More than 500 Ethereum wallets were drained of approximately $800,000 in a coordinated attack targeting long-dormant accounts, with the stolen funds later laundered through the cross-chain protocol ThorChain. The incident has raised new concerns about the security of older, inactive crypto holdings.
On-chain investigators at firms including LevelBlue first reported the activity on May 1, noting that the attacker systematically siphoned funds from hundreds of wallets into a single address. “Many of the drained wallets have been inactive for over 7 years,” on-chain researcher Wazz said in a post, highlighting the unusual nature of the attack, which appears to have targeted accounts created between four and eight years ago.
The attack vector remains unconfirmed, though security analysts suggest several possibilities, including the use of malware kits like StepDrainer. According to LevelBlue researchers, such tools use fake wallet connection pop-ups to trick users into approving malicious transactions. After the theft, which occurred while Ethereum traded near $2,305.00, the attacker routed the funds through ThorChain, swapping assets to complicate tracking efforts.
This exploit challenges the long-held assumption that dormant wallets are inherently safer due to their lack of interaction with new smart contracts. The incident underscores latent risks tied to outdated key management practices or private keys exposed in historical data breaches that are only now being exploited. For long-term holders, it serves as a critical reminder that wallet inactivity alone does not guarantee security in an evolving threat environment.
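A monitoring heuristic for the pattern reported above, in which many long-inactive wallets pay a single address within a short span. It is an added illustration, not code from the researchers cited; the thresholds, record layout, timestamps and placeholder addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article's sources); tune per deployment.
DORMANT_AFTER = timedelta(days=4 * 365)  # sender counts as dormant after ~4 years idle
WINDOW = timedelta(hours=24)             # sweep must land inside this span
MIN_SOURCES = 3                          # distinct dormant senders needed to alert

def find_dormant_sweeps(transfers, last_active, dormant_after=DORMANT_AFTER,
                        window=WINDOW, min_sources=MIN_SOURCES):
    """transfers: (timestamp, sender, recipient, value_eth) tuples.
    last_active: sender -> time of its last outbound tx before these transfers.
    Returns {recipient: sorted dormant senders} for each suspected sweep."""
    by_recipient = defaultdict(list)
    for ts, sender, recipient, value in transfers:
        prev = last_active.get(sender)
        # Keep only transfers that end a long period of inactivity.
        if prev is not None and ts - prev >= dormant_after:
            by_recipient[recipient].append((ts, sender, value))
    alerts = {}
    for recipient, hits in by_recipient.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            senders = {s for _, s, _ in hits[start:end + 1]}
            if len(senders) > len(best):
                best = senders
        if len(best) >= min_sources:
            alerts[recipient] = sorted(best)
    return alerts

# Constructed sample data: placeholder addresses and timestamps.
T0 = datetime(2026, 5, 1, 12, 0)
SAMPLE_LAST_ACTIVE = {
    "0xDORMANT_A": datetime(2018, 3, 1), "0xDORMANT_B": datetime(2017, 11, 20),
    "0xDORMANT_C": datetime(2019, 1, 5), "0xDORMANT_E": datetime(2018, 6, 1),
    "0xACTIVE_D": T0 - timedelta(days=10),
}
SAMPLE_TRANSFERS = [
    (T0, "0xDORMANT_A", "0xSINK", 1.2),
    (T0 + timedelta(minutes=5), "0xDORMANT_B", "0xSINK", 0.4),
    (T0 + timedelta(minutes=9), "0xDORMANT_C", "0xSINK", 2.0),
    (T0 + timedelta(minutes=12), "0xACTIVE_D", "0xSINK", 0.1),   # recently active
    (T0 + timedelta(days=3), "0xDORMANT_E", "0xOTHER", 0.5),     # lone transfer
]

if __name__ == "__main__":
    print(find_dormant_sweeps(SAMPLE_TRANSFERS, SAMPLE_LAST_ACTIVE))
```

A single dormant wallet waking up is normal; the signal is the convergence of several on one recipient inside the window.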
Attack Vector Remains Unclear
The primary mystery surrounding the wallet drain is the absence of a confirmed entry point. Unlike typical exploits tied to phishing links or malicious contract approvals, this attack has not been traced to a single vulnerability. Security researchers are exploring theories that include compromised private keys from old data leaks, vulnerabilities in outdated wallet generation software, or the use of sophisticated wallet-draining malware.
The malware-as-a-service tool StepDrainer has been identified as a potential culprit. It operates across more than 20 blockchain networks, including Ethereum, and generates authentic-looking wallet connection interfaces that trick users into signing away control of their assets. This method bypasses the need to exploit a contract flaw, instead focusing on social engineering and user error.
ThorChain Used for Laundering
Following the coordinated theft, the attacker immediately began moving the nearly $800,000 in stolen Ether and other tokens to ThorChain. The decentralized cross-chain liquidity protocol allows for asset swaps between different blockchains, such as Ethereum and Bitcoin, without relying on a centralized intermediary.
By converting the stolen ETH into other assets and moving them across chains, the attacker fragmented the transaction trail, making it significantly harder for investigators to trace and recover the funds. This tactic is common in DeFi exploits, highlighting the dual-use nature of decentralized infrastructure.
The incident has put downward pressure on Ethereum's price, which was trading at $2,305.00, up 1.78% in the 24 hours following the news, according to data from Forbes. The asset faces immediate technical resistance at its 5-day and 10-day moving averages, around $2,308 and $2,320 respectively, with a key support level at $2,200.