Monday, January 26, 2026

Mysterious EVM Drainer Targets Small Wallets; Connection to ‘Shai-Hulud’ Attack Suspected

A coordinated draining campaign linked to the Trust Wallet ‘Shai-Hulud’ attacker is siphoning small amounts from hundreds of EVM wallets, bypassing typical security alerts.

A silent, high-volume wallet draining campaign is actively siphoning funds across multiple EVM chains, with on-chain data suggesting a direct link to the recent Trust Wallet supply chain compromise. Unlike typical nine-figure bridge exploits, this campaign targets everyday users with balances under $2,000, accumulating over $107,000 in illicit gains so far.

The ‘Death by a Thousand Cuts’ Vector

On-chain investigator ZachXBT first flagged the anomaly, noting a pattern of small, rapid withdrawals across Ethereum, BNB Chain, and Base. The attacker’s strategy marks a distinct pivot from high-value protocol exploits to mass, low-value targeting. By keeping individual thefts below the $2,000 threshold, the perpetrator avoids triggering automated whale alerts and large-scale security responses.

The specific entry point for this new wave remains unconfirmed. While the Trust Wallet incident involved a malicious Chrome extension (v2.68), victims in this current cohort have not yet been unified by a single dApp or approval vector. However, the absence of a clear "smoking gun", such as a phishing link or compromised smart contract, has led investigators to suspect a broader leakage of private keys or a lingering backdoor from the initial supply chain event.

The Shai-Hulud Connection

Forensic analysis links the draining wallets to the "Shai-Hulud" supply chain attack that struck Trust Wallet users over Christmas. Trust Wallet previously acknowledged that the attacker controlled 17 specific addresses used to drain roughly $8.5 million. Data indicates these same addresses are now interacting with the new victim pool, suggesting the adversary is either monetizing previously dormant compromised keys or has expanded their infrastructure.

"The attacker is targeting a large number of wallets for relatively small sums… losses typically under $2,000 per victim."

The primary attacker address identified in the campaign is 0xAc2e5153170278e24667a580baEa056ad8Bf9bFB. Users observing interactions with this address should revoke approvals immediately.
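A defender-side detection heuristic for the pattern described in this article (many sub-$2,000 drains that slip past per-transaction whale alerts), added here as example code that is not from the article or any investigator named in it. The recipient address is the one the article reports; every other address, the thresholds and the transfer values are constructed assumptions.

```python
"""Aggregate-level detection for low-value, high-volume draining.

Hypothetical example: per-transfer whale alerts ignore each sub-$2,000
theft, so instead group transfers by recipient and alert on the number
of distinct senders and the running total flowing to that recipient.
"""
from collections import defaultdict
from dataclasses import dataclass

# Attacker address reported in the article; all other addresses are constructed.
KNOWN_DRAINER = "0xAc2e5153170278e24667a580baEa056ad8Bf9bFB".lower()

PER_TX_WHALE_USD = 2_000.0      # what a typical per-transaction alert watches
MIN_DISTINCT_VICTIMS = 25       # aggregate thresholds (assumed values)
MIN_TOTAL_USD = 10_000.0

@dataclass
class Transfer:
    chain: str
    sender: str
    recipient: str
    usd_value: float

def find_drainers(transfers, min_victims=MIN_DISTINCT_VICTIMS, min_total=MIN_TOTAL_USD):
    """Return {recipient: (distinct_senders, total_usd, chains)} for recipients
    that collect many small transfers from many distinct senders."""
    senders = defaultdict(set)
    totals = defaultdict(float)
    chains = defaultdict(set)
    for t in transfers:
        if t.usd_value >= PER_TX_WHALE_USD:
            continue  # large transfers are already covered by whale alerts
        r = t.recipient.lower()
        senders[r].add(t.sender.lower())
        totals[r] += t.usd_value
        chains[r].add(t.chain)
    return {r: (len(senders[r]), round(totals[r], 2), sorted(chains[r]))
            for r in senders
            if len(senders[r]) >= min_victims and totals[r] >= min_total}

def build_sample():
    """Constructed transfers: 40 small drains to the reported address spread over
    three chains, plus ordinary small payments and one large deposit that must not trigger."""
    sample = []
    for i in range(40):
        chain = ("ethereum", "bnb", "base")[i % 3]
        sample.append(Transfer(chain, f"0xvictim{i:03d}", KNOWN_DRAINER, 300.0 + i * 25))
    for i in range(10):
        sample.append(Transfer("ethereum", f"0xuser{i:02d}", "0xmerchant", 50.0))
    sample.append(Transfer("ethereum", "0xwhale", "0xexchange", 250_000.0))
    return sample
```

On the constructed sample only the reported address is flagged, with 40 distinct senders and $31,500 total across the three chains, while the merchant and exchange recipients stay below the aggregate thresholds.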

Institutional Context: The Shift to Supply Chain Warfare

This incident reinforces a troubling trend in 2025: the weaponization of developer tools against retail users. The "Shai-Hulud" malware did not attack the blockchain consensus but rather the developer environment (GitHub secrets), allowing the injection of malicious code into trusted software updates. For the market, this implies that protocol audits are no longer sufficient; the risk has migrated to the CI/CD pipelines of wallet providers themselves.