Someone just drained long-forgotten dormant Ethereum wallets, and the cause may trace back years

A notable development has hit the crypto markets. Hundreds of Ethereum wallets that had sat untouched for years were drained into the same tagged address, turning old key exposure into this week’s sharpest crypto security warning. 30, WazzCrypto flagged the incident affecting mainnet wallets on X, and their warning spread quickly because the affected accounts did not appear to be freshly baited hot wallets. They were old wallets with quiet histories, some tied to assets and tooling from an earlier Ethereum era.

Over 260 ETH, roughly $600,000, was drained from hundreds of dormant wallets. More than 500 wallets appear to be affected, with losses totaling roughly $800,000, and many wallets have been idle for four to eight years. The related Etherscan address is labeled Fake_Phishing2831105 , and shows 596 transactions, and records a 324.

Market Dynamics

741 ETH movement to THORChain Router v4. The constant across them is more important for now: long-idle wallets have been moved to a common destination, while the compromise path remains unresolved. That unresolved vector makes the drain the strongest warning this week, following a surge in DeFi hacks.

Protocol exploits usually give investigators a contract, a function call, or a privileged transaction to inspect. Here, the central question sits at the wallet layer. Did someone obtain old seed phrases, crack weakly generated keys, use leaked private-key material, abuse a tool that once handled keys, or exploit another path that has yet to surface?

Public discussion has produced theories including weak entropy in legacy wallet tools, compromised mnemonics, trading-bot key handling, and LastPass-era seed storage. One affected user personally raised the LastPass theory. The practical advice for users is limited but urgent.

Market Impact

Idleness does not mitigate private-key risk. A wallet with value depends on the full history of the key, the seed phrase, the device that generated it, the software that touched it, and every place that secret may have been stored. For users, the response is probably to inventory high-value old wallets, move funds only after setting up fresh key material through trusted hardware or modern wallet software, and avoid entering old seeds into checkers, scripts, or unfamiliar recovery tools.

Revoking approvals helps for protocol exposure, including Wasabi's user warning , but a direct wallet drain points first to key security rather than token approvals. April widened the control surface The wallet cluster landed amid April's crypto exploit tally, which was already elevated. DefiLlama-linked reporting put April at roughly 28 to 30 incidents and more than $625 million in stolen funds.

As of May 1, the live DefiLlama API showed 28 April incidents totaling $635,241,950. A May 1 market thread captured the pressure point: this week's wallet drains, Wasabi Protocol's admin-key exploit, and April's larger DeFi losses all hit control surfaces that ordinary users rarely inspect. The link across the month is architectural rather than attributional.

Crypto markets are watching this development closely as investors weigh its potential impact on prices.