
An Ethereum wallet upgraded to the EIP-7702 standard with smart account functionality has fallen victim to a phishing attack — the user lost $146,551 in various memecoins.
According to Scam Sniffer, the scammers drained the funds through a malicious batch transaction that the victim (address 0xc6d289d) signed themselves. The attack was carried out via addresses 0xC83De81A and 0x33dAD2b.
Cybersecurity expert Yu Xiang called the hack highly inventive and linked it to the Inferno Drainer group. According to Check Point Research, this group’s malware is still active and has helped steal over $9 million in crypto in the past six months alone.
Yu Xiang, founder of blockchain security firm SlowMist, explained that this time the attackers did not replace the user's externally owned account (EOA) address with a phishing one. Instead, they exploited MetaMask's delegation mechanism introduced via EIP-7702 to execute a phishing attack with a batch approval and drain the tokens.
“What do I mean by an ingenious scheme? In this case, the user’s EOA address wasn’t replaced with a 7702-compliant contract. The delegation address wasn’t fake — it was a legitimate MetaMask Delegator that existed just a few days ago: 0x63c0c19a2,” the expert clarified.
This makes the incident even more complex than previous EIP-7702-based attacks. Through the delegation mechanism, the attackers could choose which tokens to steal. Xiang noted that phishing groups are continuously developing more sophisticated techniques to steal funds, and users must remain extremely cautious.
He added that the user likely visited a phishing website and, due to inattention, approved the malicious transaction.
Phishing Attacks via EIP-7702 Raise Growing Security Concerns
The incident reignites concerns about the security of EIP-7702’s account abstraction feature, introduced just a few weeks ago in the Pectra upgrade. Since its launch, it has seen rapid adoption — with over 48,000 delegations recorded, according to Dune Analytics and Wintermute Research.
The feature allows a regular Ethereum wallet (EOA) to be temporarily converted into a smart account by delegating control to another address with the appropriate logic.
Typically, an EOA is a simple wallet without advanced features like contract-paid gas, alternative authorization methods, or batch transactions. But with EIP-7702, users gain more flexibility and convenience.
However, what was intended to improve UX has also introduced new attack vectors. A significant portion of 7702 delegates are malicious contracts. Dune Analytics shows that 36.3% of 175 delegates have already been flagged as fraudulent.
According to GoPlus Security, once an EOA has been delegated to a malicious contract, any funds sent to it are automatically rerouted to the attacker's address. This is what enables such phishing schemes to steal users' assets so effectively.
Users Urged to Protect Themselves from Phishing
The emergence of new attack vectors has prompted experts to once again remind users to stay vigilant. Yu Xiang emphasized the importance of regularly checking whether you’ve unknowingly granted suspicious token approvals or delegated your wallet to a phishing address.
This can be done through a block explorer by reviewing your authorization history. If necessary, permissions can be revoked using a wallet that supports EIP-7702.
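The check described above can also be scripted against the raw account code that a node returns for the EOA. The following is an added example, not code from the article or from any of the firms it quotes: under EIP-7702 an upgraded EOA's code is a 23-byte delegation designator (the prefix 0xef0100 followed by the 20-byte delegate address), so the delegate can be decoded from an eth_getCode result and compared with an allowlist of delegators the owner actually trusts. The allowlist and sample code bytes are constructed placeholders.

```python
# Added example (not from the article): decode an EIP-7702 delegation
# designator and classify the account. Addresses below are constructed.
from typing import Iterable, Optional, Tuple

DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 designator prefix
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20  # prefix + 20-byte address


def code_from_rpc(hex_code: str) -> bytes:
    """Convert an eth_getCode result ("0x..." or "0x") into raw bytes."""
    return bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address as lowercase hex if `code` is a 7702
    designator, otherwise None (plain EOA or ordinary contract code)."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify_account(code: bytes, allowlist: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify account code as one of:
      eoa               - no code, never upgraded (or delegation cleared)
      contract          - regular contract bytecode, not a 7702 designator
      delegated-trusted - delegated to an address on the owner's allowlist
      delegated-unknown - delegated to an address NOT on the allowlist;
                          review and revoke if it was not set knowingly."""
    if len(code) == 0:
        return ("eoa", None)
    delegate = parse_delegation(code)
    if delegate is None:
        return ("contract", None)
    trusted = {a.lower() for a in allowlist}
    if delegate in trusted:
        return ("delegated-trusted", delegate)
    return ("delegated-unknown", delegate)


# Constructed sample data: a placeholder "trusted delegator" and two accounts.
TRUSTED_DELEGATOR = "0x" + "11" * 20                 # placeholder, not a real contract
TRUSTED_CODE = DELEGATION_PREFIX + bytes.fromhex("11" * 20)
UNKNOWN_CODE = DELEGATION_PREFIX + bytes.fromhex("22" * 20)

if __name__ == "__main__":
    for label, code in [("trusted", TRUSTED_CODE), ("unknown", UNKNOWN_CODE)]:
        print(label, classify_account(code, [TRUSTED_DELEGATOR]))
```

In practice the `code` argument comes from `eth_getCode(<your EOA>, "latest")`; an `eoa` result means no delegation is in place, and a `delegated-unknown` result is the case the article warns about.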

MetaMask Issues Warning to Users
Source: GoPlus Security
MetaMask, one of the most popular Ethereum wallets, has also warned users not to act on external links or email messages that prompt them to upgrade their wallet to a smart account. A pop-up message within the app states that such an upgrade should only be performed from inside the wallet itself.
Web3 security firm GoPlus also reminded users of essential protective measures: always verify authorization addresses, review contract source code, and avoid interacting with closed-source contracts.