When Wallets Swarm: Reading Early Signals Before an Exploit
Exploits rarely come out of nowhere. In the hours before “the big transaction,” there is often a swarm of small moves that can give teams a crucial head start.
Visualizing the convergence of low-value transactions before the storm.
The Myth of the “Out‑of‑Nowhere” Hack
Most post‑mortems talk about the single transaction that drained a pool or abused a contract. But from a defender’s perspective, what matters is everything that happened before that moment.
In our work across multiple incidents, we see three recurring early signals:
- New wallets being funded from the same sources (e.g., Tornado Cash or a known CEX hot wallet).
- Test transactions against non‑obvious code paths, often with minimal value (wei-level transfers).
- Sudden interest in stale or low‑liquidity pools that haven't seen volume in weeks.
These signals often appear 4-12 hours before the main attack. This window is critical. It's the difference between a "war room" scrambling to pause contracts and a "post-mortem" explaining why the treasury is empty.
Pattern 1: Fund‑and‑Fan‑Out
The attacker funds a fresh wallet from a mixer (like Tornado Cash), then splits that ETH into 50+ smaller wallets.
What makes these wallets interesting is the combination of:
- Timing (compressed into a short window).
- Destination (all converge on the same protocol or router).
- History (wallets with minimal or no prior activity).
We call this the "Fan-Out" because visually, on a graph, it looks like a single node exploding into multiple leaves. The attacker is preparing multiple addresses to bypass rate limits or to obfuscate the flow of funds post-exploit.
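The following is an added example of a fan-out detector, not code from the original post or from Trinetra. It checks the three properties above over a flat list of native-value transfers (a hypothetical record shape; all addresses, hashes and timestamps in the sample are constructed): a watched funding hub pays out to several wallets with no prior history inside one window (timing and history), and enough of those wallets later reach the same protocol contract (destination). The watchlist of hubs, the window and the thresholds are assumptions to tune against your own data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    # Hypothetical flat record of a native-value transfer, as an indexer would emit it.
    # Every address below is a constructed label, not a real on-chain address.
    tx_hash: str
    sender: str
    recipient: str
    value_wei: int
    timestamp: int  # unix seconds


def first_seen(transfers):
    """Earliest timestamp at which each address shows up as sender or recipient."""
    seen = {}
    for t in transfers:
        for addr in (t.sender, t.recipient):
            seen[addr] = min(seen.get(addr, t.timestamp), t.timestamp)
    return seen


def detect_fan_out(transfers, funding_hubs, protocol,
                   window_seconds=3600, min_leaves=5, min_converging=3):
    """Find fan-out clusters: a watched hub funds >= min_leaves wallets that have no
    prior history inside one window, and >= min_converging of them later reach
    `protocol`. Returns at most one cluster dict per hub."""
    transfers = sorted(transfers, key=lambda t: t.timestamp)
    seen = first_seen(transfers)
    outflows = defaultdict(list)
    for t in transfers:
        if t.sender in funding_hubs:
            outflows[t.sender].append(t)

    clusters = []
    for hub, outs in outflows.items():
        for i, start in enumerate(outs):             # slide a window over the hub's outflows
            leaves = set()
            for t in outs[i:]:
                if t.timestamp - start.timestamp > window_seconds:
                    break
                if seen[t.recipient] == t.timestamp:   # history: first appearance is this funding
                    leaves.add(t.recipient)
            if len(leaves) < min_leaves:               # timing: too few fresh wallets in the window
                continue
            converging = {t.sender for t in transfers
                          if t.sender in leaves and t.recipient == protocol
                          and t.timestamp >= start.timestamp}
            if len(converging) >= min_converging:      # destination: leaves converge on one protocol
                clusters.append({"hub": hub, "window_start": start.timestamp,
                                 "leaves": leaves, "converging": converging})
                break                                  # one alert per hub is enough
    return clusters


# Constructed sample: a mixer-like hub "0xHUB" funds six brand-new wallets in five minutes,
# four of which then call "0xPROTO"; an exchange "0xCEX" pays out to wallets with history.
SAMPLE_TRANSFERS = [
    Transfer("t0", "0xCEX", "0xOLD1", 10**18, 0),
    Transfer("t1", "0xCEX", "0xOLD2", 10**18, 10),
] + [
    Transfer(f"h{i}", "0xHUB", f"0xW{i}", 2 * 10**17, 1000 + 60 * i) for i in range(6)
] + [
    Transfer("h6", "0xHUB", "0xOLD1", 10**17, 1400),        # wallet with history: not a leaf
    Transfer("c0", "0xCEX", "0xOLD1", 5 * 10**17, 2000),
    Transfer("c1", "0xCEX", "0xOLD2", 5 * 10**17, 2100),
] + [
    Transfer(f"p{i}", f"0xW{i}", "0xPROTO", 0, 3000 + 30 * i) for i in range(4)
]

if __name__ == "__main__":
    for c in detect_fan_out(SAMPLE_TRANSFERS, {"0xHUB", "0xCEX"}, "0xPROTO"):
        print(f"fan-out from {c['hub']}: {len(c['leaves'])} fresh wallets, "
              f"{len(c['converging'])} converging on 0xPROTO")
```

The exchange in the sample never produces a cluster even though it is on the hub watchlist, because its recipients already had history and do not converge on the protocol; that is the point of requiring all three properties rather than alerting on funding volume alone.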
Pattern 2: Micro‑Probing Exotic Code Paths
Before they ship a major exploit, skilled actors often probe code paths that typical users never touch. You might see tiny value transfers that:
- Use uncommon function selectors.
- Interact with deprecated or “forgotten” contracts.
- Involve unusual token pairs or routing paths.
These "micro-probes" are the attacker's way of verifying their exploit hypothesis without triggering alarms. They are checking if the contract state changes as expected. If you see a transaction that reverts with a custom error, followed by one that succeeds with 0 value, pay attention.
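As an added example (not code from the original post or from Trinetra), the detector below looks for the two micro-probe signals described above over decoded contract calls: tiny-value calls to a selector that is rarely used on that contract, and a revert with a custom error followed shortly by a 0-value success from the same sender to the same contract. The call record shape, the value and rarity thresholds, and the sample data (200 routine transfer calls plus one probing wallet) are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    # Hypothetical decoded contract call; selector is the first 4 bytes of calldata.
    sender: str
    contract: str
    selector: str
    value_wei: int
    timestamp: int
    success: bool
    error: Optional[str] = None   # custom error name when the call reverted


def selector_baseline(calls):
    """Per-contract call counts by selector. In production, build this from a
    historical window rather than from the batch you are scanning."""
    per_contract = defaultdict(Counter)
    for c in calls:
        per_contract[c.contract][c.selector] += 1
    return per_contract


def find_micro_probes(calls, baseline=None, max_value_wei=10_000,
                      cold_share=0.02, pair_window=900):
    """Return alert tuples for (1) tiny-value calls to 'cold' selectors and
    (2) a custom-error revert followed within pair_window seconds by a 0-value
    success from the same sender to the same contract."""
    if baseline is None:
        baseline = selector_baseline(calls)
    calls = sorted(calls, key=lambda c: c.timestamp)
    alerts = []

    for c in calls:
        total = sum(baseline[c.contract].values())
        # a selector never seen in the baseline counts as cold (share 0)
        share = baseline[c.contract][c.selector] / total if total else 0.0
        if c.value_wei <= max_value_wei and share <= cold_share:
            alerts.append(("cold_selector", c.sender, c.contract, c.selector, c.timestamp))

    last_revert = {}   # (sender, contract) -> most recent custom-error revert
    for c in calls:
        key = (c.sender, c.contract)
        if not c.success and c.error:
            last_revert[key] = c
        elif c.success and c.value_wei == 0 and key in last_revert:
            prev = last_revert.pop(key)
            if c.timestamp - prev.timestamp <= pair_window:
                alerts.append(("revert_then_success", c.sender, c.contract,
                               prev.error, c.timestamp))
    return alerts


def build_sample_calls():
    # Constructed: 200 ordinary transfer() calls to "0xPROTO" from 40 users, then a
    # probing wallet hits an unused selector with 1 wei, reverts with a custom error,
    # and retries successfully with 0 value ninety seconds later.
    calls = [Call(f"0xU{i % 40}", "0xPROTO", "0xa9059cbb", 10**18, 100 + i, True)
             for i in range(200)]
    calls.append(Call("0xPROBE", "0xPROTO", "0xdeadbeef", 1, 5000, False, "InvalidPath"))
    calls.append(Call("0xPROBE", "0xPROTO", "0xdeadbeef", 0, 5090, True))
    return calls


SAMPLE_CALLS = build_sample_calls()

if __name__ == "__main__":
    for a in find_micro_probes(SAMPLE_CALLS):
        print(*a)
```

A legitimately rare selector (an admin or migration function) will also score as cold, so keep a per-contract allowlist of known-rare selectors, and compute the baseline from a trailing history window so the probes themselves do not inflate their own share.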
How Trinetra Operationalizes These Signals
We don't just show you the dots; we connect them. Our engine correlates the funding source, the contract interaction type, and the timing to generate a high-confidence "Pre-Exploit" alert when signals like these overlap:
- A surge in newly funded wallets targeting a specific protocol.
- Overlapping origin addresses or funding hubs between these wallets.
- Micro‑transactions to low‑traffic functions on the same contract.
Individually, each signal might be “interesting.” Together, they push the risk score high enough to trigger a clear escalation path for your security team.
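The scoring step below is an added example of how such a correlation can be expressed, written for this page and not Trinetra's engine. It consumes signal events that upstream detectors would emit (a hypothetical record shape), groups them per protocol over a trailing window, and combines the three signals from the list above: a surge of newly funded wallets, funding hubs shared between them, and micro-transactions, weighted higher when they come from the same swarm of wallets. The weights and the escalation threshold are assumptions chosen so that no single signal escalates on its own; the sample signals are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signal:
    # Hypothetical event emitted by upstream detectors (fan-out, micro-probe, watchlist hits).
    kind: str                            # "new_wallet_funded" or "micro_tx"
    wallet: str
    protocol: str
    timestamp: int
    funding_hub: Optional[str] = None    # set for new_wallet_funded


# Assumed weights: no single signal reaches the escalation threshold alone.
WEIGHTS = {"new_wallets": 3.0, "shared_hub": 3.0, "micro_tx": 4.0}
ESCALATE_AT = 10.0


def score_protocol(signals, protocol, now, window_seconds=4 * 3600, min_new_wallets=5):
    """Correlate the signals for one protocol over a trailing window and return a
    risk score, an escalation flag and the evidence behind them."""
    recent = [s for s in signals
              if s.protocol == protocol and now - window_seconds <= s.timestamp <= now]
    new_wallets = {s.wallet for s in recent if s.kind == "new_wallet_funded"}

    hub_to_wallets = defaultdict(set)
    for s in recent:
        if s.kind == "new_wallet_funded" and s.funding_hub:
            hub_to_wallets[s.funding_hub].add(s.wallet)
    shared_hubs = {hub for hub, ws in hub_to_wallets.items() if len(ws) >= 2}

    micro_wallets = {s.wallet for s in recent if s.kind == "micro_tx"}

    score, evidence = 0.0, []
    if len(new_wallets) >= min_new_wallets:
        score += WEIGHTS["new_wallets"]
        evidence.append(f"{len(new_wallets)} newly funded wallets touching {protocol}")
    if shared_hubs:
        score += WEIGHTS["shared_hub"]
        evidence.append(f"shared funding hubs: {sorted(shared_hubs)}")
    if micro_wallets & new_wallets:          # probes from the same swarm weigh most
        score += WEIGHTS["micro_tx"]
        evidence.append(f"micro-transactions from swarm wallets: {sorted(micro_wallets & new_wallets)}")
    elif micro_wallets:
        score += WEIGHTS["micro_tx"] / 2
        evidence.append(f"micro-transactions from unrelated wallets: {sorted(micro_wallets)}")
    return {"protocol": protocol, "score": score,
            "escalate": score >= ESCALATE_AT, "evidence": evidence}


# Constructed sample: six wallets funded from one hub inside five minutes, one of them
# sending a micro-transaction an hour later; a second protocol sees only routine noise.
SAMPLE_SIGNALS = [
    Signal("new_wallet_funded", f"0xW{i}", "0xPROTO", 1000 + 60 * i, "0xHUB") for i in range(6)
] + [
    Signal("micro_tx", "0xW2", "0xPROTO", 4600),
    Signal("new_wallet_funded", "0xX1", "0xOTHER", 1200, "0xCEX"),
    Signal("micro_tx", "0xY9", "0xOTHER", 4000),
]

if __name__ == "__main__":
    for proto in ("0xPROTO", "0xOTHER"):
        r = score_protocol(SAMPLE_SIGNALS, proto, now=6000)
        print(proto, r["score"], "ESCALATE" if r["escalate"] else "watch",
              *r["evidence"], sep="\n  ")
```

Dropping the micro-transaction from the sample leaves the first protocol at a score of 6.0, below the threshold: the swarm alone is "interesting" and lands on a watchlist, while the swarm plus a probe from one of its own wallets is what escalates. The window matters too; the same signals scored hours later fall out of the trailing window and the score returns to zero, which is why the 4-12 hour lead time in the text is the window worth tracking.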
What Security Teams Can Do Next
You don’t need a full research org to benefit from these patterns. Start simple:
- Maintain watchlists for critical contracts and routes in your stack.
- Track clusters of new wallets interacting with them over short windows.
- Establish a lightweight playbook for “pre‑incident” situations.
The goal isn’t to predict every exploit. It’s to move from surprise to preparedness — to notice when wallets start to swarm and give your team time to act.
Trinetra Tycoon bakes these patterns into live monitoring, so your analysts see more than just noise when the next swarm begins.