500+ Dormant Ethereum Wallets Drained After Years Idle

On-chain investigators and users on X reported that more than 500 Ethereum wallets with long periods of inactivity were emptied within about 24 hours. The attacker collected roughly 324.741 ETH and moved funds through ThorChain before converting portions into the privacy coin Monero (XMR) and about 9.56 BTC. Estimated losses total up to about $800,000.

A post on X from user WazzCrypto noted: ‘Hundreds of wallets (many of which haven’t been active in 7+ years) just got drained by the same address on ETH mainnet.’ On-chain records show most affected addresses were between four and eight years old, and one wallet had not moved funds in nearly 14 years. Several wallet owners confirmed their accounts were emptied despite no recent interactions with smart contracts or protocols.

The attacker gathered assets across more than 500 addresses. Chain data shows 324.741 ETH was wrapped and bridged onto the Bitcoin network via ThorChain. Some of those wrapped assets were swapped into XMR, other portions were converted into about 9.56 BTC, and roughly $32,000 in ETH was left in a separate wallet. Some wallets were not fully emptied; on-chain researcher tayvano observed that certain transfers and token handling appeared to be performed manually, indicating a mix of automated and hands-on activity.

Investigators are working to cluster the compromised addresses and trace the flow of funds. Victims and security teams are posting indicators of compromise on public block explorers and messaging platforms to help link addresses and identify additional laundering routes. Analysts say the pattern of bridging and mixing resembles techniques used in past crypto thefts.

Security researchers have proposed several possible vectors for the compromise. One hypothesis is that databases of leaked private keys or credentials were mined for old addresses. Another points to contaminated or flawed wallet software, including past incidents tied to desktop wallet distributions. Trading bots and other third-party services that require users to supply private keys or seed phrases are also under scrutiny as potential attack vectors.

Researchers noted the timing of the drains came shortly after public reports of password-manager security incidents and supply-chain compromises affecting open-source packages. Monitoring of on-chain activity is ongoing as investigators seek clustering links, additional laundering routes and any connection to earlier breaches.