August 24, 2025 | Cryptopolitan

Analysts warn of $1.5M phishing exploit tied to Ethereum’s new EIP-7702

Analysts have sounded the alarm about a vulnerability linked to the relatively new Ethereum Improvement Proposal (EIP-7702) feature following a phishing attack that cost one investor over a million. Anti-fraud service Scam Sniffer has noted an increase in phishing scams where attackers target addresses upgraded under the new EIP-7702 […]

[…] EIP-7702 feature, which was introduced as part of the Pectra upgrade from May, is designed to enhance wallet functionality by allowing Externally Owned Accounts (EOAs) to temporarily behave like smart […] feature encourages optimization by allowing multiple operations to be executed within a single transaction, thereby improving efficiency for legitimate users.

However, the feature has reportedly opened them up to new exploitation […]

[…] have been at least three victims this month

The latest unfortunate victim reportedly lost a total of $1.54 million after signing EIP-7702 phishing batch transactions that contained multiple token transfers and NFT approval […] of those funds has reportedly been bridged to Mainnet via Relay […]

[…] bridged the stolen funds to Mainnet via Relay Protocol. Source: @realScamSniffer (X/Twitter)

The case comes two days after Scam Sniffer announced that another investor had lost $1M in tokens and NFTs after signing phishing batch transactions disguised as Uniswap […] exploit came weeks after the anti-fraud service reported that an EIP-7702 upgraded address lost $66k to the same group using the same […]

[…] schemes involve a fraudulent DeFi interface that is typically designed to mimic platforms like […] victims were prompted to approve transactions that at first glance appeared routine, but in reality, were authorized hidden […] approval, attackers would drain the wallet almost instantly, siphoning crypto and […]

[…] to Scam Sniffer, many users are still in the dark about the risks linked to EIP-7702 because it is a recent […] the malicious transactions are usually structured to appear normal, unsuspecting users are […]

[…] experts have reported EIP-7702 exploits since June

Scam Sniffer has confirmed that phishing attacks targeting EIP-7702 upgraded addresses have gone up, indicating a growing trend.

However, it is not a new trend, as security experts have been reporting incidents for months […] June, Wintermute researchers revealed exploiters have targeted several unsuspecting crypto wallets with “automated sweeper” attacks, this time using “delegate contracts”, a new feature launched as part of the EIP […]

[…] EIP-7702 brings new convenience, it also introduces new risks

Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact […] are sweepers, used to automatically drain incoming ETH from compromised… […]

— Wintermute (@wintermute_t) May 30, 2025

In a series of tweets shared via its official X handle, Wintermute claimed its research team had discovered that over 80% of all EIP-7702 delegations were authorized to multiple contracts using the same exact […] called them sweepers and reported that they are used to automatically drain incoming ETH from compromised […]

[…] malicious attempts by hackers to drain ETH from wallets have continued despite the Ethereum Foundation’s one trillion dollar security program, which it announced on May […]

[…] be safe, Scam Sniffer has urged users to be cautious and vigilant when approving batch transactions and to verify interfaces carefully before signing […]

[…] DeFi platforms designed to mimic legitimate ones have been tagged as one of the most common attack vectors in the crypto sector, and the introduction of batch transactions, though proven to improve user experience for legitimate applications, has added complexity while increasing the chance of an […] best way to get ahead of the issue is to use only trusted applications and triple-check permissions granted during every transaction, batched or […]
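The advice to check every permission in a batch before signing can be made concrete. The sketch below is an added example, not code from the article, Scam Sniffer or Wintermute: it assumes the batch has already been unpacked into (target, value, calldata) calls, and the addresses and the `known_good` allowlist are constructed placeholders.

```python
# Added example (not from the article): flag asset-moving calls in a decoded batch.
# Assumption: the batch is already decoded into (target, value_wei, calldata_hex) tuples.
SELECTORS = {  # 4-byte selectors of standard ERC-20 / ERC-721 methods -> (name, arg count)
    "a9059cbb": ("transfer", 2),           # transfer(address,uint256)
    "23b872dd": ("transferFrom", 3),       # transferFrom(address,address,uint256)
    "095ea7b3": ("approve", 2),            # approve(address,uint256)
    "a22cb465": ("setApprovalForAll", 2),  # setApprovalForAll(address,bool)
}
MAX_UINT256 = 2**256 - 1

def decode_call(target, value_wei, calldata_hex):
    """Decode one call into (method, contract, counterparty, amount)."""
    data = calldata_hex.lower().removeprefix("0x")
    if not data:  # empty calldata: plain ETH transfer to the target
        return ("eth_transfer", None, target.lower(), value_wei)
    method, nargs = SELECTORS.get(data[:8], ("unknown", 0))
    if method == "unknown" or len(data) < 8 + 64 * nargs:
        return ("unknown", target.lower(), None, None)
    words = [data[8 + 64 * i: 72 + 64 * i] for i in range(nargs)]
    # transferFrom(from, to, amount): the recipient is the second argument
    party = "0x" + words[1 if method == "transferFrom" else 0][24:]
    return (method, target.lower(), party, int(words[-1], 16))

def review_batch(calls, known_good=frozenset()):
    """Return one warning per call that moves assets or grants rights to an unlisted party."""
    warnings = []
    for call in calls:
        method, contract, party, amount = decode_call(*call)
        if method == "unknown":
            warnings.append(f"undecodable call to {contract}")
        elif method == "setApprovalForAll" and amount == 0:
            continue  # revokes operator rights, grants nothing
        elif party not in known_good:
            size = "UNLIMITED" if amount == MAX_UINT256 else amount
            warnings.append(f"{method} -> {party} amount={size} contract={contract}")
    return warnings

def calldata(selector, *args):
    """Build ABI calldata from a selector and integer arguments (for the sample below)."""
    return "0x" + selector + "".join(f"{a:064x}" for a in args)

# Constructed sample: placeholder addresses, not taken from any real incident.
TOKEN, NFT, SPENDER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_BATCH = [
    (TOKEN, 0, calldata("095ea7b3", int(SPENDER, 16), MAX_UINT256)),
    (NFT, 0, calldata("a22cb465", int(SPENDER, 16), 1)),
    (TOKEN, 0, calldata("a9059cbb", int(SPENDER, 16), 5000)),
]
if __name__ == "__main__":
    print("\n".join(review_batch(SAMPLE_BATCH)))
```

For an ERC-721 contract the second argument of `approve` and the third of `transferFrom` is a token id rather than an amount, so the `amount` field should be read accordingly.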
