Veteran crypto trader takes $6.5 million hit in wallet drainer attack

A seasoned crypto trader has fallen victim to a wallet drainer attack that siphoned over $6.5 million in digital assets, flagged by security platform Web3 Antivirus on Thursday.

The compromised account, identified as wallet 0x0d18D…D7e3, had been active for over four years. Records show the victim had been trading and staking on protocols such as Lido and Aave, and their funds were drained after they supposedly signed several phishing “permit” signatures. 

We've detected one of the largest wallet drainers in recent months, with total losses now surpassing $6.5M.

The victim wallet had been active for 4.5 years, trading and investing across DeFi, with significant activity on protocols like Lido and Aave. Despite this long history,… pic.twitter.com/Zfp9YhRGYj

— Web3 Antivirus (@web3_antivirus) September 18, 2025

As of this publication, the victim’s address still had $2.6 million coins in the address spread across 189 tokens.

Drained funds traced to two addresses

According to on-chain data seen on Etherscan, the attack began yesterday shortly after 9:28 PM UTC, and was completed within seven minutes. In one transaction, the victim’s holdings of 188.38 stETH, valued at over $807,000, were transferred to a known drainer address 0xa2e8Dfc32767f43611ABb43F66308E7Eb9C224F8, a known drainer address.

“The victim was definitely using one of the wallets, which shows that ‘built-in’ wallet protection wasn’t efficient,” Web3 Antivirus wrote on its X thread discussing the hack.

Another transfer saw 753.53 stETH, worth $3.23 million, moved into the same network of addresses. The stolen tokens were quickly converted, with part of the assets pushed through Lido’s pending withdrawal queue.

At the same time, the drainer siphoned off smaller portions of tokenized wrapped Bitcoin. Eleven separate transfers of aEthWBTC, each worth roughly 1.93 units, were logged. The token draining tactic was seemingly to take up smaller coins in value, which added up to thousands of dollars in lost assets.

Scam Sniffer investigations showed that a customer of the drainer using the address 0x1623915E35Ed39Bfa381010Ce224f89734889aC9 converted the seized stETH into different assets, including 753 stETH pending Lido withdrawal and 123 ETH on other blockchains.

🚨 UPDATE on the $6.28M phishing theft:

Drainer customer 0x1623…9aC9 converted to ETH and moved:

– 753 stETH pending Lido withdrawal
– 123 ETH bridged via Bridgers 4 hours ago to:
– Bitcoin: bc1quzjv00c5vsalcst4dj0p8p2r5rwchat89aamweTRz
– TRON:… https://t.co/lqpd9BJw3G pic.twitter.com/hNhDhbrQ81

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 18, 2025

Blockchain data shows 123 ETH was bridged just four hours after the initial attack. The funds were transferred to two external wallets outside Ethereum’s ecosystem: a Bitcoin address (bc1quzjv00c5vsalcst4dj0p8p2r5rwchat89aamweTRz) and a TRON account (TEuR8RSWJMHTCvYL77wmY17XXPzJfwD98f).

71 ETH was transferred using NEAR’s cross-chain intent protocol, and the drainer’s fee address 0xa2e8…4F8 routed 312.8 ETH to a fresh account, 0x5e91bfcfbddc1868770f17a4cb4f65043d17a64b, probably to spoof those who were tracking the stolen coins.

The incident spread across social media and was highlighted by several cybersecurity platforms and comments from blockchain investigators and traders. On-chain analyst Specter urged the victim to reach out to him on X, saying:

“The victim who lost $6M to a phishing attack should kindly send me a DM, as I have some information that could help in the case.”

Stolen crypto seized in Canadian crackdown

The attack on the veteran trader came on the same day when the Royal Canadian Mounted Police (RCMP) announced it had seized more than $56 million in crypto, the largest such operation in the country’s history.

As reported by Cryptopolitan late Thursday, the RCMP recovered the funds from TradeOgre, a platform that has now been dismantled as part of the investigation. It is the first time a crypto trading platform has been taken down by Canadian authorities, although there’s public outcry that it was closed down prematurely.

“The Money Laundering Investigative Team (MLIT) opened the file in June 2024, following a tip from Europol,” the RCMP confirmed in a statement. TradeOgre is accused of contravening Canadian law by failing to register as a money services business with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). 

The platform also reportedly did not identify its clients, a violation that allowed transactions to bypass oversight.

Authorities added that they believe the majority of the funds passing through TradeOgre were of criminal origin. “This is a common tactic used by criminal organizations that launder money,” the RCMP noted.

Join Bybit now and claim a $50 bonus in minutes