On April 30, blockchain investigator WazzCrypto flagged a chilling discovery on Ethereum mainnet: hundreds of long-dormant wallets had been systematically drained into a single tagged address, turning old key exposure into one of the sharpest crypto security warnings of the year. By May 1, the scale of the incident became clear — over 500 wallets, some idle for four to eight years, had been quietly emptied of approximately 260 ETH, worth roughly $600,000 at current prices near $2,295 per ether. Total losses across affected wallets approached $800,000.
The Exploit Mechanics
The attacker consolidated drained funds into an Etherscan-labeled address tagged Fake_Phishing2831105, which recorded 596 transactions and moved approximately 324.741 ETH through the THORChain Router v4.1.1 during the April 30 window. Unlike typical DeFi exploits that target smart contract vulnerabilities, this attack operated at the wallet layer itself. The affected wallets shared a common pattern: they were old, largely untouched accounts that had been quiet for years before suddenly activating and transferring their entire balances to the attacker’s collection address.
What makes this attack particularly concerning is the absence of a clear compromise vector. The wallets did not interact with any new phishing contracts or suspicious dApps before being drained. Instead, the attacker appears to have obtained private keys or seed phrases through historical exposure — potentially from weak entropy in legacy wallet generation tools, compromised mnemonic storage, or leaked key material from earlier breaches. Multiple affected users have raised the possibility that the compromise traces back to the 2022 LastPass breach, where encrypted vault data was exfiltrated and has been slowly cracked by attackers over the intervening years.
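The on-chain pattern described in this section, years-idle accounts suddenly sending their entire balance to one address, can be written as a detection rule. This is an added example, not code from the article or from any tool it names; the record fields, the thresholds and the sample transfers (including the placeholder address labels) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

YEAR, ETH = 365 * 24 * 3600, 10**18

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value_wei: int
    balance_before_wei: int  # sender balance just before this transfer
    timestamp: int           # unix seconds of this transfer
    prev_activity: int       # unix seconds of the sender's previous transaction

def is_dormant_sweep(t, min_idle=4 * YEAR, min_fraction=0.95):
    """True when a long-idle account sends nearly its whole balance (gas keeps it under 100%)."""
    idle = t.timestamp - t.prev_activity
    swept = t.balance_before_wei > 0 and t.value_wei >= min_fraction * t.balance_before_wei
    return idle >= min_idle and swept

def find_consolidation(transfers, window=24 * 3600, min_senders=3):
    """Map each recipient to the dormant senders that swept into it inside one time window."""
    by_recipient = defaultdict(list)
    for t in transfers:
        if is_dormant_sweep(t):
            by_recipient[t.recipient].append(t)
    alerts = {}
    for recipient, sweeps in by_recipient.items():
        sweeps.sort(key=lambda t: t.timestamp)
        start, best = 0, set()
        for end in range(len(sweeps)):
            while sweeps[end].timestamp - sweeps[start].timestamp > window:
                start += 1  # slide the window forward
            senders = {s.sender for s in sweeps[start:end + 1]}
            best = max(best, senders, key=len)
        if len(best) >= min_senders:
            alerts[recipient] = sorted(best)
    return alerts

T0 = 1_777_500_000  # constructed timestamp; every record below is constructed sample data
SAMPLE = [
    Transfer("0xOLD1", "0xCOLLECT", 999 * ETH // 1000, ETH, T0, T0 - 6 * YEAR),
    Transfer("0xOLD2", "0xCOLLECT", 2 * ETH - ETH // 500, 2 * ETH, T0 + 600, T0 - 5 * YEAR),
    Transfer("0xOLD3", "0xCOLLECT", 499 * ETH // 1000, ETH // 2, T0 + 3600, T0 - 8 * YEAR),
    Transfer("0xACTIVE", "0xCOLLECT", ETH - ETH // 1000, ETH, T0 + 700, T0 - 2 * 86400),  # not idle
    Transfer("0xOLD4", "0xEXCHANGE", ETH // 10, ETH, T0 + 800, T0 - 5 * YEAR),  # partial send
    Transfer("0xOLD5", "0xFRIEND", 3 * ETH - ETH // 1000, 3 * ETH, T0 + 900, T0 - 7 * YEAR),
]
print(find_consolidation(SAMPLE))
```

A single dormant sweep (the `0xOLD5` record) is ordinary owner behaviour; the rule only alerts when several distinct dormant senders converge on one recipient inside the window.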
Affected Systems
The incident affected Ethereum mainnet wallets spanning multiple generations of tooling. Some wallets dated back to the 2017-2018 ICO era, while others were created during the 2020-2021 DeFi summer. The diversity of affected wallets suggests the compromise is not limited to a single wallet application or generation tool. Any wallet whose seed phrase was stored in a compromised password manager, generated using weak random number generators, or exposed through other historical breaches could be at risk.
This attack landed amid an already devastating month for crypto security. April 2026 became the most hacked month in crypto history, with DefiLlama recording 28 to 30 separate incidents totaling over $625 million in stolen funds. The Wasabi Protocol lost $4.5 to $5.5 million through an admin key exploit, and the Drift decentralized exchange suffered a $285 million social engineering attack. The dormant wallet drain adds a distinctly personal dimension to this wave, as it targets individual holders rather than protocol treasuries.
The Mitigation Strategy
For users holding significant value in older wallets, the response is straightforward but urgent. Idleness does not mitigate private key risk. A wallet’s security depends on the full history of its key — the device that generated it, the software that touched it, every location where the seed phrase was stored, and every tool that had access to the private key material.
The recommended course of action is to immediately inventory any high-value wallets that have been dormant for extended periods, generate fresh key material using modern hardware wallets with strong entropy sources, and transfer funds to these new addresses. Users should never enter old seed phrases into online checkers, recovery scripts, or unfamiliar verification tools, as these can be harvesting fronts. For wallets that used password managers for seed storage, particularly LastPass prior to its 2022 breach, migration should be treated as time-critical.
Lessons Learned
This incident exposes a fundamental truth about crypto security that many users overlook: the security of a wallet does not improve with time. Unlike traditional financial accounts that benefit from institutional monitoring and fraud detection, a cryptocurrency wallet’s security is only as strong as the moment its keys were generated and every interaction since. A seed phrase exposed in 2022 can be exploited in 2026 with no warning and no recourse.
The attack also highlights the long tail of data breaches in the crypto space. When password managers or cloud storage services are compromised, the stolen data does not expire. Attackers can spend years brute-forcing encrypted vaults or correlating leaked data across multiple breaches before finding the keys to unlock valuable wallets. The four-to-eight-year dormancy period of the affected wallets suggests the attacker has been patient and methodical, building a database of vulnerable addresses over an extended period.
User Action Required
If you hold cryptocurrency in wallets created before 2023, especially if seed phrases were ever stored digitally, take immediate action. Generate new wallets using trusted hardware devices, transfer assets, and verify that old wallets are fully emptied. Monitor the tagged address on Etherscan for any connection to your historical activity. The crypto ecosystem rewards proactive security — in this case, silence from your old wallets does not mean safety.
Ethereum’s rollup-centric roadmap is the right approach
500 dormant wallets drained through a single collection address. the LastPass breach from 2022 is the likely root cause. encrypted vaults being slowly cracked over years
wallet_dr the LastPass breach angle is terrifying. encrypted vaults from 2022 being cracked in 2026 means anyone who stored seed phrases in any cloud password manager from that era should rotate everything immediately
LastPass vaults from 2022 being cracked in 2026 is the slowest ticking bomb in crypto. if you ever stored a seed phrase in a password manager move those funds NOW
the LastPass angle explains why wallets from 2017-2018 were targeted specifically. those were the years people were most likely storing seed phrases in password managers
Gas fees on L2 are now low enough for mass adoption
The blob space upgrade changed the L2 economics completely
260 ETH stolen from wallets idle for 4-8 years. if you have old wallets from 2017-2018 sitting in LastPass, move those funds now. the cracking is ongoing
Raluca this is exactly why I moved everything off LastPass in 2023. the slow cracking of encrypted vaults is a ticking time bomb for thousands of crypto users
596 transactions flowing into a single collection address and nobody noticed for hours. on-chain monitoring tools need to do better at flagging unusual consolidation patterns from dormant wallets
500 dormant wallets drained through one collection address. the attacker knew exactly which keys were compromised and waited years to use them. patience from a thief is terrifying
waiting 4 years to crack LastPass vaults and drain 500 wallets is next level patience. most attackers would have dumped everything within months
500 wallets drained through Fake_Phishing2831105 and the funds went through THORChain router. privacy chains are great for criminals and terrible for everyone else