Wallet

Socket investigators say a supply-chain campaign dubbed "Trapdoor" used malicious packages on npm, PyPI, and Crates.io to target crypto developers, aiming to steal wallet keys and other secrets. The firm reported the activity began with waves of package releases on May 22 and continued with updates over the following weekend, affecting 34 packages across 384 versions, some of which remained available.

Ethereum posted a new on-chain activity record over the past 30 days, with daily transactions topping 3.62M at the end of April. Lower fees after the Glamsterdam upgrade—down 78%, with simple transfers as low as $0.004—appear to be enabling a surge in address-poisoning and dusting activity that puts user wallets at higher risk.

RAIL, Railgun’s native token, climbed above $4.51 to mark a new 2026 high before pulling back to $4.05 amid higher volatility. Trading volume reached $7.5M—about 10 times typical levels—and the token is up more than 128% year to date. The move coincided with renewed attention on crypto privacy and expectations that wallet integrations could broaden Railgun usage.

Ethereum co-founder Vitalik Buterin says many smart contract wallets and privacy tools still rely on third-party relays to get transactions included onchain, creating potential censorship and reliability risks. He points to FOCIL and EIP-8141, slated for the Hegota upgrade in late 2026, as a path to route transactions through the public mempool with a randomized validator inclusion model and a one-to-two slot inclusion target.

On May 23, 2026, XRP Ledger developer and Xaman wallet founder Wietse Wind warned the XRP community that scammers are impersonating Xaman and pushing fake "desktop wallet" downloads and bogus airdrop claims. He said he is seeing 20+ new X accounts per day and 10+ new domains per day designed to mimic Xaman. Wind urged users to stay vigilant and avoid connecting wallets to unknown sites or installing suspicious apps.

Ethereum's Clear Signing went live on May 12, 2026, with Ledger, Trezor and MetaMask switching signature prompts from hex strings to human-readable transaction details. The change targets signature-phishing losses that reached $6.27 million from 4,741 victims in Q1 2026, while keeping blind signing possible but more avoidable. The standard improves clarity for approvals such as "unlimited" token spend, though it does not remove risks tied to compromised apps or incomplete dApp metadata.

A report cited by Bitcoin journalist Joe Nakamoto says France accounts for about 70% of so-called crypto "wrench attacks," where victims are physically threatened to surrender digital assets. Nakamoto said France has recorded 41 crypto-related kidnappings so far in 2026, and linked the spike to centralized KYC databases and past breaches such as Ledger's 2020 customer-data leak.

Polymarket said a security incident on May 22 led to roughly $520,000–$700,000 in crypto being siphoned from an internal operations wallet, while user funds and core smart contracts were not affected. The activity was flagged after large outflows on Polygon (POL), with reports of about 5,000 POL withdrawn every 30 seconds from addresses tied to its UMA CTF Adapter. The team said it rotated keys and later recovered about $164,000 while trading and market resolutions continued normally.

XRP traded largely flat on Saturday after a week marked by broad crypto selling, slipping nearly 8% over the past seven days. Exchange outflows climbed to about 57.6% while deposits eased to roughly 42.4%, alongside reports of about 4,300 new wallets created in 24 hours and whale accumulation topping 71 million XRP over the past week. At press time, XRP changed hands at $1.33, down 1.19% in the last 24 hours.

Solana Floor warned on May 22, 2026 that scammers are impersonating Jupiter Exchange's Jupuary program by airdropping fake "$CJUP" tokens to Solana wallets and steering users to a wallet-draining phishing site. Jupiter has not announced any active distribution for May 2026, and users are advised to verify eligibility only through the official jup.ag airdrop checker and avoid interacting with unsolicited tokens.