Security

Analysts Warn of $1.5 million phishing exploits related to Ethereum’s new EIP-7702

5 Min Read
5 Min Read
Analysts Warn of .5 million phishing exploits related to Ethereum’s new EIP-7702

Analysts are wary of a vulnerability linked to the relatively new Ethereum Improvement Proposal (EIP-7702) feature following a phishing attack of over 1 million investors.

Anti-Flaard Services Sniffer is paying attention to the rise in phishing frauds where target addresses of attackers have been upgraded based on the new EIP-7702 standard.

Introduced as part of the Pectra upgrade since May, the EIP-7702 feature is designed to enhance wallet functionality by allowing externally owned accounts (EOAs) to work temporarily like smart contracts.

This feature accelerates optimization by allowing multiple operations to be performed within a single transaction, thereby increasing efficiency for legitimate users. However, the feature reportedly opened them in a new exploitation window.

There have been at least three casualties this month

The latest unfortunate victim reportedly lost a total of $1.54 million after signing an EIP-7702 phishing batch transaction that included multiple token transfers and NFT approval operations. Some of these funds are reportedly placed on the mainnet via relay protocols.

Security analysts warn about a flaw in EIP-7702 after a user lost $1.54 million in one phishing attack

Exploiters buried stolen funds in the mainnet via relay protocols. Source: @RealScamsNiffer (x/Twitter)

The case comes two days after the fraud Sniffer signed a phishing batch deal disguised as a UNISWAP swap, and another investor announced that he lost $1 million in tokens and NFTs.

This exploit occurred a few weeks after the Anti-Fraud service reported that the upgraded address for EIP-7702 using the same exploit and losing $66,000 to the same group.

See also  North Korean state Kim Jong stole Bibit's cryptocurrency to fund his best friend Putin's Ukrainian war

These schemes include rogue Defi interfaces that are typically designed to mimic platforms such as UniSwap. Victims were encouraged to approve transactions that appear routine at first glance, but were actually allowed to be hidden transfers.

Once approved, the attacker will almost instantly drain the wallet and suck up the code and NFT.

According to Scam Sniffer, many users are still in the dark about the risks linked to EIP-7702, as it is a recent development. Malicious transactions are usually structured to look normal, making unsuspecting users vulnerable.

Security experts have reported the EIP-7702 exploit since June

Scam Sniffer has confirmed that phishing attacks targeting upgraded addresses for EIP-7702 are on the rise, indicating a growth trend. However, that’s not a new trend as security experts have been reporting incidents for months now.

In June, WinterMute researchers revealed that Exploiters were targeting several unsuspecting crypto wallets with “automatic sweeper” attacks. This time, we have a new feature launched as part of the EIP 7702 using “Delegate Contracts.”

EIP-7702 offers new conveniences, but also introduces new risks

Our research team found that over 97% of all EIP-7702 delegations were granted multiple contracts using the same exact code. These are sweepers and are used to automatically drain compromised ETH…pic.twitter.com/xhp7zr4hc9

– WinterMute (@wintermute_t) May 30, 2025

In a series of tweets shared via the official X-handle, Wintermute claimed that the research team found that over 80% of all EIP-7702 delegations were granted multiple contracts using the same exact code. They called them sweepers and reported that it was used to automatically drain ETH from compromised addresses.

See also  Data from over 18 million US crypto users listed for sale on Dark Web

Malicious attempts by hackers to drain ETH from their wallets continue despite the Ethereum Foundation’s $1 trillion security program, announced on May 14th.

For security, the fraud sniffer urged users to be cautious and vigilant when approving a batch transaction when verifying an interface carefully before signing anything.

Designed to mimic legitimate platforms, fake defi platforms are tagged as one of the most common attack vectors in the crypto sector, and the introduction of batch transactions has been proven to improve the user experience of legitimate applications, but they increase complexity while increasing the likelihood of exploits.

The best way to get ahead of the problem is to use only the trusted applications and triple check permissions granted during every transaction.

Discover more from Earlybirds Invest

Subscribe to get the latest posts sent to your email.

TAGGED:
Share This Article
Leave a comment

Popular News

Cupcakes turn your spare phone into free air-gap cold storage
Cupcakes turn your spare phone into free air-gap cold storage
Security
Kraken Perpetual Futures: Unlock exciting trading opportunities
Kraken Perpetual Futures: Unlock exciting trading opportunities
Exchange
C++ DEV Update: Announcing Remix
C++ DEV Update: Announcing Remix
Ethereum
OpenSim regions near 1 million
OpenSim regions near 1 million
Metaverse
AMF warns MICA of “atomic weapons” and France threatens to break the EU crypto market
AMF warns MICA of “atomic weapons” and France threatens to break the EU crypto market
Bitcoin
bitcoin
Bitcoin (BTC) $ 77,826.08
ethereum
Ethereum (ETH) $ 2,325.31
tether
Tether USDt (USDT) $ 1.00
bnb
BNB (BNB) $ 629.18
xrp
XRP (XRP) $ 1.42
cardano
Cardano (ADA) $ 0.248733
usd-coin
USDC (USDC) $ 0.999861
binance-usd
BUSD (BUSD) $ 1.00
dogecoin
Dogecoin (DOGE) $ 0.098388
okb
OKB (OKB) $ 84.18
shiba-inu
Shiba Inu (SHIB) $ 0.000006
tron
TRON (TRX) $ 0.323731
uniswap
Uniswap (UNI) $ 3.25
litecoin
Litecoin (LTC) $ 55.53
solana
Solana (SOL) $ 85.98
chainlink
Chainlink (LINK) $ 9.36
cosmos
Cosmos (ATOM) $ 1.96
ethereum-classic
Ethereum Classic (ETC) $ 8.40
filecoin
Filecoin (FIL) $ 0.93046
bitcoin-cash
Bitcoin Cash (BCH) $ 448.78
monero
Monero (XMR) $ 382.76

Discover more from Earlybirds Invest

Subscribe now to keep reading and get access to the full archive.

Continue reading