Hundreds of dormant Ethereum wallets got drained this week, all funneling into a single tagged address. WazzCrypto flagged the incident on April 30, and what made it stick was that these weren't fresh targets. These wallets had been untouched for years, sitting cold and forgotten.
The mechanics matter here. Old wallets don't drain themselves. Someone accessed private keys across multiple accounts and executed a coordinated sweep. The timing and pattern suggest the vulnerability didn't happen last week. It traces back further, possibly years, meaning compromised keys have been sitting in the wild for a long time before being weaponized.
This is a teeth-grinder for holders who moved funds into old addresses and forgot about them. If your private keys leaked through a now-defunct exchange, an old compromised device, or exposure from years past, you're at risk. The attacker didn't need to break anything new. They just needed to find old keys and wait until now to move.
The broader lesson: dormant doesn't mean safe. Keys don't expire. Exposure from 2020 or 2021 remains current risk. If you have funds sitting in addresses from the before times, move them. Create new wallets with fresh key generation. The only security model that works is assuming your old keys might be compromised.