How a Dormant Approval Enabled a $13.3M Ethereum Exploit

An old Ethereum token approval was exploited, allowing an attacker to drain $13.3M from a wallet within seconds of receiving funds.

An Ethereum wallet lost about $13.3 million in seconds after a long-forgotten token approval was activated.

The funds arrived through an account abstraction transaction, and the attacker acted immediately. Blockchain data shows the wallet had unknowingly granted spending rights weeks earlier.

Once the transfer landed, the approval allowed full access without further confirmation. The incident shows how dormant permissions can remain active and be used without warning.

Wallet Receives Funds and Is Drained Quickly

The victim wallet, identified as 0xba15E9b644685cB845aF18a738Abd40C6Bcd78eD, received about $13.3 million in a single transaction.

The attacker executed the transfer using an account abstraction mechanism designed to simplify wallet operations.

Moreover, blockchain records show the funds arrived and the attacker removed them within seconds. Consequently, the rapid timing left no window for manual intervention or defensive action.

The speed of the drain suggested the attacker did not need new permissions. Instead, the attacker already had access before the transfer occurred.

Additionally, security trackers confirmed that no new approval transactions took place during the incident. This ruled out common phishing or signature-based attacks.

Investigators then reviewed historical onchain activity linked to the wallet. Their focus shifted to older token approvals that had never been revoked.

This review revealed an earlier approval that still allowed third-party spending. That dormant permission became the entry point for the exploit.

Old Approval Enabled the Exploit

Investigators traced the root cause to an approval transaction made on January 1, 2026. That call granted spending rights to address 0x616000e384Ef1C2B52f5f3A88D57a3B64F23757e.

At the time, the approval did not raise public concern. The permission remained active and was not revoked.

An old approval just cost $13.3M.

The victim address 0xba15E9b644685cB845aF18a738Abd40C6Bcd78eD received ~$13.3M via an account abstraction transaction and was drained within seconds.

The root cause traces back to an approve() call made on Jan 1, 2026, granting spending rights… pic.twitter.com/vDVhX8emXD

— QuillAudits 🥷 (@QuillAudits_AI) January 26, 2026

The attacker address, 0x6cAad74121bF602e71386505A4687f310e0D833e, later used this approval.

It allowed full access to the incoming funds. Once the funds arrived, the attacker executed transfers without delay. The attacker removed the entire balance in one coordinated action.

Fund Movements After the Drain

After the drain, the attacker swapped the stolen assets from tokens into WETH and then into ETH. These steps reduced exposure to token-level tracking.

The attacker then moved funds across multiple wallets. Transfers were fast and spread across several addresses.

This method created a complex transaction pattern. Attackers often use such patterns to slow down tracing efforts.

Blockchain analysis shows a portion of the ETH remains on-chain. These funds sit in addresses still linked to the attacker.

Related Reading: $25M in Losses: Machi Liquidated for 1,000 ETH After Market Drop

Ongoing Onchain Observations

Security observers continue monitoring the attacker-linked wallets. However, investigators found no mixing services during the initial movements.

The presence of funds on-chain leaves room for tracking. Analysts rely on transaction timing and address links.

The incident shows how older approvals can remain active. Wallet owners often forget these permissions over time. The event adds to recent cases involving stale approvals. It reinforces the need for regular permission reviews.

As of the latest data, no recovery transaction has occurred. The stolen funds remain under attacker control.