At least 297 wallets were emptied on Ethereum Virtual Machine (EVM)-compatible chains within a few hours, with almost USD 500,000 stolen, according to data presented on May 28 by the on-chain developer and researcher known on X as mr wildcat. The funds, according to the developer, were consolidated into a single address before being distributed through the swap platform FixedFloat.
Ethereum accounted for the bulk of the damage, with 230 addresses compromised and almost $495,000 stolen. The other nine affected chains recorded smaller amounts: BNB Chain with 38 addresses and around $917, Polygon with 32 addresses and just under $987, as seen in the following image:


Regarding the attack vector, mr wildcat raised an unconfirmed hypothesis: “I suspect a massive leak of private keys associated with a wallet provider.” If so, the incident would not point to a vulnerability in an external module or a smart contract, but directly to the keys that grant full control over the funds. This would be very similar to the hack at the end of April, which affected more than 500 wallets and left more than USD 700,000 in stolen funds, as reported by CriptoNoticias.
A second incident in less than a week
The hack of these almost 300 wallets came three days after an exploit that drained approximately USD 3 million from 86 wallets on Ethereum and Base, as reported by CriptoNoticias.
In that case, the attacker did not need his victims’ private keys, since he exploited a vulnerability in an external Squid Router module (a tool that allows exchanges between networks to be executed from the wallet) to impersonate an authorized operator and execute transactions without permission. The funds were converted to DAI through liquidity pools that the attacker himself had set up in advance on Uniswap.
Both incidents illustrate different attack vectors. The Squid Router exploit did not require access to private keys, but instead targeted an external module installed in the affected wallets.
In the case analyzed by mr wildcat, if the hypothesis is confirmed, the keys would have been compromised directly from a provider, which implies a deeper level of access and a risk that is more difficult for the individual user to mitigate.
