New Ethereum feature exploited just weeks after launch in $146K phishing heist

An Ethereum wallet upgraded to an EIP-7702 smart account has lost $146,551 in various memecoins to phishing scammers. Blockchain security firm Scam Sniffer reported the incident, noting that the funds were stolen through malicious batched transactions.
According to the firm, the victim 0xc6d289d signed the malicious batched transactions, allowing the attackers to siphon the funds. The scammers used 0xC83De81A and 0x33dAD2b to execute the attack.
Following the incident, cybersecurity expert Yu Xian described the phishing exploit as very creative and identified the well-known phishing group Inferno Drainer as the party behind it. The group had publicly claimed to have shut down, but a recent report by Check Point Research shows that its malware remains in active use and has been used to steal over $9 million in crypto assets in the last six months.
Xian, the founder of blockchain security firm SlowMist, noted that the scammers did not switch the victim's externally owned account (EOA) address to a phishing one. Instead, they used a mechanism in the MetaMask EIP-7702 delegator to carry out batch-authorization phishing and steal the tokens.
He said:
“What I mean by a bit creative is that this time, the user’s EOA address was not switched to the 7702 contract address through phishing. In other words, the delegated address is not a phishing address, but the MetaMask that existed a few days ago: EIP-7702 Delegator 0x63c0c19a2.”
This makes the incident even more complex than the previous attempts to exploit the EIP-7702 feature. Through the mechanism, the attackers could select tokens to steal from the victim’s address. Xian added that this shows how phishing gangs continue to find new and creative ways to steal users’ funds. Thus, crypto users must be careful so as not to lose their assets.
As to how the attackers were able to compromise the user’s wallet, he explained that the victim likely visited a phishing website and accidentally approved the operation without paying attention to it.
Phishing scammers exploiting EIP-7702
The incident raises more queries about the security of the EIP-7702 account abstraction feature, which was introduced with the Pectra upgrade a few weeks ago. Since its introduction, many people have adopted it, with Dune Analytics data from Wintermute Research showing over 48,000 delegations.
The feature allows Ethereum users to temporarily enable smart contract wallet capabilities for their externally owned accounts (EOA) by delegating control to an address whose code they want to execute.
Generally, EOAs are basic Ethereum accounts without functionalities such as gas sponsorship, alternative authentication, and transaction batching. With these features, users get an improved experience from the same basic account.
However, what was meant to improve user experience now exposes users to new risks. A sizable share of the authorized 7702 delegators are malicious contracts that steal users’ funds, with Dune Analytics data flagging 36.3% of the 175 delegate contracts as criminal.
According to GoPlus Security, funds sent to any affected EOA are automatically redirected to the scammer’s address. This allows phishing attackers to steal funds meant for infected addresses.
Users urged to protect themselves from phishing scams
Meanwhile, the emergence of new threat vectors has led experts to call on crypto users to be more vigilant. Xian noted that users need to check for any abnormal token authorizations and ensure their accounts have not been delegated to a phishing address.
He advised that users can check this by viewing their authorization records in a block explorer and cancel any such authorization by switching to a wallet that supports EIP-7702.

The leading Ethereum wallet, MetaMask, has also cautioned users against clicking any external link or email that asks them to upgrade their wallets to smart contract accounts. A popup in the wallet stated that any prompt to switch to a smart account would appear within the wallet itself.
Web3 security firm GoPlus also highlighted crucial safety measures, including verifying authorization addresses, verifying contract source code, and being cautious with non-open source contracts.