Over 500 dormant Ethereum wallets were systematically drained of 260 ETH (~$600,000) in a coordinated attack that exposed a critical vulnerability in long-idle key storage. Security researcher WazzCrypto flagged the incident on April 30, identifying the tagged address Fake_Phishing2831105 as the consolidation point for funds siphoned from wallets inactive for 4-8 years. The total loss across affected accounts reached approximately $800,000, with 324.741 ETH subsequently moved to THORChain Router v4.1.1. The compromise vector remains unconfirmed, leaving open questions about weak entropy in legacy wallet tools, exposed seed phrases, or historical infrastructure vulnerabilities.

Old Keys Never Sleep: The Dormancy Illusion

Dormant wallets create a false sense of security. A wallet untouched for years still carries the full attack surface of its original creation: the entropy source, the device that generated it, every software tool that touched the seed phrase, and every location where that secret may have been stored. WazzCrypto’s analysis identified 500+ wallets idle for 4-8 years before the drain occurred, suggesting attackers either recovered historical key material or exploited a single point of exposure affecting multiple early-era wallets. The pattern implicates legacy wallet tooling rather than active protocol vulnerabilities. No official statement has been released by affected wallet owners, and forensic analysts including Chainalysis and Blockaid have not published a definitive compromise vector.

April Marked by Control-Surface Failures, Not Code Bugs

The dormant wallet drain sits within a broader April pattern of exploits that targeted operational infrastructure rather than smart contract logic. Between April 21 and April 30, attackers compromised Drift Protocol (extracting $286M via signer workflow failure), KelpDAO (draining 116,500 rsETH worth ~$292M through bridge verification breakdown), and Wasabi Protocol (siphoning $4.5M-$5.5M via admin-key exposure). Across these incidents, total April losses reached $625M-$635M. Each incident abused a control surface: admin key management, signer processes, or bridge verifier access. The dormant wallet drain follows the same pattern, pointing to private-key compromise rather than contract vulnerability. The consolidation of 500+ wallet drains into a single address suggests either automated tooling or a coordinated operation targeting a shared exposure point.
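
The consolidation pattern described above, many long-idle wallets paying one address in a short burst, can be checked for in transfer records. The sketch below is an added example, not tooling used by the researchers named in the article; the addresses, dates, burst window and source threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANCY = timedelta(days=4 * 365)  # the article reports wallets idle 4-8 years
WINDOW = timedelta(days=2)          # assumed burst window
MIN_SOURCES = 3                     # assumed threshold, sized for the small sample

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample transfers (time, sender, receiver, ETH); not real chain data.
TRANSFERS = [
    (t("2017-11-05"), "funder", "wallet_c", 2.0),
    (t("2018-03-01"), "funder", "wallet_a", 1.0),
    (t("2018-03-02"), "funder", "wallet_b", 1.5),
    (t("2018-05-01"), "funder", "wallet_e", 0.7),
    (t("2019-06-10"), "wallet_b", "exchange", 0.2),
    (t("2025-03-01"), "funder", "wallet_d", 3.0),
    (t("2025-04-01"), "wallet_d", "exchange", 1.0),
    (t("2025-04-29T01:00"), "wallet_a", "sink", 1.0),
    (t("2025-04-29T02:00"), "wallet_b", "sink", 1.3),
    (t("2025-04-29T03:00"), "wallet_c", "sink", 2.0),
    (t("2025-04-29T04:00"), "wallet_d", "sink", 2.0),      # recently active, not dormant
    (t("2025-04-29T05:00"), "wallet_e", "exchange", 0.7),  # lone dormant sender
]

def find_dormant_sweeps(transfers, dormancy=DORMANCY, window=WINDOW, min_sources=MIN_SOURCES):
    """Map each receiver to the long-idle senders that paid it in one burst."""
    first_seen, last_sent = {}, {}
    hits = defaultdict(list)  # receiver -> [(time, dormant sender)], in time order
    for when, src, dst, _eth in sorted(transfers):
        # Idle time runs from the sender's last outgoing transfer, or from its
        # first appearance if it has never sent before (funded, then untouched).
        ref = last_sent.get(src, first_seen.get(src))
        if ref is not None and when - ref >= dormancy:
            hits[dst].append((when, src))
        last_sent[src] = when
        first_seen.setdefault(src, when)
        first_seen.setdefault(dst, when)
    alerts = {}
    for dst, events in hits.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward so it spans at most `window`
            burst = {s for _, s in events[start:end + 1]}
            if len(burst) >= min_sources:
                alerts[dst] = sorted(burst | set(alerts.get(dst, ())))
    return alerts

if __name__ == "__main__":
    print(find_dormant_sweeps(TRANSFERS))
```

A single dormant wallet waking up to pay an exchange does not trigger the alert; only several distinct long-idle senders converging on one receiver inside the window do.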

Legacy Tools and Seed Storage Under Scrutiny

Theories for the compromise include weak entropy in early Ethereum wallet generators, leaked seed phrases stored insecurely (LastPass exposure has been mentioned as one possibility), compromised trading-bot key handling, or private-key material exposed through now-defunct wallet services. The fact that wallets from the “earlier Ethereum era” appear concentrated in the victim set suggests a systemic vulnerability tied to specific tooling or services, not isolated user error. Blockaid and Chainalysis are conducting forensic analysis, but no confirmed cause has been disclosed. Until the compromise vector is identified, dormant wallet holders cannot assess whether their own keys remain at risk or whether the attack exploited a closed vulnerability in deprecated tools.

Next Steps: Attribution and Remediation Gaps

With 596 transactions recorded on Etherscan for the address tagged Fake_Phishing2831105 and funds flowing into THORChain, chain analysis is ongoing. The unresolved compromise vector creates a critical gap: affected wallet owners cannot determine whether to rotate keys, whether their current tools remain vulnerable, or whether the attack vector has been closed. A confirmed root cause is essential for the broader Ethereum ecosystem to assess exposure and implement targeted mitigations. Until then, the incident stands as a stark reminder that wallet security depends on the full historical chain of custody, not just current practices.