Key Highlights
- Over $665K stolen from 50+ crypto wallets across Ethereum, Solana, BNB Chain, and Tron since March in an ongoing breach wave.
- Investigators trace funds through HTX and KuCoin, suspecting coordinated laundering possibly linked to AudiA6 service.
- Telegram trading bots under scrutiny as weak key storage and centralized systems fuel rising multi-chain wallet exploits.
A wave of private key compromises has drained more than $665,000 from over 50 crypto wallets across Ethereum, Solana, BNB Chain, and Tron since March 21. The thefts came to wider attention after two publicly reported incidents within the last 36 hours involving crypto figures Eli5defi and Unihax0r, though investigators have not confirmed whether both cases share the same attacker.
In a post on X, Specter said attackers still control part of the stolen funds. He linked the Eli5defi case to a wider network of wallet thefts affecting dozens of users. The funds moved across multiple blockchains before reaching exchanges such as HTX and KuCoin. Consequently, investigators now suspect coordinated laundering activity, possibly involving the service known as AudiA6.
Multi-chain laundering trail leads to HTX, KuCoin, and Tron
On-chain data identified a consolidation wallet: 0x8016FFb7…4DA6ff978 receiving a rapid-fire sequence of token transfers on March 22. Assets swept into the wallet included PEPE, LINK, ONDO, NEAR, SEI, AIOZ Network, HashAI, and over a dozen other tokens, all within an eight-minute window.
A second consolidation address: 0xF34b887d…D094B0126 shows a similar pattern on April 27, aggregating SHIB, FET, ChainLink, USDC, Tether, Mind of Pepe, Waifu, and other tokens from multiple source wallets. Several inbound transactions originated from distinct sender addresses, consistent with the multi-victim consolidation pattern Specter described.
According to Specter’s analysis, the attacker used small BNB gas fee transfers to link victim wallets before executing drains. Stolen assets were consolidated, bridged to BNB Chain, and deposited into HTX. Timing analysis then traced the flow to Solana and subsequently to KuCoin, from where the funds were withdrawn to a Tron wallet currently holding approximately $173,000 in USDT. Movement patterns suggest the attacker used the laundering service known as AudiA6.
No single compromised platform identified
What makes this cluster particularly difficult to investigate is the diversity among victims. According to Specter, some compromised wallets are four to eight years old with extensive transaction histories, while others are less than a year old with only a single inbound transfer. Victims also used different wallet providers, ruling out a single compromised application as the source.
Specter said, “I still can’t determine exactly how the keys were leaked.” He added that investigators may need to contact victims directly to gather more information. Besides, he warned users to remain cautious as the tracing work continues.
Telegram trading bots face renewed scrutiny
The latest wave of attacks has raised fresh concerns around Telegram-based crypto trading bots in 2026. Crypto trader Unihax0r confirmed losing more than $200,000 in a multi-chain exploit on May 11. “Just got drained or hacked for more than 200k. Sick to my stomach,” he wrote on X.
Researchers say many recent wallet breaches trace back to Telegram bot ecosystems. Unlike hardware wallets, these bots often generate and store private keys within centralized systems. As a result, attackers can take advantage of weak account security, fake verification bots, or stolen session tokens.
Rising pressure on wallet security infrastructure
The findings add to an already severe year for crypto security. April 2026 recorded more than $770 million in hack losses across the DeFi sector, making it the worst month on record for exploit incidents. While most of those losses stemmed from large-scale bridge and protocol attacks, the wallet-level key compromise pattern Specter has documented a quieter but persistent threat vector that is harder to detect and defend against.
Additionally, security firms warn that many trading bots remain closed-source and unaudited. Hacken has previously noted that some providers also limit liability for unauthorized account access.
The recent incidents follow a string of crypto thefts this year. In March, attackers hijacked BONK.fun through a compromised team account. Last week, the Grok/Bankr exploit highlighted new risks linked to AI-assisted wallet access. Consequently, pressure is increasing on the industry to strengthen wallet security and reduce exposure to centralized bot infrastructure.
Also Read: Peter Schiff Fires Back at Saylor: Calls STRC a ‘Classic Centralized Ponzi Run by MSTR’
