This week, hundreds of Ethereum wallets — many of them dormant for seven years or more — were emptied in a coordinated on-chain campaign linked to the same attacker addresses.
Observers tracking the activity estimate losses have already exceeded $800,000.
What Happened and What We Know So Far
The first public alarm came from a user known as Capitulation.eth, who reported that funds had departed their wallet without authorization and warned that other addresses were being “zeroed out.” On-chain analysts quickly corroborated the claim.
Crypto researcher Wazz shared on-chain data showing a single address systematically sweeping funds from wallets that last moved assets as far back as 2019. Another researcher, Specter, put the number of victims in the hundreds and the estimated total loss above $800,000.
Specter’s breakdown suggests the attacker deposited 2 ETH to an exchange — likely converting it to a privacy coin such as Monero — and bridged about 324 ETH, valued at roughly $734,000, out of Ethereum through Thorchain to the Bitcoin network. The flow of funds indicates an attempt to quickly obfuscate and cash out the proceeds.
What stands out is the age of the compromised wallets. Most affected addresses appear to have been created between four and eight years ago, with very few recent wallets among the victims. That pattern shifted attention away from recent smart contract bugs or token approval scams toward a failure rooted in key generation or key storage practices from years past.
Developers and cryptographers examining the incident emphasize that this does not look like a smart contract vulnerability or a token approval exploit. Developer Fitna summarized the likely cause: old private keys and seed phrases leaked years ago through insecure wallet apps, weak randomness during key generation, stolen backups, compromised password managers like LastPass, cloud leaks, or antiquated 2017–2018 wallet software. In short, attackers are now sweeping out leftover ETH from long-dormant accounts.
Cryptographer Mikerah echoed this interpretation, suggesting the pattern points to legacy key-generation processes that used weak entropy. They described the prospect as “really scary to think about,” since it implies broad exposure of keys created under inferior security assumptions.
Developer Rahul Saxena used the event to urge users to audit their wallets for old token approvals and recommended tools such as revoke.cash to remove lingering approvals. However, several analysts made clear that token approval removal is a separate mitigation and does not address the apparent root cause here — compromised private keys or seed phrases.
April Was Already a Terrible Month for DeFi Security
This wallet-draining campaign occurred on the final day of what one analyst called “the worst month ever in terms of DeFi exploits.” April saw roughly $635 million lost across 28 incidents over 30 days, a grim reminder of the scale and frequency of attacks targeting decentralized finance.
The month’s incidents ranged widely in severity. On April 1, a major exploit at Drift resulted in a roughly $285 million loss. That same day, Wasabi Protocol suffered a multi-million-dollar hit. Mid-month, on April 18, KelpDAO experienced the largest single loss of the month when attackers drained nearly $294 million from the liquid restaking protocol’s bridge contract, converting the stolen assets into ETH and dispersing them across Ethereum and Arbitrum.
Later in the month, Syndicate Network reported a bridge compromise that added another roughly $330,000 to the month’s toll. An address obtained 18.5 million SYND tokens through the bridge issue, sold them, and drove the token down more than 37% within 24 hours.
Together, these incidents paint a worrying picture: threats to DeFi and crypto users are diverse and persistent. While some high-profile losses stem from protocol-level vulnerabilities and bridging exploits, other damaging incidents arise from legacy operational weaknesses — such as outdated key generation methods, insecure wallet software, and poor key management practices. The recent drain of long-dormant Ethereum wallets highlights how historical security flaws and leaked credentials can continue to produce losses years after they were created.
For users, the immediate takeaway is to prioritize secure key management: migrate funds from ancient wallets, avoid reusing old seed phrases, verify wallet software provenance, and consider hardware or other air-gapped storage for long-term holdings. While tools to revoke token approvals and review contract permissions remain useful, they cannot protect keys that are already compromised. The community response to this episode is likely to focus not only on forensic tracing and recovery efforts but also on education and improved standards for how wallets generate and protect private keys.