New ‘Micro-Drain’ Attack Hits EVM Chains; $107K Siphoned from Small Wallets
A stealthy new exploit is targeting the ‘long tail’ of crypto users, draining under $2,000 per wallet to avoid detection.
A coordinated wallet-draining operation is sweeping across EVM-compatible networks, targeting hundreds of users for relatively small sums in what appears to be a calculated effort to evade detection.
On-chain investigator ZachXBT alerted the market to the campaign on Jan. 2, noting that the attacker is systematically siphoning funds from self-custody wallets on Ethereum, BNB Chain, and Base. Unlike typical high-profile exploits that target whales or protocol treasuries, this entity is executing a high-volume, low-value strategy, draining less than $2,000 per victim.
It appears hundreds of wallets are currently being drained on various EVM chains for small amounts (<$2k total per victim) with a root cause not yet identified.
The Numbers
Aggregate losses currently sit at approximately $107,000 and are rising. The attacker’s address (0xAc2e...9bFB) is consolidating funds from at least 20 different blockchains.
Breakdown of the drained assets:
- Ethereum: ~$54,655 (51% of total)
- BNB Chain: ~$25,545 (24%)
- Base: ~$8,688 (8%)
- Remainder: scattered across Arbitrum, Polygon, Optimism, and Avalanche.
Vectors: Phishing vs. Supply Chain
The root cause remains unconfirmed, but evidence points to a multi-pronged social engineering campaign. Community reports indicate a wave of sophisticated phishing emails impersonating MetaMask that urge users to perform an immediate “security upgrade,” a classic lure: legitimate wallet updates ship through the browser’s extension store and never require entering a seed phrase on an emailed link.
However, the scope suggests a broader compromise. Blockchain analytics firm Nansen and ZachXBT have noted potential links between this attacker and the recent Trust Wallet browser extension compromise (version 2.68), which resulted in over $7 million in losses in late December. If infrastructure or laundering addresses are being reused, the same threat actor may be harvesting keys that leaked in that supply-chain breach.
The Strategy: Evasion by Design
Security researchers classify this as a “smurfing” (structuring) style attack; some reports also call it “dusting,” although that term more commonly describes sending tiny amounts to many addresses rather than draining them. By keeping individual thefts under roughly $2,000, the attacker stays below the per-transfer thresholds of automated alerts from major security bots and whale trackers, which typically filter for six-figure movements. This allows the operation to persist longer before centralized exchanges or stablecoin issuers can blacklist or freeze the destination addresses. The detection gap is in the primitive, not the data: a rule keyed on the size of a single transfer cannot see a campaign whose signature is many small transfers fanning in to one consolidation address.
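As an added illustration of that detection gap (example code written for this page, not part of the original report or of any named firm’s tooling), the following Python script runs a per-transfer whale rule and a per-recipient fan-in rule over a constructed set of transfers. Every address, amount, chain label and threshold in it is hypothetical; the only figure borrowed from the article is the roughly $2,000 per-victim ceiling.

```python
"""Added example: catching a low-value, high-volume drain by aggregating
inbound transfers per recipient instead of alerting on single large moves.

All transfer records, addresses and thresholds below are constructed for
illustration and are not real on-chain data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One token/ETH transfer, already normalised to a USD value."""
    chain: str
    sender: str
    recipient: str
    usd_value: float


def build_sample_transfers():
    """Constructed sample (hypothetical addresses and amounts).

    30 victims on three chains each lose between $1,000 and $1,870 to one
    consolidation address, alongside ordinary shop traffic and one
    legitimately large transfer to an exchange.
    """
    transfers = []
    chains = ["ethereum", "bnb", "base"]
    for i in range(30):
        transfers.append(Transfer(chains[i % 3], f"0xvictim{i:02d}", "0xdrainer", 1000.0 + 30 * i))
    for i in range(3):
        transfers.append(Transfer("ethereum", f"0xcustomer{i}", "0xshop", 500.0))
    transfers.append(Transfer("ethereum", "0xfund", "0xexchange", 250_000.0))
    return transfers


SAMPLE_TRANSFERS = build_sample_transfers()

WHALE_THRESHOLD_USD = 100_000.0   # per-transfer cutoff of a typical whale tracker (assumed)
EVASION_CEILING_USD = 2_000.0     # per-victim ceiling the article reports


def whale_alerts(transfers, threshold=WHALE_THRESHOLD_USD):
    """Per-transfer rule: fires only when a single movement is large."""
    return [t for t in transfers if t.usd_value >= threshold]


def aggregate_small_inflows(transfers, ceiling=EVASION_CEILING_USD):
    """Per-recipient fan-in: total value, distinct senders and distinct chains.

    Only transfers at or below the ceiling are counted, so ordinary large
    transfers do not dominate the totals and the rule keys on the
    many-small-senders pattern rather than on value alone.
    """
    totals = defaultdict(float)
    senders = defaultdict(set)
    chains = defaultdict(set)
    for t in transfers:
        if t.usd_value <= ceiling:
            totals[t.recipient] += t.usd_value
            senders[t.recipient].add(t.sender)
            chains[t.recipient].add(t.chain)
    return {r: (totals[r], len(senders[r]), len(chains[r])) for r in totals}


def drain_alerts(transfers, min_senders=10, min_total_usd=10_000.0, min_chains=2):
    """Flag recipients collecting sub-ceiling amounts from many distinct senders
    across several chains. The thresholds are illustrative, not tuned."""
    hits = []
    for recipient, (total, n_senders, n_chains) in aggregate_small_inflows(transfers).items():
        if n_senders >= min_senders and total >= min_total_usd and n_chains >= min_chains:
            hits.append((recipient, round(total, 2), n_senders, n_chains))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    print("whale rule:", [(t.recipient, t.usd_value) for t in whale_alerts(SAMPLE_TRANSFERS)])
    print("fan-in rule:", drain_alerts(SAMPLE_TRANSFERS))
```

On the constructed sample the whale rule sees only the $250,000 exchange deposit and never the drainer, while the fan-in rule flags the consolidation address with 30 senders and about $43,050 across three chains; the shop address, with three senders, stays below the fan-in threshold. In production the same aggregation would be keyed on a sliding time window and fed from an indexer, and the thresholds tuned against normal exchange-deposit fan-in, which is the main false-positive source for this rule.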