Over 500 dormant Ethereum wallets got drained in late April 2024, losing victims about $800,000 total. Stolen funds moved to Etherscan's 'Fake_Phishing2831105' address before a 324.741 ETH transfer to THORChain Router v4.1.1 on April 30. The cause remains unclear.
April's Attack Wave
DefiLlama recorded 28 confirmed crypto incidents that month totaling $635.2 million stolen. Wasabi Protocol lost $4.5–5.5 million on April 30 after an attacker hijacked admin controls using UUPS proxy upgrades across Ethereum, Base, and Blast networks. Drift Protocol suffered $285 million in losses from social engineering, fake collateral, and oracle manipulation. KelpDAO also lost roughly $290 million that April. The Ethereum wallet drain was one of many hits.
Tracking the Funds
The attacker targeted wallets untouched for years. All stolen ETH went to the 'Fake_Phishing2831105' address, which processed 596 transactions including the big THORChain transfer. It's not clear where the funds went after that.
The Breach Theories
Security teams have a few ideas. Legacy wallet tools might've generated weak keys due to poor entropy. Mnemonics stored in services like LastPass could've been compromised. Trading bots holding keys might also be to blame. The focus on dormant wallets suggests old keys were exposed. No one's sure what went wrong yet.
