Wallet Drain
Investigation
Root Cause
The victim pushed a private key to a public GitHub repository while using Claude Code. Automated bots that continuously scrape GitHub for exposed secrets — private keys, API keys, seed phrases — found the key and immediately compromised the wallet.
This was not a phishing attack, malicious signature, or social engineering. The attacker had full private key access from the start.
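As an added illustration of the root cause (not part of the original report), the following Python is the kind of pre-commit check that would have stopped the push: it scans staged text for 32-byte hex private keys and 12/24-word seed phrases, the same artefacts the scraping bots look for. The .env content below is constructed. The patterns are heuristics: a 64-hex value can equally be a transaction hash, so a nearby keyword such as PRIVATE_KEY or MNEMONIC is what raises the severity to blocking.

```python
import re
from dataclasses import dataclass

# Added example: a minimal secret scanner for a pre-commit hook. It flags the
# two artefacts GitHub-scraping bots target: 32-byte hex private keys and
# BIP-39-style seed phrases. Patterns are heuristics, not a wordlist check.
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# 12 or 24 lowercase words of 3-8 letters separated by spaces or tabs.
SEED_RE = re.compile(
    r"\b((?:(?:[a-z]{3,8}[ \t]+){23}|(?:[a-z]{3,8}[ \t]+){11})[a-z]{3,8})\b"
)
# Context words that turn a 'maybe' into a 'high': a 64-hex value next to
# PRIVATE_KEY is a key; next to TX_HASH it is probably just a hash.
KEYWORD_RE = re.compile(r"private[_ -]?key|mnemonic|seed[_ -]?phrase|secret|\bpk\b", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str       # "hex_private_key" or "seed_phrase"
    severity: str   # "high", "medium" or "low"
    snippet: str    # redacted; the full secret never reaches the hook output


def redact(value: str) -> str:
    return value[:6] + "..." + value[-4:]


def scan_text(text: str) -> list:
    """Scan file contents line by line and return a list of Findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_kw = bool(KEYWORD_RE.search(line))
        for m in HEX_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "hex_private_key",
                                    "high" if has_kw else "medium",
                                    redact(m.group(1))))
        for m in SEED_RE.finditer(line):
            words = m.group(1).split()
            findings.append(Finding(line_no, "seed_phrase",
                                    "high" if has_kw else "low",
                                    f"{words[0]} ... {words[-1]} ({len(words)} words)"))
    return findings


def should_block_commit(findings) -> bool:
    """Pre-commit policy: refuse the commit on any high-severity finding."""
    return any(f.severity == "high" for f in findings)


# Constructed sample of a .env file a developer might stage by mistake.
# The key is a repeating pattern, not a real key; the mnemonic is the
# well-known BIP-39 test vector.
SAMPLE_ENV = """\
RPC_URL=https://mainnet.example.invalid
PRIVATE_KEY=0x1111111111111111111111111111111111111111111111111111111111111111
MNEMONIC="abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
LAST_TX_HASH=0x2222222222222222222222222222222222222222222222222222222222222222
# this file holds local settings only
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV)
    for f in results:
        print(f"line {f.line_no}: {f.kind} [{f.severity}] {f.snippet}")
    if should_block_commit(results):
        raise SystemExit("commit blocked: credential material staged")
```

Wired into a pre-commit hook, the scanner runs over `git diff --cached` output; the point is that it fires before the push, because once the key is on a public remote the race against the bots is already lost.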
Victim Wallet Profile
| Field | Value |
|---|---|
| Address | 0x8c76A394D736422CD0590d57f165b05E4e117835 |
| Type | EOA with ERC-7702 delegation (attacker-installed) |
| Ethereum Txns | 1,879 |
| Base Txns | 212 |
| Deployed Contracts | 311 |
| Current Balance | Dust and spam tokens only — effectively $0 |
Attack Sequence
Step 1 — Key Compromise
Attacker's bot scraped the exposed private key from the public GitHub repository.
Step 2 — Asset Drain
Using the private key, the attacker drained all liquid assets (ETH, ERC-20 tokens, NFTs) across both Ethereum and Base.
Step 3 — Persistence via ERC-7702
The attacker then submitted ERC-7702 set-code transactions on both chains, delegating the victim's EOA to malicious contracts. Any ETH, token or NFT that later lands in the address can be swept out by the delegate code, so the wallet is now a standing drain trap rather than a one-time theft.
Both delegation contracts are unverified (analysed from decompiled bytecode), identical in structure, and have the attacker address hardcoded as the recipient.
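An added example, not from the report: how to read the on-chain state that makes this persistence work. EIP-7702 stores a 23-byte designator (0xef0100 followed by the delegate's address) as the EOA's code. The Python below parses what eth_getCode (or Foundry's `cast code`) returns, matches it against the two delegation contracts listed in this report, and models the clearing rule: an authorization whose address field is the zero address removes the code. The victim's code bytes are constructed from the addresses on this page; chain ids 1 and 8453 are Ethereum mainnet and Base.

```python
from typing import Optional

# EIP-7702: after a type-4 (set-code) transaction, eth_getCode on the EOA
# returns 0xef0100 || <20-byte delegate address>. Calls to the EOA then run the
# delegate's code in the EOA's own context (its storage, its balance), which
# is how a malicious delegate can sweep whatever the address receives.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
ZERO_ADDRESS = "0x" + "00" * 20

# Delegation contracts named in this report, keyed by chain id.
KNOWN_MALICIOUS_DELEGATES = {
    1: "0x47e747f5e8cb5819c966292dd969d989ae9dea5e",      # Ethereum
    8453: "0xdde8ac2d2d69b7e52419ea1503b6ce8d5e699add",   # Base
}


def from_rpc_hex(code_hex: str) -> bytes:
    """Convert the '0x...' string returned by eth_getCode / `cast code` to bytes."""
    return bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is a 7702 designator, else None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def designator_for(delegate: str) -> bytes:
    """Build the code bytes an EOA carries after delegating to `delegate`."""
    return DELEGATION_PREFIX + bytes.fromhex(delegate[2:])


def apply_authorization(delegate: str) -> bytes:
    """Model the state change for an authorization tuple's address field:
    the zero address clears the code; any other address installs a designator."""
    if delegate.lower() == ZERO_ADDRESS:
        return b""
    return designator_for(delegate)


def classify_account(code: bytes, chain_id: int) -> str:
    delegate = parse_delegation(code)
    if delegate is None:
        return "eoa" if len(code) == 0 else "contract"
    if delegate.lower() == KNOWN_MALICIOUS_DELEGATES.get(chain_id, "").lower():
        return "delegated:known-malicious"
    return "delegated:" + delegate


def funds_at_risk_on_receipt(code: bytes) -> bool:
    """Conservative pre-send check: any live delegation means code the owner
    did not necessarily write runs when the address is called. For this
    victim even empty code is not safe, because the attacker still holds the
    private key and can re-delegate at any time."""
    return parse_delegation(code) is not None


# Constructed view of the victim's state after Step 3 (addresses from the report).
VICTIM_CODE_ETHEREUM = designator_for(KNOWN_MALICIOUS_DELEGATES[1])
VICTIM_CODE_BASE = from_rpc_hex("0xef0100" + KNOWN_MALICIOUS_DELEGATES[8453][2:])

if __name__ == "__main__":
    print("Ethereum:        ", classify_account(VICTIM_CODE_ETHEREUM, 1))
    print("Base:            ", classify_account(VICTIM_CODE_BASE, 8453))
    print("After revocation:", classify_account(apply_authorization(ZERO_ADDRESS), 1))
```

The same 23-byte check is what a wallet or bridge should run before sending to any EOA: a designator on the recipient means the transfer is delivered into someone else's code path.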
Attacker Identity
Primary Wallet
| Chain | Txns | ETH | USDC |
|---|---|---|---|
| Ethereum | 86 | 1.49 (~$2,767) | 8.49 |
| Base | 55 | 2.12 (~$3,935) | 112 |
Secondary Wallet
Consolidation address: received 0.118 ETH + 174.78 POL from the primary wallet.
Sweeper Bot
Base: automated approve-swap-transfer loops.
Fund Flow — Ethereum
| Action | Destination | Details |
|---|---|---|
| ETH + POL consolidation | 0x98b9...43 (secondary wallet) | 0.118 ETH + 174.78 POL |
| Token swaps (BSSB, WAMPL) | TransitSwap DEX | Swapped to ETH |
| Yearn V3 vault redemption | Attacker primary | Redeemed for USDC |
| AXOME transfer | 0xb868...3b | Separate recipient |
Fund Flow — Base
The attacker deployed a sweeper bot on Base that ran automated approve-swap-transfer loops; the bot's address is listed in the attacker-linked address table below.
Checks NFTs — Stolen
Victim held Checks VV Originals. Current balance: 0.
| Field | Value |
|---|---|
| Tx Hash | 0x60e9bb5e...fba951a92 |
| Date | February 15, 2026 — 23:27:59 UTC |
| Checks Moved | 3 (#23, #42, #2020) |
| Recipient | 0x2e7581ad...207778e7 |
| Date | Recipient | Status |
|---|---|---|
| Feb 4, 2026 | 0x66d5...35 | Unconfirmed |
| Feb 3, 2026 | 0x052c...52 | Unconfirmed |
| Jan 1, 2026 | 0xd416...01 | Unconfirmed |
Fund Flow Diagram
All Known Attacker-Linked Addresses
| Role | Address | Chain |
|---|---|---|
| Primary attacker | 0x52c99accbaf0659df23ddbfbe9dfa64fb2732e6b | Both |
| Secondary wallet | 0x98b971f59b21b08988cd2274f996bc09af2ce743 | Ethereum |
| Sweeper bot | 0xbc1d9760bd6ca468ca9fb5ff2cfbeac35d86c973 | Base |
| NFT recipient | 0x2e7581ad773438db872415c2faa7895a207778e7 | Ethereum |
| AXOME recipient | 0xb868645fedba6961ddd099d48c4bc4728a4d113b | Ethereum |
| Malicious delegation | 0x47e747f5e8cb5819c966292dd969d989ae9dea5e | Ethereum |
| Malicious delegation | 0xdde8ac2d2d69b7e52419ea1503b6ce8d5e699add | Base |
Current Attacker Holdings
Recommendations
1. Do NOT deposit any funds to the victim wallet: the ERC-7702 delegation lets the attacker drain anything sent there, and the private key itself remains in the attacker's hands.
2. Revoke the ERC-7702 delegation (a set-code transaction whose authorization points at the zero address clears the delegated code), but treat the wallet as permanently compromised: whoever holds the private key can simply re-delegate.
3. Monitor 0x2e7581ad...e7: the stolen Checks NFTs may not have been sold yet and could be recoverable.
4. Rotate all secrets in the same repository or environment as the leaked key, and purge the key from the repository history; deleting it in a later commit does not remove it from clones the scrapers have already taken.
5. Report attacker addresses to exchanges and on-chain analytics providers (Chainalysis, Etherscan labels).
Attacker Identity Analysis
Deep-dive investigation into the attacker's operational patterns, infrastructure, and potential identity markers.
The NFT recipient wallet 0x2e7581ad...e7 is not a one-off recipient. It has 94 transactions and is itself ERC-7702 delegated, the same infrastructure the attacker installs on victims. Its history shows NFTs drained from 5+ different victim wallets through calls with the identical function selector 0xbca8c7b5, a batch-execution entry point.
The NFT recipient's delegation contract (0x882d5e30...) pays block.coinbase, the block proposer, inside its batch execution flow. That is the hallmark of Flashbots-style private transaction submission: the attacker tips the proposer directly so the drain transactions are included without ever appearing in the public mempool, where they could be front-run or flagged.
Every token swap performed by the attacker across all wallets goes through TransitSwap V5. This is a behavioral fingerprint: TransitSwap is a cross-chain DEX aggregator popular primarily in Asian markets. No Uniswap, no 1inch, no CoW Protocol. Exclusively TransitSwap.
The secondary wallet 0x98b9...43 has exactly 1 transaction — it received 0.118 ETH + 174.78 POL and went dormant. This is a classic dead-drop pattern: receive stolen funds at a fresh address and let it cool off before moving it further.
No funds from any attacker-linked wallet have moved to known centralized exchange deposit addresses. All liquidity remains in self-custodied wallets. The attacker is either waiting for the trail to cool, using P2P OTC channels, or hasn't cashed out yet — which means exchange-based identification is not currently possible.
Transaction history on the attacker's primary wallet dates back to September 2025. This is not a new operation — it's a sustained, professional key-scraping operation that has been actively draining compromised wallets for at least 5 months.
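The dead-drop and no-exchange-contact observations above come out of a simple cluster trace, shown here as an added example that is not part of the report. The Python below walks outbound transfers from the victim, stops at service contracts (DEX routers, exchange deposit addresses) so it does not absorb their other users into the attacker cluster, then applies the two heuristics used above: a dead drop has exactly one inbound counterparty and no outbound transfers, and a cash-out is any edge from the cluster to a labelled exchange deposit address. The transfer records are constructed from the flows in this report's tables; the TransitSwap router, the exchange deposit address and the second victim are placeholders, not real addresses.

```python
from collections import defaultdict, deque

# Addresses from the report (lower-cased).
VICTIM    = "0x8c76a394d736422cd0590d57f165b05e4e117835"
PRIMARY   = "0x52c99accbaf0659df23ddbfbe9dfa64fb2732e6b"
SECONDARY = "0x98b971f59b21b08988cd2274f996bc09af2ce743"
SWEEPER   = "0xbc1d9760bd6ca468ca9fb5ff2cfbeac35d86c973"
NFT_RECIP = "0x2e7581ad773438db872415c2faa7895a207778e7"
AXOME_RCP = "0xb868645fedba6961ddd099d48c4bc4728a4d113b"
# Hypothetical placeholders, not real addresses.
DEX_ROUTER   = "0x" + "d1" * 20   # stands in for the TransitSwap V5 router
CEX_DEPOSIT  = "0x" + "ce" * 20   # stands in for an exchange deposit address
OTHER_VICTIM = "0x" + "0b" * 20   # one of the other wallets drained to NFT_RECIP

SERVICES = {DEX_ROUTER: "dex:TransitSwap V5", CEX_DEPOSIT: "cex:deposit"}

# Constructed transfer log: (tx, from, to, chain, asset, amount). Amounts the
# report states are used; the rest are illustrative.
TRANSFERS = [
    ("t1", VICTIM,       PRIMARY,    "ethereum", "ETH",    1.49),
    ("t2", VICTIM,       PRIMARY,    "base",     "ETH",    2.12),
    ("t3", VICTIM,       NFT_RECIP,  "ethereum", "CHECKS", 3),
    ("t4", PRIMARY,      SECONDARY,  "ethereum", "ETH",    0.118),
    ("t4", PRIMARY,      SECONDARY,  "ethereum", "POL",    174.78),
    ("t5", PRIMARY,      DEX_ROUTER, "ethereum", "BSSB",   1000),
    ("t5", DEX_ROUTER,   PRIMARY,    "ethereum", "ETH",    0.05),
    ("t6", PRIMARY,      AXOME_RCP,  "ethereum", "AXOME",  500),
    ("t7", PRIMARY,      SWEEPER,    "base",     "ETH",    0.2),
    ("t8", SWEEPER,      DEX_ROUTER, "base",     "USDC",   112),
    ("t9", OTHER_VICTIM, NFT_RECIP,  "ethereum", "CHECKS", 1),
]


def trace_cluster(transfers, seed, services):
    """Forward BFS from `seed` over transfer edges. Service addresses are
    recorded as touched but never expanded, so a swap through a DEX does not
    pull the DEX's other users into the cluster."""
    out_edges = defaultdict(set)
    for _, src, dst, *_rest in transfers:
        out_edges[src].add(dst)
    cluster, touched, queue = set(), set(), deque([seed])
    while queue:
        addr = queue.popleft()
        for nxt in out_edges[addr]:
            if nxt in services:
                touched.add(nxt)
            elif nxt not in cluster and nxt != seed:
                cluster.add(nxt)
                queue.append(nxt)
    return cluster, touched


def find_dead_drops(transfers, cluster):
    """Cluster members with exactly one inbound counterparty and no outbound
    transfers: the receive-and-go-dormant pattern of the secondary wallet."""
    inbound, outbound = defaultdict(set), defaultdict(int)
    for _, src, dst, *_rest in transfers:
        inbound[dst].add(src)
        outbound[src] += 1
    return {a for a in cluster if len(inbound[a]) == 1 and outbound[a] == 0}


def exchange_cashouts(transfers, cluster, services):
    """Edges from the cluster to any address labelled as an exchange deposit."""
    return [(tx, src, dst, asset, amt)
            for tx, src, dst, _chain, asset, amt in transfers
            if src in cluster and services.get(dst, "").startswith("cex:")]


if __name__ == "__main__":
    cluster, touched = trace_cluster(TRANSFERS, VICTIM, SERVICES)
    print("attacker cluster:", sorted(cluster))
    print("services touched:", [SERVICES[a] for a in touched])
    print("dead drops:      ", sorted(find_dead_drops(TRANSFERS, cluster)))
    print("exchange cashouts:", exchange_cashouts(TRANSFERS, cluster, SERVICES))
```

On this constructed data the AXOME recipient matches the dead-drop heuristic as well as the secondary wallet, which is the right reading of the heuristic: it produces leads for manual review, not attribution. The exchange check returns nothing here, matching the report's finding; the moment a real cash-out edge appears, that edge is the one to hand to the exchange together with the timestamp.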