Your Old Crypto Wallet Is NOT Safe — The April 30 Ethereum Drain Proves It
The industry told you cold wallets are forever. On April 30, 2026, the chain proved otherwise.
Over 500 Ethereum wallets — many untouched since 2018 and 2019 — were drained in a coordinated sweep. Approximately $800,000 gone. 324.741 ETH routed through THORChain for obfuscation. All victim funds funneled to a single receiving address. And as of this writing, the attack vector remains officially unconfirmed.
That last part is the part that should concern you.
What Happened
On-chain analyst WazzCrypto first flagged the anomaly on April 30. The pattern was unmistakable: hundreds of wallets dormant since at least December 2019 suddenly executing transactions — swaps, approvals, and claims firing in coordinated bursts, all sending funds to the same destination address. SAI (Single Collateral DAI, a token deprecated since 2019) was swept alongside ETH, confirming the vintage of the wallets targeted.
The attacker then moved the consolidated funds through THORChain, a cross-chain liquidity protocol commonly used to obscure the origin and destination of crypto flows.
Total confirmed damage: 260+ ETH across 500+ wallets. Total moved through laundering infrastructure: 324.741 ETH.
The attack targeted ETH mainnet only. No Layer 2 activity. No protocol exploit identified. No phishing campaign linked.
Three Attack Vectors Under Investigation
Security researchers have identified three hypotheses. None are confirmed. That is the core of the problem.
Hypothesis 1: Legacy low-entropy key generation.
Ethereum wallets created between 2017 and 2019 were frequently built using wallet generators with weak entropy sources — browser-based randomness, predictable seeds, short passphrases. The cryptographic assumptions that made those keys "secure" in 2018 have degraded under eight years of computational advancement. Blockchain attackers have been systematically scanning low-entropy address ranges for years. This may be the result of a long-running harvest finally executed.
Hypothesis 2: Old DeFi approvals exploited.
Many of the affected wallets carried lingering token approvals — unlimited spend permissions granted to early Compound, Uniswap V1, and early Aave contracts in 2019 and 2020. Protocols upgrade. Contracts get replaced. If an attacker gained control of a legacy approved contract address, every wallet that still carries an active approval against that address is exposed — regardless of whether the wallet has been touched since.
Hypothesis 3: Legacy seed phrase exposure.
The 2018–2020 era produced a wave of insecure tooling: password managers with weak encryption, trading bots that stored credentials in plaintext, browser extension wallets with questionable security practices, and an epidemic of "seed phrase checkers" that were outright harvesting tools. Multiple data breach incidents across that period exposed archived private credentials. Attackers may have spent years building a database of leaked seed phrases and are now running systematic wallet sweeps against them.
The critical implication of all three hypotheses: if the attack vector is key compromise — not a smart contract bug, not a front-end phish — there is no patch. No hardware wallet protection. No approval revocation. No multisig. If someone holds your private key, the wallet is gone.
Who Is Actually At Risk
Retail crypto holders who created wallets during the 2017–2020 ICO boom represent the largest exposed population. The categories:
OG wallets from the ICO era. Millions of retail wallets were created using the early tools of that period — many of which are now known to have had weak entropy implementations, insecure storage, or were outright scam collection tools.
"Set and forget" cold storage. The retail mental model for years has been: send funds to a hardware wallet or cold address, don't touch it, it's safe. This incident directly challenges that model. A wallet that hasn't been touched since 2019 is not necessarily safe — it reflects the security posture of 2019.
Legacy DeFi participants. Anyone who used early DeFi protocols and never cleaned up their approval trail is exposed to Hypothesis 2. Unlimited spend approvals granted in 2019 do not expire. They sit live on-chain until explicitly revoked.
Poor seed phrase hygiene (2018–2020 vintage). Cloud notes, email drafts, Dropbox files, unencrypted password managers — any seed phrase that touched a digital medium in that era should be treated as potentially compromised.
What You Do Right Now
This threat is active. The attacker still has operating capital and the drain continues. There is no confirmed patch because there is no confirmed exploit. The action window is now.
If you have a wallet created before 2021 with any meaningful holdings:
Do not touch your old seed phrase. Do not enter it into any application — not seed checkers, not recovery tools, not "migration assistants." Scammers are already deploying fake recovery tools exploiting this incident specifically.
Create fresh keys using a modern hardware wallet (Ledger or Trezor current generation) or a reputable software wallet created today. If you use a hardware wallet, verify the firmware is current.
Send a small test transaction from the old wallet to the new address. Confirm receipt. Then migrate all remaining funds in a single transaction. Do not leave residual amounts in the old wallet.
Revoke all outstanding approvals on the old wallet at revoke.cash before or during migration. If Hypothesis 2 is the vector, this removes the exposure. If it's not, you've still cleaned up a legitimate attack surface.
Assume the old seed is compromised if it was ever stored digitally before 2021. Treat it accordingly.
For all wallets, regardless of age:
Run revoke.cash quarterly. Unlimited spend approvals are a persistent attack surface. Clean them.
Never type your seed phrase into anything claiming to check, verify, or recover it. The only legitimate use of your seed phrase is to restore a wallet you control, on hardware you control, in a software environment you trust.
Cold wallets are not immune. They haven't been targeted the same way — yet. The security posture of the era in which a wallet was created is the security posture that wallet carries.
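What a revocation pass has to clear can be read from the chain's own event logs. The following is an added example, not part of the original article and not revoke.cash's code: it replays ERC-20 Approval logs, in the shape eth_getLogs returns them, and lists the approvals an owner never zeroed out. All addresses and log entries in it are constructed placeholders.

```python
# Added example: replay ERC-20 Approval logs to find approvals an owner left live.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Return {(token, spender): last approved amount} for owner, zeroed entries dropped.
    The last logged amount is an upper bound: transferFrom can spend a finite allowance
    down without a new Approval event, so allowance(owner, spender) is authoritative."""
    owner, latest = owner.lower(), {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner or len(log["data"]) != 66:
            continue
        latest[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    return {pair: amount for pair, amount in latest.items() if amount > 0}

def report(logs, owner):
    """Sorted (token, spender, amount) rows, with huge allowances labelled UNLIMITED."""
    return [(token, spender, "UNLIMITED" if amount >= UNLIMITED_FLOOR else str(amount))
            for (token, spender), amount in sorted(live_approvals(logs, owner).items())]

# Constructed sample data: placeholder addresses, not real accounts or contracts.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_OLD, SPENDER_NEW = "0x" + "bb" * 20, "0x" + "cc" * 20

def make_log(block, index, token, owner, spender, amount):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [  # deliberately out of block order
    make_log(9_200_000, 7, TOKEN_B, OWNER, SPENDER_NEW, 0),           # revocation
    make_log(9_000_000, 3, TOKEN_A, OWNER, SPENDER_OLD, 2**256 - 1),  # never revoked
    make_log(9_100_000, 1, TOKEN_B, OWNER, SPENDER_NEW, 500),         # revoked above
    make_log(9_050_000, 2, TOKEN_A, OTHER, SPENDER_OLD, 10),          # another owner
    make_log(9_300_000, 0, TOKEN_B, OWNER, SPENDER_OLD, 1000),        # finite, live
]

if __name__ == "__main__":
    print(report(SAMPLE_LOGS, OWNER))
```

Every row in the output is an approval that should be set to zero before or during migration.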
The Broader Context
April 2026 was the worst month in recorded crypto security history. Twenty-eight to twenty-nine exploit incidents. $629 to $635 million in total losses. Seventy-six percent of all 2026 hack value attributed to North Korean state actors — the $285 million Drift exploit and the $293 million Kelp DAO breach alone account for the majority.
The dormant wallet sweep adds a dimension that the headline exploits don't have: those attacks targeted protocols and bridges. This one targeted individuals. Retail holders who thought their old wallets were safe are now learning they were not.
The same week, Hong Kong's Monetary Authority issued a warning about fake HSBC and HKDAP stablecoin tokens circulating before HSBC's licensed stablecoin has launched. Blockaid data shows 54,000 fake stablecoins created since the GENIUS Act passed in July 2025. As regulation legitimizes the space, scammers pivot to impersonating the very institutions regulation is supposed to endorse. The attack surface is not shrinking.
The security model that got most retail users this far — cold storage, set and forget, trust the seed — is insufficient for the threat environment that exists now.
Migrate. Revoke. Verify.
— Zero out.