ZachXBT Flags Ongoing EVM Wallet Exploit Draining More Than $107,000

On-chain investigator ZachXBT alerted the market to an active exploit draining wallets across multiple EVM-compatible chains, with reported cumulative losses exceeding $107,000. The disclosure positioned the incident as a live, cross-chain wallet-drain campaign rather than a closed post-mortem.

The attacker relied on a distributed, low-value strategy, typically taking under $2,000 per wallet. Amounts that small sit below the large-transfer thresholds most monitoring is tuned to, which made detection harder and raised operational and compliance risk for treasuries, custodians, and VASP operators. The defining feature was stealth through fragmentation: many small losses that individually look unremarkable but accumulate into material exposure.

Attack Profile and Mechanism

The incident was characterized by many small outflows instead of a single large theft, with a likely aggregation hub identified as 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB. Early analysis framed the campaign as a combination of social engineering and permission abuse that enabled repeated unauthorized transfers.

Reported vectors included phishing that impersonated wallet providers, including fake “upgrade” prompts designed to mimic MetaMask, alongside exploitation of existing token approvals previously granted by users. This hybrid approach allowed attackers to keep withdrawals modest per victim while scaling impact through volume across many wallets.

The pattern was contrasted with a late-2025 browser-extension incident tied to a single provider, where per-wallet losses were larger; this campaign instead emphasized stealth and repetition. The shift suggests tradecraft deliberately tuned to stay under per-transaction alert thresholds by keeping each individual drain small.

Operational Impact and Compliance Implications

For compliance teams and VASP operators, the situation points to two immediate priorities: approvals governance and monitoring tuned for high-frequency, low-value anomalies. Effective surveillance must be capable of linking small outflows into an aggregated risk picture across wallets and chains.
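The aggregation logic described above, as an added example that is not part of the original report or of any tool it names. The transfer records are constructed and the addresses are placeholders; in practice the records would come from decoded ERC-20 Transfer and native-value transfers pulled from each chain's indexer. The rule looks only at transfers that stay under a per-transaction ceiling, then asks which destinations collect them from many distinct senders on several chains, so a campaign that never trips a large-transfer alert still surfaces as one aggregation picture.

```python
"""Aggregation-aware monitoring for many-small-outflow drains.

Added example for this article, not code from ZachXBT or any monitoring
product. Transfer records below are constructed; addresses are placeholders.
"""
from collections import defaultdict

# Hypothetical addresses (constructed, not from the investigation)
HUB = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"               # suspected aggregation address
EXCHANGE_DEPOSIT = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"  # known exchange hot wallet
TREASURY = "0xcccccccccccccccccccccccccccccccccccccccc"
V1, V2, V3, V4 = ("0x" + f"{i:040x}" for i in (1, 2, 3, 4))       # victim wallets
U1, U2, U3 = ("0x" + f"{i:040x}" for i in (11, 12, 13))           # ordinary exchange users

# Constructed sample: each record is one outflow, already converted to USD.
SAMPLE_TRANSFERS = [
    {"chain": "ethereum", "tx": "0x01", "from": V1, "to": HUB, "usd": 1500.0},
    {"chain": "polygon",  "tx": "0x02", "from": V1, "to": HUB, "usd": 600.0},
    {"chain": "arbitrum", "tx": "0x03", "from": V2, "to": HUB, "usd": 900.0},
    {"chain": "bsc",      "tx": "0x04", "from": V3, "to": HUB, "usd": 1800.0},
    {"chain": "ethereum", "tx": "0x05", "from": V4, "to": HUB, "usd": 1200.0},
    # Benign look-alike: many small deposits to an exchange, but on one chain only
    {"chain": "ethereum", "tx": "0x06", "from": U1, "to": EXCHANGE_DEPOSIT, "usd": 700.0},
    {"chain": "ethereum", "tx": "0x07", "from": U2, "to": EXCHANGE_DEPOSIT, "usd": 800.0},
    {"chain": "ethereum", "tx": "0x08", "from": U3, "to": EXCHANGE_DEPOSIT, "usd": 900.0},
    # A single large transfer: ordinary large-value alerting covers it, this rule ignores it
    {"chain": "ethereum", "tx": "0x09", "from": V2, "to": TREASURY, "usd": 50000.0},
]


def find_aggregation_hubs(transfers, max_per_tx_usd=2000.0, min_sources=3,
                          min_chains=2, min_total_usd=2000.0, known_addresses=()):
    """Return destinations that collect sub-threshold outflows from many distinct
    senders across several chains. Every transfer counted here is individually
    below max_per_tx_usd, so a per-transaction threshold alone would never fire."""
    known = {a.lower() for a in known_addresses}
    stats = defaultdict(lambda: {"sources": set(), "chains": set(), "txs": [], "total_usd": 0.0})
    for t in transfers:
        if t["usd"] > max_per_tx_usd:
            continue  # large transfers are out of scope for the low-value rule
        dest = t["to"].lower()
        if dest in known:
            continue  # allow-listed deposit address (exchange, bridge, own treasury)
        s = stats[dest]
        s["sources"].add(t["from"].lower())
        s["chains"].add(t["chain"])
        s["txs"].append((t["chain"], t["tx"]))
        s["total_usd"] += t["usd"]
    hubs = {}
    for dest, s in stats.items():
        if (len(s["sources"]) >= min_sources and len(s["chains"]) >= min_chains
                and s["total_usd"] >= min_total_usd):
            hubs[dest] = {
                "distinct_sources": len(s["sources"]),
                "chains": sorted(s["chains"]),
                "tx_count": len(s["txs"]),
                "total_usd": round(s["total_usd"], 2),
                "txs": s["txs"],  # evidence to preserve for the incident record
            }
    return hubs


def victim_exposure(transfers, hub):
    """Per-sender totals into one hub: the figure that matters to a treasury whose
    wallets each lost 'only' a small amount."""
    hub = hub.lower()
    totals = defaultdict(float)
    for t in transfers:
        if t["to"].lower() == hub:
            totals[t["from"].lower()] += t["usd"]
    return dict(totals)


if __name__ == "__main__":
    for dest, info in find_aggregation_hubs(SAMPLE_TRANSFERS).items():
        print(f"hub {dest}: {info['distinct_sources']} senders, {info['tx_count']} txs "
              f"on {info['chains']}, ${info['total_usd']:,.2f}")
        for sender, usd in victim_exposure(SAMPLE_TRANSFERS, dest).items():
            print(f"  {sender} -> ${usd:,.2f}")
```

The chain-diversity requirement is what keeps an exchange deposit address, which also receives many small transfers from many users, from being flagged; where a single-chain rule is wanted, the `known_addresses` allow-list has to carry the weight instead, and the `txs` list should be kept with the alert rather than just the totals, since those transaction identifiers are the evidence later needed for tracing and reporting.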

Practical mitigations cited include revoking old token approvals through regular approval audits, treating unsolicited messages and links with strict caution given the phishing component, moving high-value holdings to hardware wallets or fresh addresses when compromise is suspected, and increasing monitoring cadence for small-value drains. Two caveats apply. Revoking an approval is itself an on-chain transaction signed by the wallet, and it only closes the approval-abuse path: if the wallet's private key or seed phrase has been exposed, the attacker can transfer directly regardless of approvals, so funds should be moved first and the old address abandoned. And a revoke sets the allowance to zero for one spender on one token, so an audit has to cover every token and chain the wallet has ever interacted with. These measures strengthen custody hygiene while preserving cleaner forensic trails for tracing flows to suspected aggregation addresses.
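An approval audit of the kind the mitigations above call for, covering the approval-abuse vector described under the attack mechanism, as an added example that is not code from ZachXBT, MetaMask, or any revocation service. It replays ERC-20 `Approval` event logs for one owner to reconstruct which allowances are still outstanding, then ABI-encodes the `approve(spender, 0)` call that revokes each one. The event topic and function selector are the standard ERC-20 values; the logs are constructed in the shape `eth_getLogs` returns, the addresses are placeholders, and fetching real logs or sending the revoke transactions is left to the caller's RPC client.

```python
"""Offline ERC-20 allowance audit and revocation planner.

Added example for this article, not code from ZachXBT, MetaMask or any
revocation service. Logs are constructed; addresses are hypothetical.
"""

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte function selector of approve(address,uint256)
APPROVE_SELECTOR = "0x095ea7b3"
MAX_UINT256 = (1 << 256) - 1


def _topic(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _addr(topic):
    """Recover the address from a 32-byte topic (last 20 bytes)."""
    return "0x" + topic[-40:].lower()


# Hypothetical addresses (constructed)
OWNER   = "0x0101010101010101010101010101010101010101"  # wallet being audited
OTHER   = "0x0202020202020202020202020202020202020202"  # someone else's wallet
TOKEN_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
TOKEN_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
DEX     = "0xdddddddddddddddddddddddddddddddddddddddd"  # router once used, since revoked
DRAINER = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"  # spender granted via a phishing prompt
VAULT   = "0xffffffffffffffffffffffffffffffffffffffff"  # spender holding a small allowance


def _log(token, owner, spender, value, block, idx):
    """Build one Approval log in eth_getLogs shape (constructed sample data)."""
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)],
            "data": "0x" + f"{value:064x}"}


SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, DEX, MAX_UINT256, 100, 3),      # unlimited approval to a router
    _log(TOKEN_B, OWNER, DRAINER, MAX_UINT256, 110, 0),  # unlimited approval granted by phishing
    _log(TOKEN_A, OWNER, DEX, 0, 120, 1),                # later revoked: latest value wins
    _log(TOKEN_A, OTHER, DRAINER, MAX_UINT256, 125, 2),  # different owner: ignored
    _log(TOKEN_A, OWNER, VAULT, 10 * 10**18, 130, 0),    # small, but still outstanding
]


def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order; the last value seen per (token, spender)
    is the current allowance. Returns only the non-zero entries."""
    owner_topic = _topic(owner)
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if (len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC
                or topics[1].lower() != owner_topic):
            continue
        key = (log["address"].lower(), _addr(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, 32-byte padded address, 32-byte zero."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def plan_revocations(logs, owner, keep=()):
    """One transaction per outstanding allowance not in `keep`. Unlimited approvals
    come first: each one puts the wallet's entire balance of that token at risk."""
    keep = {k.lower() for k in keep}
    plan = []
    for (token, spender), value in outstanding_allowances(logs, owner).items():
        if spender in keep:
            continue
        plan.append({"to": token, "data": revoke_calldata(spender), "spender": spender,
                     "allowance": value, "unlimited": value == MAX_UINT256})
    plan.sort(key=lambda p: (not p["unlimited"], p["to"], p["spender"]))
    return plan


if __name__ == "__main__":
    for tx in plan_revocations(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if tx["unlimited"] else str(tx["allowance"])
        print(f"send to {tx['to']} data={tx['data']}  # revoke {tx['spender']} ({flag})")
```

Reconstructing allowances from logs is a fast first pass, not ground truth: some token implementations emit `Approval` on `transferFrom` and others do not, and non-standard tokens may emit nothing at all, so before and after sending each revoke the planner's view should be confirmed with an `allowance(owner, spender)` call against the token contract. Each revoke is a signed transaction from the audited wallet, which is why this only helps while the key itself is still private.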

While the investigation continues, treasury teams and custodians are prioritizing permission hygiene and enhanced on-chain monitoring as near-term corrective actions. The practical test will be whether teams can revoke obsolete approvals quickly, contain further losses, and preserve evidence in a form that satisfies incident-response and reporting requirements.
