More than 500 long-dormant Ethereum mainnet wallets were drained on April 30, with on-chain records showing roughly 260 ETH (about $600,000) moved into a single tagged address labeled Fake_Phishing2831105. Total losses across the cluster sit closer to $800,000, with the receiving Etherscan entry recording 596 transactions and a 324.741 ETH transfer through THORChain Router v4.1.1 in the same window. The wallets share one profile: years of inactivity, some dating back four to eight years, with no obvious fresh-baiting pattern that would point to a hot-wallet phishing campaign.
Why it matters
The drain stands out because the compromise vector is unresolved. Protocol exploits usually give investigators a contract, a function call, or a privileged transaction to inspect; here the central question sits at the wallet layer. Public discussion has surfaced theories ranging from weak entropy in legacy wallet tools and compromised mnemonics to trading-bot key handling and LastPass-era seed storage, with one affected user personally raising the LastPass lead. The case lands inside April's broader pattern — DefiLlama's API logged 28 incidents totaling $635,241,950 by May 1 — where the underlying control failures kept appearing at the operational layer rather than in contract code.
Market impact
The market signal is concentrated in user-side practice. A wallet's safety depends on the full history of its key — the seed phrase, the device that generated it, the software that touched it, and every place the secret may have lived — and idleness does not mitigate any of that. Users holding value in old wallets are being told to generate fresh keys through trusted hardware before moving funds, and never to enter old seeds into checkers, scripts, or unfamiliar recovery tools. Revoking protocol approvals helps for exposure surfaces like Wasabi's recent admin-key exploit, but a direct wallet drain points first at key security rather than at token approvals. The next quarter, per the broader April read, will reward constrained upgrade powers, visible timelocks, independent bridge verifiers, and disciplined key rotation over decentralization language that masks concentrated control.
Frequently asked questions
-
How many Ethereum wallets were drained in the Apr 30 incident?
More than 500 dormant Ethereum mainnet wallets were swept on Apr 30, with the on-chain tagged address showing roughly 260 ETH (~$600K) in confirmed movement and total losses closer to $800K.
-
Why is the dormant-wallet drain hard to investigate?
Protocol exploits usually expose a contract, function call, or privileged transaction for forensic review; here the compromise path sits at the wallet layer — old keys, seeds, devices, or storage — and the vector has not been confirmed.
-
Could the LastPass breach be connected to these wallet drains?
Public discussion has surfaced LastPass-era seed storage as one theory, and one affected user personally raised it, but no forensic confirmation has linked the cluster to the 2022 LastPass incident.
-
How does this drain compare with April's broader DeFi exploit tally?
By May 1 DefiLlama's API logged 28 April incidents totaling $635,241,950 across DeFi, with the dormant-wallet drain the user-facing counterpart to protocol-level failures like Wasabi, Drift, and KelpDAO.
-
What should users holding value in old Ethereum wallets do now?
Generate fresh keys through trusted hardware or modern wallet software before moving funds, never enter old seeds into checkers or unfamiliar recovery tools, and treat the root cause as provisional until forensic work identifies a common exposure source.
CryptoSlate