
Between 30 April and 1 May 2026, a coordinated campaign drained funds from hundreds of EVM wallets, with estimated losses exceeding $800K. This post summarizes the confirmed attack sequence and laundering chain for compliance and security teams conducting risk assessments or exchange screening.
The campaign began with a scripted, automated sweep executed from a single primary drainer address (0xA707034429c8E4E01df056C0CbCf478F0FBeFAd7), assisted by a secondary address (0xEAD93Ad9e8004d9dd25589f7a5702f5813A4d7cd). Hundreds of wallets were fully drained in a single, batched execution window, behavior inconsistent with opportunistic phishing and consistent with a pre-built target list.
The most notable pattern: affected wallets were disproportionately 4–8 years old and showed no recent user interaction prior to being drained. This age clustering is the strongest behavioral signal in the dataset. It points to offline key compromise or a curated cohort derived from historical exposure data rather than real-time credential theft.
The root cause remains unconfirmed as of this report date. Smart contract exploitation and approval/signature abuse have been effectively ruled out as primary vectors.
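For teams screening their own transfer data, the sweep pattern described above (many aged, dormant wallets emptied into one destination inside a single window) can be expressed as a simple rule. The sketch below is an added example, not tooling used for this report; the record fields, the placeholder labels, and every threshold except the 4-year minimum age are assumptions to tune against your own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_sweeps(transfers, window=timedelta(hours=48), min_sources=3,
                min_age_days=4 * 365, min_dormant_days=365, min_fraction=0.95):
    """Return {destination: [sources]} where many aged, dormant wallets sent
    nearly their whole balance to one destination inside a single window."""
    by_dest = defaultdict(list)
    for t in transfers:
        aged = (t["ts"] - t["first_seen"]).days >= min_age_days
        dormant = (t["ts"] - t["prev_activity"]).days >= min_dormant_days
        if aged and dormant and t["fraction_moved"] >= min_fraction:
            by_dest[t["dst"]].append((t["ts"], t["src"]))
    flagged = {}
    for dst, hits in by_dest.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            srcs = {src for _, src in hits[start:end + 1]}
            if len(srcs) > len(best):
                best = srcs
        if len(best) >= min_sources:
            flagged[dst] = sorted(best)
    return flagged

def row(src, dst, ts, first_seen, prev_activity, fraction_moved):
    d = datetime.fromisoformat
    return {"src": src, "dst": dst, "ts": d(ts), "first_seen": d(first_seen),
            "prev_activity": d(prev_activity), "fraction_moved": fraction_moved}

# Constructed sample transfers (labels are placeholders, not real chain data).
SAMPLE = [
    row("wallet-01", "collector-X", "2026-04-30T22:10", "2019-03-01", "2021-06-10", 1.00),
    row("wallet-02", "collector-X", "2026-04-30T22:14", "2020-07-15", "2022-01-02", 0.99),
    row("wallet-03", "collector-X", "2026-05-01T01:30", "2018-11-20", "2020-09-09", 1.00),
    # Young, recently active wallet: does not match the aged/dormant cohort.
    row("wallet-04", "collector-X", "2026-04-30T23:00", "2025-12-01", "2026-04-28", 1.00),
    # Aged and dormant, but only a partial withdrawal: not a full drain.
    row("wallet-05", "exchange-Y", "2026-04-30T21:00", "2019-05-05", "2021-01-01", 0.20),
    # Full drain from an aged wallet, but a lone source is not a batch.
    row("wallet-06", "exchange-Y", "2026-05-01T02:00", "2018-02-02", "2020-03-03", 1.00),
]

if __name__ == "__main__":
    for dst, srcs in flag_sweeps(SAMPLE).items():
        print(f"{dst}: {len(srcs)} aged dormant wallets swept -> {srcs}")
```

A hit is a triage signal rather than proof of compromise, since planned consolidations of old wallets by their owners produce the same shape.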
Stolen assets were consolidated on-chain and then exited via a structured, multi-layer laundering chain:
1. EVM consolidation: All swept funds aggregated to the primary drainer wallet.
2. Cross-chain bridge: 324.741 ETH ($734K) was bridged from EVM to Bitcoin, landing at bc1qtyqax7zt6mwfhg4fxfw9nsuz4h6xhxezzyhyjw. A small parallel EVM amount ($2,364) was routed directly to a non-KYC CEX.
3. BTC structuring: The primary BTC wallet split 9.5683 BTC across SegWit and Taproot cluster addresses in structured ~9.3–9.5 BTC batches, a deliberate operational batching pattern.
4. Exchange hops: Funds were routed through at least one non-KYC CEX and one no-KYC CEX before reaching the final obfuscation layer.
5. The majority of BTC (~$700–$722K per hop) entered Wasabi Wallet's CoinJoin mixer. A smaller branch was routed to a global CEX, suggesting a possible fiat off-ramp. A separate 2 ETH test transaction was sent to an exchange, likely to evaluate a Monero conversion pathway.


The pre-planned exit strategy, including bridging, structuring, non-KYC exchange hops, and CoinJoin usage, indicates a threat actor with operational maturity. This was not an improvised campaign. The age targeting further suggests advance preparation, whether via a leaked dataset, historical exposure, or weak entropy in early wallet software.
If you are investigating this incident or want to understand your exposure to exploit-linked fund flows across EVMs, BTC, and other supported chains, contact us to speak with our intelligence team or request a product demonstration.
--
This post is based on publicly available information and on-chain data as of 05 May 2026. Root cause attribution has not been confirmed by any wallet provider, security researcher, or law enforcement agency.