Analysts have sounded the alarm about a vulnerability linked to the relatively new Ethereum Improvement Proposal (EIP-7702) feature following a phishing attack that cost one investor over a million. Anti-fraud service Scam Sniffer has noted an increase in phishing scams where attackers target addresses upgraded under the new EIP-7702 standard. The EIP-7702 feature, which was introduced as part of the Pectra upgrade from May, is designed to enhance wallet functionality by allowing Externally Owned Accounts (EOAs) to temporarily behave like smart contracts. This feature encourages optimization by allowing multiple operations to be executed within a single transaction, thereby improving efficiency for legitimate users. However, the feature has reportedly opened them up to new exploitation windows. There have been at least three victims this month The latest unfortunate victim reportedly lost a total of $1.54 million after signing EIP-7702 phishing batch transactions that contained multiple token transfers and NFT approval operations. Part of those funds has reportedly been bridged to Mainnet via Relay Protocol. Exploiters bridged the stolen funds to Mainnet via Relay Protocol. Sourcce: @realScamSniffer (X/Twitter) The case comes two days after Scam Sniffer announced that another investor had lost $1M in tokens and NFTs after signing phishing batch transactions disguised as Uniswap swaps. That exploit came weeks after the anti-fraud service reported that an EIP-7702 upgraded address lost $66k to the same group using the same exploit. These schemes involve a fraudulent DeFi interface that is typically designed to mimic platforms like Uniswap. The victims were prompted to approve transactions that at first glance appeared routine, but in reality, were authorized hidden transfers. Upon approval, attackers would drain the wallet almost instantly, siphoning crypto and NFTs. According to Scam Sniffer, many users are still in the dark about the risks linked to EIP-7702 because it is a recent development. Since the malicious transactions are usually structured to appear normal, unsuspecting users are vulnerable. Security experts have reported EIP-7702 exploits since June Scam Sniffer has confirmed that phishing attacks targeting EIP-7702 upgraded addresses have gone up, indicating a growing trend. However, it is not a new trend, as security experts have been reporting incidents for months now. In June, Wintermute researchers revealed exploiters have targeted several unsuspecting crypto wallets with “automated sweeper” attacks, this time, using “delegate contracts”– a new feature launched as part of the EIP 7702. While EIP-7702 brings new convenience, it also introduces new risks Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. These are sweepers, used to automatically drain incoming ETH from compromised… pic.twitter.com/xHp7zr4hC9 — Wintermute (@wintermute_t) May 30, 2025 In a series of tweets shared via its official X handle, Wintermute claimed its research team had discovered that over 80% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. They called them sweepers and reported that they are used to automatically drain incoming ETH from compromised addresses. The malicious attempts by hackers to drain ETH from wallets have continued despite the Ethereum Foundation’s one trillion dollar security program, which it announced on May 14. To be safe, Scam Sniffer has urged users to be cautious and vigilant when approving batch transactions and to verify interfaces carefully before signing anything. Fake DeFi platforms designed to mimic legitimate ones have been tagged as one of the most common attack vectors in the crypto sector, and the introduction of batch transactions, though proven to improve user experience for legitimate applications, has added complexity while increasing the chance of an exploit. The best way to get ahead of the issue is to use only trusted applications and triple-check permissions granted during every transaction, batched or not. If you're reading this, you’re already ahead. Stay there with our newsletter .
