More than $107,000 in total losses have already been identified through on-chain analysis.
No specific wallet provider or exploit vector has yet been confirmed by investigators.
Attackers are siphoning small amounts under $2,000 per wallet, delaying detection and spreading risk widely.
A new on-chain alert has drawn attention to a discreet but wide-reaching crypto theft campaign affecting hundreds of users across EVM-compatible blockchains.
The warning, shared by blockchain investigator ZachXBT, points to a coordinated wallet-draining operation that has already resulted in more than $107,000 in cumulative losses.
What sets this incident apart is not the size of individual thefts, but how they are carried out. Instead of targeting large balances, the attacker appears to be siphoning relatively small sums from a large number of wallets.
Most losses remain under $2,000 per address, allowing the activity to spread quietly without drawing immediate attention from victims or monitoring systems.
A stealthy pattern emerges
The affected wallets span several EVM-compatible networks, confirming that this is not limited to a single chain or ecosystem.
Transaction data reviewed by investigators shows consistent timing and similar transfer amounts, indicating a coordinated effort rather than isolated incidents.
So far, no specific wallet provider, decentralised application, or smart contract vulnerability has been identified as the entry point. There has also been no official confirmation linking the drains to compromised software updates or phishing campaigns.
What has been established is that the stolen funds are being funnelled into related addresses, suggesting a single actor or closely connected group is responsible.
This lack of a clear exploit vector has complicated efforts to contain the issue.
Without knowing how access is being gained, users and developers are left with limited immediate options beyond heightened vigilance.
Why small losses create big risks
While the financial impact on individual users may appear limited, the method itself raises broader concerns.
By spreading theft across many wallets, attackers can delay detection and reduce the likelihood of rapid, coordinated responses.
Victims may notice missing funds days or weeks later, if at all.
The approach also underlines the persistent risks facing self-custody users who interact with multiple chains, protocols, and permissions.
Each interaction increases the surface area for potential compromise, particularly within the interconnected EVM ecosystem.
The timing of the incident has added to unease in the crypto community.
It follows a series of security breaches in late 2025 that renewed scrutiny around wallet approvals, private key management, and cross-chain activity.
Exploits remain a constant threat
This episode fits into a wider pattern of ongoing security issues across the digital asset sector.
Data from blockchain security firm PeckShield shows that December saw around 26 major crypto exploits, resulting in losses of roughly $76 million.
While that total was significantly lower than November’s $194 million, it confirms that exploit activity remains persistent.
One of the most prominent incidents during the period involved Trust Wallet, which disclosed a security issue linked to a specific version of its browser extension.
The breach, which occurred over the Christmas period, led to about $7 million in losses.
The company has since started compensating affected users and introduced updates to strengthen verification and reimbursement processes.
ZachXBT has said the wallet-draining case is still developing, with fund movements continuing to be tracked.
There is currently no confirmed explanation for how the wallets were compromised, and no single product or service has been publicly blamed.
