Prominent crypto trader and X personality Unihax0r (@0xUnihax0r) was drained of more than $200,000 in a multi-chain attack on May 11, 2026, in what on-chain investigators have identified as a private key compromise—not a smart contract exploit or malicious token approval.
“Just got drained or hacked for more than 200k. Sick to my stomach,” Unihax0r wrote on X around 01:53 UTC, sharing the attacker’s wallet address (0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A) and requesting community help tracing the funds.
The incident has reignited a fierce debate about the security risks of Telegram-based trading bots — the infrastructure that an estimated hundreds of thousands of crypto traders rely on daily for on-chain execution.
The Attack: Manual, Methodical, Multi-Chain
On-chain analysis reveals a manual drain executed over a roughly 10–30 minute window between approximately 00:37 and 00:56 UTC. Two wallets were emptied across three chains: Ethereum, Base, and BSC.
The bulk of the losses came from approximately $125,000 in $POD tokens on Base and $21,000 in $FHE on BSC, along with ETH and smaller positions including $SAT1. The attacker was thorough enough to dust the Ethereum wallet with a small amount of ETH to sweep remnant token balances—a hallmark of an experienced operator with full signing control.
Critically, this was not a malicious approval drain or a smart contract exploit. The attacker had direct private key access, enabling them to sign transactions natively across all three chains without needing any on-chain permissions.
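The distinction drawn above can be checked from transfer records: in a key compromise the victim's own address signs the outbound transactions, while in an approval drain a third-party spender signs and pulls the tokens. The sketch below is an added example, not code from the investigators or any tool named in this article; the record layout, the verdict labels and the placeholder addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int        # block timestamp, seconds
    chain: str
    signer: str    # tx.from, i.e. the account whose key signed the transaction
    kind: str      # "native" (ETH/BNB) or "token" (ERC-20 Transfer event)
    src: str       # account the value left
    dst: str       # account the value arrived at

def classify_drain(victim, transfers):
    """Classify outflows from `victim` by who signed them."""
    out = [t for t in transfers if t.src == victim]
    own = [t for t in out if t.signer == victim]
    pulled = [t for t in out if t.signer != victim]   # transferFrom by a spender
    if not out:
        verdict = "no-outflow"
    elif not pulled:
        verdict = "victim-key-signed"      # consistent with private key compromise
    elif not own:
        verdict = "approval-or-permit"     # revoking allowances is the remedy
    else:
        verdict = "mixed"
    receivers = {t.dst for t in out}
    # Gas top-up: a receiver of the stolen funds sends native coin to the victim,
    # and the victim's key signs a token transfer on that chain afterwards.
    topups = sorted({
        t.chain for t in transfers
        if t.kind == "native" and t.dst == victim and t.src in receivers
        and any(o.kind == "token" and o.chain == t.chain and o.ts > t.ts for o in own)
    })
    return {"verdict": verdict,
            "chains": sorted({t.chain for t in out}),
            "gas_topups": topups}

# Constructed sample records (placeholder addresses, not real on-chain data).
V, A, S = "0xVICTIM", "0xATTACKER", "0xSPENDER"
KEY_DRAIN = [
    Transfer(100, "ethereum", A, "native", A, V),   # dust to pay gas
    Transfer(160, "ethereum", V, "token", V, A),    # remnant tokens swept
    Transfer(200, "base", V, "token", V, A),
    Transfer(260, "bsc", V, "token", V, A),
    Transfer(300, "base", V, "native", V, A),
]
APPROVAL_DRAIN = [
    Transfer(100, "base", S, "token", V, A),        # spender calls transferFrom
]

if __name__ == "__main__":
    print(classify_drain(V, KEY_DRAIN))
    print(classify_drain(V, APPROVAL_DRAIN))
```

A `victim-key-signed` verdict means revoking token approvals would not have helped; only moving funds to freshly generated keys does.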
The SIGMA Connection
The two compromised wallets share a common origin: both were originally generated or imported via the SIGMA Telegram bot, a multi-chain trading bot that supports Ethereum, BSC, Base, Solana, Avalanche, and other networks through a single Telegram interface.
Unihax0r confirmed that the wallets were subsequently imported into GMGN (a Telegram-based trading and analytics bot) and Rabby Wallet (a browser-based wallet). Other wallets on Rabby and Jupiter that were not generated through SIGMA remained untouched — a detail that has focused community attention on the SIGMA workflow as the likely compromise point.
The suspected attack vectors, according to community on-chain observers, include Telegram-based phishing — particularly malicious CAPTCHA bots that appear when interacting with SIGMA — as well as potential malware or infostealer infections, device compromise, malicious browser extensions, or a fake GMGN workflow. Unihax0r reported no suspicious Telegram sessions on his account.
Funds Likely Unrecoverable
The stolen assets were moved to the attacker’s externally owned account (EOA). On-chain traces suggest mixing and tumbling attempts are already underway, with the majority of funds sitting in attacker-controlled addresses primarily on Base. Community members and fraud tracking accounts have offered further tracing assistance, but recovery prospects are considered low.
All compromised wallets have been flagged as fully compromised, and Unihax0r has been advised to migrate to entirely new wallets.
The Telegram Bot Security Problem
The incident spotlights a structural vulnerability in the Telegram trading bot ecosystem that security researchers have flagged throughout 2026. When users generate wallets through Telegram bots, the private keys are created and — in many cases — stored within the bot’s infrastructure. Unlike hardware wallets where keys never leave the device, Telegram bot wallets rely on the security of the bot provider, the user’s Telegram account, and every intermediary the keys pass through.
The attack surface is wide. Malicious CAPTCHA bots—designed to look like legitimate verification steps within Telegram trading channels—have become a common phishing vector in 2026. When a user interacts with a fake CAPTCHA, the bot can harvest session tokens, inject clipboard-replacing malware, or in some cases directly exfiltrate private keys stored in the Telegram environment.
Security firm Hacken has noted that most Telegram trading bots are closed-source and unaudited, and some explicitly disclaim responsibility for unauthorized access to user accounts in their terms of service. The absence of end-to-end encryption in Telegram bot interactions exposes an additional layer of risk.
DEXTools’ 2026 safety guide for Telegram bots is blunt on the core risk: “Bots get hacked. Extract profits daily.” The recommendation to use burner wallets with only active trading capital — never storing significant holdings — is widely considered best practice but frequently ignored by traders seeking the convenience of a unified multi-chain interface.
A Familiar Pattern in 2026
The Unihax0r drain joins a growing list of high-profile individual wallet compromises in 2026. In December 2025, a crypto whale lost $27.3 million after a multi-signature wallet was compromised via a leaked private key. In March 2026, BONK.fun was hit after attackers hijacked a team account and deployed a wallet drainer on the site’s domain. And just last week, the Grok/Bankr exploit demonstrated how even indirect key exposure—through AI agent intermediaries—can result in six-figure losses.
The incident drew widespread reactions on Crypto Twitter, ranging from sympathy to pointed irony over the “Haxor got hacked” dynamic—and, more constructively, renewed warnings about the fundamental trade-off at the heart of Telegram bot trading: speed and convenience vs. custodial risk.
