Dormant Ethereum Wallets Drained in Coordinated Attack,…

More than 500 Ethereum wallets, many inactive for years, were drained in a coordinated attack that resulted in approximately $800,000 in losses, with stolen funds subsequently laundered through cross-chain protocol ThorChain, according to on-chain investigators.

The incident stands out due to the age of the affected wallets, with some having remained inactive for up to seven years. Analysts noted that the attacker targeted wallets with no recent activity, raising concerns about latent vulnerabilities tied to older key management practices or previously compromised credentials.

The scale and pattern of the exploit have drawn attention across the crypto security community, particularly given the absence of a clearly identified attack vector.

Attack targets dormant wallets at scale

On-chain data indicates that a coordinated set of addresses systematically drained funds from hundreds of wallets over a short period. The affected wallets held ether and other tokens, though individual balances were generally modest.

Researchers observed that many of the compromised wallets were created between four and eight years ago, suggesting that older storage methods or exposed private keys may have played a role. In some cases, affected users reported no recent interaction with decentralized applications or suspicious contracts, adding to uncertainty around how access was obtained.

The attacker did not fully empty every wallet, leading analysts to consider whether the operation involved selective targeting based on balance thresholds or extraction strategies designed to avoid detection.

One of the most significant aspects of the incident is the absence of a confirmed entry point. Unlike common wallet drains tied to phishing links or malicious approvals, this attack has not yet been linked to a specific exploit mechanism.

Security researchers have suggested several possible explanations, including compromised private keys, vulnerabilities in outdated wallet software, or credentials exposed in historical data breaches that were only recently exploited.

The targeting of dormant wallets has intensified concerns because such addresses are often assumed to be safer due to their lack of interaction with newer protocols. The event challenges that assumption and highlights risks associated with long-term storage without periodic key rotation.

Funds routed through ThorChain to obscure trail

Following the theft, the attacker moved funds through ThorChain, a decentralized cross-chain liquidity protocol that enables asset swaps across multiple blockchains without centralized intermediaries.

Investigators said portions of the stolen ether were converted into other assets to complicate tracking efforts. The use of cross-chain infrastructure and asset swapping is a common tactic in crypto-related exploits, as it fragments transaction trails and reduces traceability.

The incident underscores persistent vulnerabilities in self-custody systems, particularly for wallets created during earlier phases of the crypto ecosystem. As the industry evolves, older wallets may rely on outdated security assumptions or tools that are no longer considered best practice.

Security analysts have warned that dormant wallets can become targets if private keys were exposed through weak entropy, compromised devices, or historical leaks. The latest event highlights the importance of proactive security measures, including migrating funds to newly generated wallets and updating storage practices.

While the financial impact is relatively limited compared to larger DeFi exploits, the nature of the attack has drawn significant attention due to its unusual targeting strategy and unclear technical cause.

For market participants, the incident reinforces the importance of wallet hygiene and key management as attackers continue to evolve their methods.

Investigators are continuing to analyze transaction patterns in an effort to determine the root cause. A clearer understanding of the exploit may inform future security recommendations and help prevent similar incidents.

For now, the attack serves as a reminder that inactivity alone does not guarantee safety in crypto, and that even long-dormant assets can become targets in an increasingly complex threat environment.