SIGMA bot blamed as attacker drains $200K from trader's wallets

Crypto trader and X personality Unihax0r lost +$200,000 on May 11 after someone drained two of his wallets across Ethereum, Base, and BSC. On-chain analysts think it was a private key leak linked to a Telegram trading bot.

“Just got drained or hacked for more than 200k. Sick to my stomach,” Unihax0r posted on X. He shared the attacker’s wallet address and asked people to help trace the funds.

Attacker swept three chains in under an hour

This wasn’t a smart contract exploit since there’s no malicious token approval.

On-chain analyst @k0braca1 looked at the transactions right after it happened and said it looked like a private key leak. The attacker “had full control over signing operations across multiple chains: Ethereum, Base and BSC.”

The drain took somewhere between 10 and 30 minutes. The biggest chunks were about $125,000 in $POD tokens on Base and $21,000 in $FHE on BSC, plus ETH and smaller positions. The attacker even sent a bit of ETH to the Ethereum wallet first to cover gas for sweeping the remaining token balances.

Hey bro, sorry this happened to you.

My quick assessment of what happened. The exploit looks like a private key leak rather than related to any malicious transactions, as the attacker has full control over signing operations across multiple chains: Ethereum, Base and BSC. It…

— kc (@k0braca1) May 11, 2026

SIGMA bot was the common thread

Both crypto wallets that got drained were created via a Telegram multichain trading bot called SIGMA. Unihax0r imported those wallets into GMGN, which is another Telegram trading tool, and Rabby Wallet.

Other wallets on Rabby and Jupiter were not drained since the SIGMA bot did not create them. This means that the SIGMA trading bot is the probable cause of this attack.

Investigators in the community have come up with a few ideas about what caused the theft of secret keys:

• Telegram phishing through fake CAPTCHA bots that pop up when you use SIGMA.
• Malware or infostealer infections.
• Device compromise.
• Malicious browser extensions.

Unihax0r said he checked his Telegram account and found no suspicious sessions, per Crypto Times.

The stolen crypto went to an externally owned account that the attacker controls.

The stolen crypto was transferred to an external wallet owned by the attacker. On-chain data shows the stolen tokens are already being mixed by the attacker.

Most of the assets are still sitting in the attacker’s wallets on Base. Community members and fraud tracking accounts have offered to help trace funds, but the odds of getting the money back are low.

Telegram bots are a structural weak point

Crypto losses connected to Telegram trading bots keep piling up. When a user generates wallets through Telegram bots, the private keys get created and stored within the bot’s infrastructure.

Security researchers from ForkLog warned about using Telegram bots to trade crypto. They explained that Telegarm bots “could potentially lead to asset losses and are not safeguarded against hacker attacks.”

Telegram bot scams have been ramping up. Web3 anti-scam platform ScamSniffer said Telegram group malware scams jumped by 2,000% between November 2024 and January 2025. Attackers use fake verification bots and phony group invitations to push malware that can access wallets and browser data.

Last September, Banana Gun, which is one of the most active Telegram trading bots, had 36 wallets exploited for 536 ETH. That was ~$1.9 million at the time. The bot went offline after that.

If you're reading this, you’re already ahead. Stay there with our newsletter.