
The incident underscores the persistent vulnerability of crypto users to phishing and supply‑chain attacks, prompting immediate security actions across the DeFi ecosystem.
The recent wave of EVM wallet drains illustrates how a simple phishing email can cascade into a multi‑chain theft. Researchers traced the vector to a counterfeit MetaMask notification that lured recipients into authorizing malicious smart contracts. Because the message mimicked official branding, even seasoned users granted permissions, allowing an automated script to siphon up to $2,000 from each address. Such low‑value, high‑volume exploits are attractive to attackers seeking to stay under the radar while amassing sizable total gains across hundreds of wallets.
The operation bears a striking resemblance to the Trust Wallet breach that unfolded on Christmas, where a supply‑chain compromise of the “Sha1‑Hulud” npm package injected malicious code into the Chrome extension. That incident compromised 2,596 wallets and resulted in $7 million in losses, raising concerns about insider knowledge and code‑base integrity. Analysts now suspect the same threat actor or toolkit is being repurposed for the broader EVM attack, highlighting how vulnerabilities in one wallet ecosystem can quickly propagate to others that share similar development pipelines.
Defenders recommend immediate revocation of all smart‑contract approvals, especially for high‑risk protocols, and continuous monitoring through on‑chain analytics tools. Users are also urged to adopt hardware wallets for long‑term storage and verify email sources before clicking links. For developers, rigorous code audits, reproducible builds, and signed package distribution are essential to thwart supply‑chain infiltration. As the crypto sector grapples with these layered threats, regulatory scrutiny and industry‑wide best‑practice frameworks are likely to tighten, aiming to restore confidence among investors and custodians alike.
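As an added illustration of the approval review recommended above (example code, not from the article or any wallet vendor), the sketch below replays ERC‑20 `Approval` event logs, in the shape returned by the `eth_getLogs` JSON‑RPC call, and lists the grants a wallet has not yet set back to zero. All addresses and log entries are constructed sample values, and the helper names are hypothetical.

```python
# Added example: replay ERC-20 Approval logs to list a wallet's still-open grants.
# Event values show what was granted, not what remains; confirm with allowance().
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # "max uint256"-style grants count as unlimited

def topic_to_addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Return {(token, spender): value} for the owner's latest non-zero approvals."""
    owner = owner.lower()
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 reuses the signature with 4 topics.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_addr(topics[1]) != owner:
            continue
        value = int(log["data"], 16) if len(log["data"]) > 2 else 0
        # A later approval for the same (token, spender) pair overwrites the earlier one.
        latest[(log["address"].lower(), topic_to_addr(topics[2]))] = value
    return {pair: v for pair, v in latest.items() if v > 0}

def revoke_candidates(logs, owner):
    """Sorted (token, spender, 'unlimited' | 'limited') tuples to review and revoke."""
    return sorted((t, s, "unlimited" if v >= UNLIMITED_FLOOR else "limited")
                  for (t, s), v in open_approvals(logs, owner).items())

# --- constructed sample data (not real addresses or transactions) ---
def _pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def _log(token, owner, spender, value, block, idx):
    return {"address": token, "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(idx)}

OWNER = "0x" + "a1" * 20
TOKEN_A, TOKEN_B = "0x" + "b2" * 20, "0x" + "c3" * 20
SPENDER_X, SPENDER_Y = "0x" + "d4" * 20, "0x" + "e5" * 20
SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, SPENDER_X, 2**256 - 1, 100, 0),  # unlimited grant, never revoked
    _log(TOKEN_B, OWNER, SPENDER_Y, 5000, 101, 3),        # limited grant ...
    _log(TOKEN_B, OWNER, SPENDER_Y, 0, 140, 1),           # ... later revoked (set to 0)
    _log(TOKEN_B, OWNER, SPENDER_X, 750, 150, 2),         # limited grant, still open
]
```

Calling `revoke_candidates(SAMPLE_LOGS, OWNER)` returns the two grants that are still open; the revoked `TOKEN_B`/`SPENDER_Y` pair is dropped because its latest approval is zero.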