ETH on an exchange, likely converted to Monero, and separately bridged 324 ETH, worth approximately $734,000, to the Bitcoin network via THORChain.
What is striking about this attack is the age of the wallets involved. Specter noted that the most affected wallets were created four to eight years ago, with a few exceptions.
Community researchers largely agree that this is not a smart contract vulnerability or a token trust exploit. Developer Fitna was blunt about this:
“Old secret keys and seed phrases were leaked years ago from bad wallet apps, low randomness, stolen saves, LastPass, cloud leaks or old 2017/18 software. Hacker is now draining leftover ETH.”
Cryptographer Mikerah offered a similar reading, suggesting the pattern points to an older key generation process that used low entropy, adding that the scenario is “really scary to imagine.”
Developer Rahul Saxena used the incident to urge users to check wallets for old token approvals and highlighted revoke.cash as a tool to remove them, although Fitna and others have pointed out that approval scams are separate from what appears to be happening here.
April was already a terrible month for DeFi security
This attack took place on the final day of what analyst Abdul described as “the worst month on record for DeFi exploits,” with approximately $635 million lost in 28 incidents in 30 days.
The list ranges from a $285 million exploit at Drift on April 1 to a $5 million-plus exploit of Wasabi Protocol on the same day the dormant wallet leak was reported.
The most significant incident of the month was the April 18 KelpDAO exploit, in which attackers drained nearly $294 million from the liquid restaking protocol’s bridge contract, converting the stolen funds into ETH and spreading them across Ethereum and Arbitrum.
An attack on Syndicate Network, reported on April 29, added another $330,000 to the total when one address acquired 18.5 million SYND tokens via a bridge compromise and sold them, causing SYND to drop more than 37% in 24 hours.


