Hundreds of Wallets Drained in Ongoing Cross-Chain Attack, ZachXBT Warns

An active cross-chain exploit is draining hundreds of crypto wallets across multiple EVM-compatible blockchains, with losses exceeding $107,000 and climbing as the attack continues.

Blockchain investigator ZachXBT flagged the incident in the early hours of Friday, warning that victims are losing relatively small amounts per wallet (typically under $2,000), while the root cause remains unidentified.

The coordinated attack follows a devastating December for crypto security, which saw $76 million stolen across 26 major exploits, including a $50 million address poisoning scam and the Christmas Day Trust Wallet breach that drained roughly $7 million from users.

Attack Pattern Emerges Across Multiple Blockchains

ZachXBT identified a suspicious address (0xAc2***9bFB) that may be linked to ongoing thefts targeting EVM chains.

The investigator is compiling verified addresses of theft victims as more victims come forward and is requesting that affected users contact him directly via X (formerly Twitter).

The distributed attack mirrors tactics seen in recent high-profile incidents, in which attackers exploit multiple smaller wallets rather than targeting a single large holding.

This approach often evades immediate detection while maximizing total extraction across compromised accounts.

Security researchers note that the cross-chain nature suggests sophisticated infrastructure, with threat actors operating simultaneously across different blockchain networks to drain funds before victims can respond.

Beyond EVM chains, the attack methodology resembles patterns observed in address-poisoning schemes and private-key compromises that have plagued the industry over recent months.

Experts emphasize that the coordinated timing and multi-chain execution indicate well-resourced attackers capable of maintaining persistent infrastructure across various blockchain environments.

Trust Wallet Breach Highlights Broader Vulnerability Crisis

The alert comes days after Trust Wallet users faced fresh complications when the company’s Chrome extension was temporarily removed from the Chrome Web Store, delaying a crucial claims verification tool for victims of the Christmas Day hack.

Trust Wallet CEO Eowyn Chen confirmed that Google acknowledged a technical bug encountered during the new version release.

“We understand how concerning this is, and our team is actively working on the issue,” Trust Wallet stated after identifying 2,520 drained wallet addresses linked to roughly $8.5 million in stolen assets across 17 attacker-controlled wallets.

The December 25 breach stemmed from a malicious version 2.68 of Trust Wallet’s browser extension, which appeared legitimate, passed Chrome’s review process, but contained hidden code that extracted recovery phrases.

Users who installed the compromised extension and logged in between December 24 and 26 faced immediate fund outflows across multiple blockchains, including Ethereum, Bitcoin, and Solana.

Trust Wallet traced the incident to a broader supply-chain attack known as Sha1-Hulud, which surfaced in November and compromised multiple companies through exposed GitHub secrets and a leaked Chrome Web Store API key.

The attack bypassed internal approval checks, allowing direct uploads of malicious code that appeared authentic to both automated security systems and manual reviewers.

Industry Faces Human-Layer Security Crisis

Mitchell Amador, CEO of Immunefi, warns that the crypto sector confronts a fundamental security reckoning as attack vectors increasingly target operational vulnerabilities rather than smart contract code.

“The threat landscape is shifting from onchain code vulnerabilities to operational security and treasury-level attacks,” he told Cryptonews. “As code hardens, attackers target the human element.“

Despite December’s 60% month-over-month decline in hack losses to $76 million, down from November’s $194.2 million, security experts emphasize that persistent threats remain.

“Crypto is facing a security reckoning,” Amador stated. “Most hacks this year haven’t occurred due to poor audits, they’ve happened after launch, during protocol upgrades, or through integration vulnerabilities.“

Blockchain security firm PeckShield documented 26 major exploits in December, with address-poisoning scams and private-key leaks accounting for substantial losses.

One victim lost $50 million after mistakenly copying a fraudulent address that visually mimicked their intended destination.

Another major incident involved a private key leak tied to a multi-signature wallet, resulting in losses of approximately $27.3 million.

The industry’s vulnerability extends beyond technical exploits to social engineering schemes, with Brooklyn resident Ronald Spektor facing charges for allegedly stealing $16 million from roughly 100 Coinbase users by impersonating company employees.