A crypto user known as 0x_abu on X thought he had cleaned up after a phishing hit. In October 2023, he clicked a fake Discord link promising a giveaway. His wallet held about $5 in BNB. It drained. He revoked all permissions, disconnected every connected site, and kept going. Small deposits came and went over nearly two years. Nothing triggered. No alerts. No losses.
Then he put in $400.
Gone. Before he could react.
“Deposited $400. Instantly gone. The moment it hit, it was wiped. No interaction. No signing. Just a notification and everything disappeared,” 0x_abu posted on X.
The wallet had been carrying a sweeper bot the entire time. Sitting quietly. Waiting.
What Was Actually Planted on That Wallet
A sweeper bot is an automated script. Once a bad actor gets hold of a wallet’s private key, they deploy the script to monitor that address on the blockchain around the clock. The moment funds land, the bot fires a transaction to an attacker-controlled address. No manual input. No delay a human could take advantage of.
The bot beats the owner every time because it holds the private key itself. It does not need approval from the user. It can sign outgoing transactions independently, silently, and faster than any wallet interface can register the incoming deposit.
What 0x_abu’s case showed, and what most security write-ups skip over, was the threshold condition built into the bot.
The Trigger Most People Never Hear About
OxNonso confirmed it directly on X, responding to 0x_abu’s post.
“It’s permanently cooked. What happened was a sweeper bot was planted on your wallet the moment it was compromised. But it had a condition of a certain amount value before it triggers (>= $200). Sorry bro, same thing happened to me back in 2023,” OxNonso wrote on X.
That detail changes the entire picture. The bot was not broken during those two quiet years. It was configured. A minimum deposit value, $200 or above in this case, had to be met before the script would execute. Every small transaction 0x_abu made fell below that line. The bot logged them and held.
The $400 deposit crossed the threshold. The bot moved.
This pattern is not limited to one chain or one user. JaviBlackcrow posted on X that he lost $50,000 worth of $memesai tokens from a Solana wallet he had used four years earlier.
“It happened to me with $50,000 of $memesai from a wallet I interacted with four years prior onchain on Solana. The protocol got hacked five years after it was closed and they got the connected wallets,” JaviBlackcrow stated on X.
Different chain. Longer dormancy window. Same outcome.
Why Revoking Permissions Does Not Save You
This is where holders get it wrong after a phishing event. Revoking token approvals feels like the correct response. It is not sufficient. The sweeper bot does not depend on an approval to operate. It holds the private key. It can sign any transaction it wants without asking for permission through the wallet interface.
To attempt a revocation, gas is needed. Any token sent to the compromised wallet to cover that gas gets swept before the revocation transaction can even process. The bot is watching the mempool. It moves first.
0x_abu made exactly this point in his post, noting he had revoked everything and disconnected every site after the 2023 incident. None of it mattered. The key was already gone.
The Only Real Option Left
Stop depositing into that wallet entirely. Any amount sent in is a loss, whether $5 or $400. Create a new wallet using a fresh seed phrase on a clean device. The compromised seed phrase should never be reused on any network, including other chains where the same phrase controls separate addresses.
The harder reality for holders who have been active for a few years: a phishing link clicked on a Discord server in 2023 might still have an active bot attached to the wallet today. Quiet does not mean gone. It may just mean the threshold has not been crossed yet.
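A defender-side check on the threshold behaviour described above, as an added example that is not part of the original article: it scans a wallet's transfer history for deposits emptied within one block and brackets the trigger value between the largest deposit left alone and the smallest one swept. The records, placeholder addresses, and the one-block / 90% parameters are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int        # block height of the transfer
    direction: str    # "in" or "out", relative to the wallet under review
    usd: float        # value at the time of the transfer
    peer: str         # counterparty address (placeholders here)

# Constructed history for illustration; not real chain data.
HISTORY = [
    Transfer(1000, "in", 12.0, "0xOWNER_EXCHANGE"),
    Transfer(1450, "out", 11.5, "0xMERCHANT"),
    Transfer(2300, "in", 40.0, "0xOWNER_EXCHANGE"),
    Transfer(2990, "out", 39.0, "0xOWNER_NEW"),
    Transfer(5000, "in", 400.0, "0xOWNER_EXCHANGE"),
    Transfer(5000, "out", 399.2, "0xUNKNOWN_SINK"),  # emptied in the same block
]

def find_sweeps(history, max_gap=1, min_fraction=0.9):
    """Pair each deposit with an outflow that empties the wallet within max_gap blocks."""
    sweeps, balance = [], 0.0
    ordered = sorted(history, key=lambda t: t.block)  # stable sort keeps intra-block order
    for i, t in enumerate(ordered):
        if t.direction == "out":
            balance = max(balance - t.usd, 0.0)
            continue
        balance += t.usd
        for nxt in ordered[i + 1:]:
            if nxt.block - t.block > max_gap:
                break  # too slow to be automated; treat as owner activity
            if nxt.direction == "out" and nxt.usd >= min_fraction * balance:
                sweeps.append((t, nxt))
                break
    return sweeps

def threshold_bounds(history, sweeps):
    """Return (largest deposit left alone, smallest deposit swept), in USD."""
    swept = {dep for dep, _ in sweeps}
    ignored = [t.usd for t in history if t.direction == "in" and t not in swept]
    hit = [dep.usd for dep in swept]
    return (max(ignored, default=None), min(hit, default=None))

if __name__ == "__main__":
    sweeps = find_sweeps(HISTORY)
    print("sweeps:", [(d.usd, o.peer) for d, o in sweeps])
    print("trigger lies between (USD):", threshold_bounds(HISTORY, sweeps))
```

A missing upper bound (no sweep found) only shows that no deposit has crossed the trigger yet; it says nothing about whether the key is safe.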












