Telegram SIGMA bot linked to $200K wallet drain
An attacker drained more than $200,000 from a trader’s Ethereum, Base and BSC wallets on May 11; on-chain analysts point to a private key leak tied to the SIGMA Telegram bot.
Crypto trader and X personality Unihax0r reported losing more than $200,000 on May 11 after two wallets he controlled were emptied across Ethereum, Base and Binance Smart Chain (BSC). He posted on X, “Just got drained or hacked for more than 200k. Sick to my stomach,” shared the attacker’s wallet address and requested help tracing the funds.
On-chain investigators found no signs of a smart-contract exploit or malicious token approvals. Analysis of the transactions showed the attacker had signing control across multiple chains and completed the transfers in roughly 10 to 30 minutes. The largest single moves included about $125,000 in POD tokens on Base and roughly $21,000 in FHE on BSC, alongside ETH and smaller holdings. The attacker also sent ETH to one of the victim’s Ethereum addresses to cover gas fees used to sweep remaining token balances.
Both drained wallets were created through SIGMA, a Telegram multichain trading bot. The trader had imported those SIGMA-generated wallets into a second Telegram trading tool and into the Rabby browser wallet. Other wallets that were not created by SIGMA and were stored separately in Rabby and other services were not affected.
On-chain investigator kc (@k0braca1) wrote on X that the pattern “looks like a private key leak rather than related to any malicious transactions,” citing the attacker’s ability to sign transactions across chains. Community investigators and volunteers proposed several possible causes for the key exposure, including phishing via fake CAPTCHA or verification bots on Telegram, device compromise or infostealer malware, malicious browser extensions, or insecure handling of keys inside the bot infrastructure. Unihax0r reported checking his Telegram sessions and finding no unusual activity.
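The triage reasoning reported above (outflows signed by the victim's own address on several chains, no allowance-based pulls, and an attacker-funded gas top-up before the sweep) can be expressed as a small classifier. This is an added example, not code from the investigators or from this publication; the record fields, placeholder addresses and verdict names are assumptions constructed for illustration.

```python
# Added illustration. Records are constructed, not real chain data.
# "signer" = account that signed the transaction (tx.from);
# "owner"  = account whose balance was debited by the transfer.
VICTIM, ATTACKER, SPENDER = "0xVICTIM", "0xATTACKER", "0xSPENDER"  # placeholders

SAMPLE = [
    # A drain recipient funds gas on the victim address, then key-signed sweeps follow.
    {"chain": "ethereum", "ts": 0,   "signer": ATTACKER, "owner": ATTACKER, "to": VICTIM,   "asset": "ETH"},
    {"chain": "ethereum", "ts": 120, "signer": VICTIM,   "owner": VICTIM,   "to": ATTACKER, "asset": "TOKEN_A"},
    {"chain": "base",     "ts": 300, "signer": VICTIM,   "owner": VICTIM,   "to": ATTACKER, "asset": "POD"},
    {"chain": "bsc",      "ts": 900, "signer": VICTIM,   "owner": VICTIM,   "to": ATTACKER, "asset": "FHE"},
]

def triage(victim, txs):
    """Heuristic: who signed the transactions that moved the victim's assets?"""
    outflows = [t for t in txs if t["owner"] == victim and t["to"] != victim]
    if not outflows:
        return {"verdict": "no_outflows"}
    # Signed by the victim address itself: the sender holds the private key
    # (or the owner was tricked into signing; multi-chain sweeps make that unlikely).
    key_signed = [t for t in outflows if t["signer"] == victim]
    # Debited by a third-party signer: a transferFrom that used a token allowance.
    pulled = [t for t in outflows if t["signer"] != victim]
    recipients = {t["to"] for t in outflows}
    # Gas top-up: a drain recipient sends funds in before a key-signed sweep on that chain.
    gas_top_up = any(
        t["to"] == victim and t["signer"] in recipients
        and any(o["chain"] == t["chain"] and o["ts"] > t["ts"] for o in key_signed)
        for t in txs
    )
    if key_signed and not pulled:
        verdict = "likely_key_compromise"
    elif pulled and not key_signed:
        verdict = "approval_abuse"
    else:
        verdict = "mixed"
    times = [t["ts"] for t in outflows]
    return {
        "verdict": verdict,
        "chains": sorted({t["chain"] for t in key_signed}),
        "gas_top_up": gas_top_up,
        "window_min": (max(times) - min(times)) / 60,
    }

if __name__ == "__main__":
    print(triage(VICTIM, SAMPLE))
```

A "likely_key_compromise" verdict means revoking approvals will not help: every address derived from the exposed key or seed has to be treated as lost and remaining assets moved to freshly generated keys.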
The stolen assets were moved to an externally owned account controlled by the attacker and are being routed through cryptocurrency mixers. A large portion of the funds remains in wallets on Base under the attacker’s control. Community trackers and fraud-hunting accounts have offered tracing help but noted that recovering funds after mixing is difficult.
Security researchers have warned that wallets generated inside third-party bots may have private keys created and stored within the bot’s infrastructure, which can leave users without direct control of their keys. Web3 anti-scam monitors reported a rise in Telegram-based malware and scam activity from late 2024 into early 2025, including fake verification bots and malicious links used to deploy software that can access wallets and browser data.
A prior incident in September involved a Telegram trading bot linked to the exploitation of 36 wallets and the theft of about 536 ETH, after which that bot went offline. Investigators and security researchers continue to advise against generating wallets through third-party bots and recommend keeping private keys and seed phrases in hardware wallets or other secure environments under the user’s direct control.