QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$147 000 USD
MAY 2025
GLOBAL
ETHEREUM
DESCRIPTION OF EVENTS
Ethereum is a decentralized, open-source blockchain platform that enables developers to build and deploy smart contracts and decentralized applications (dApps). Launched in 2015 by Vitalik Buterin and other co-founders, Ethereum extended the blockchain concept beyond a digital currency like Bitcoin by making the chain programmable: developers write smart contracts, most commonly in Solidity, which are compiled to bytecode and executed on-chain. This programmability allows complex, automated agreements and processes to run without intermediaries, making Ethereum a foundational technology for decentralized finance (DeFi), non-fungible tokens (NFTs), and many other innovations in the blockchain space.
At its core, Ethereum operates as a global, distributed virtual machine—the Ethereum Virtual Machine (EVM)—that executes smart contracts and processes transactions on the blockchain. Transactions on Ethereum are validated and recorded by a decentralized network of nodes (computers) worldwide, ensuring security and censorship resistance. Users pay fees, known as “gas,” to compensate miners (and now validators) for the computational resources required to execute their transactions and smart contracts. This fee mechanism helps allocate network resources efficiently and prevents spam.
Ethereum has undergone significant upgrades over time to improve scalability, security, and sustainability. The Merge in September 2022 replaced Proof of Work (PoW) with Proof of Stake (PoS) consensus, drastically reducing the network's energy consumption and paving the way for planned enhancements such as sharding, which is intended to increase transaction throughput. As one of the largest and most active blockchain ecosystems, Ethereum continues to drive innovation in decentralized technologies, empowering developers and users to create new forms of digital interaction and value transfer without centralized control.
EIP-7702, activated on Ethereum mainnet in the Pectra upgrade in May 2025, lets an externally owned account (EOA) sign an authorization that points its code at a delegation contract, giving the EOA smart contract-like capabilities. This introduces several new risks. If the private key is compromised, the attacker retains full control of the account regardless of any delegation, since a new authorization can always be signed with that key. An authorization signed with chain ID 0 is valid on every chain, so a delegation that is not pinned to a specific chain can be replayed elsewhere. Initialization limitations and storage conflicts between successive delegation contracts can lead to wallet misconfiguration or asset loss when an account re-delegates. EOAs that execute code also affect centralized exchanges, whose deposit logic may incorrectly credit transfers originating from such accounts. Longstanding assumptions in smart contract logic, such as the check tx.origin == msg.sender implying that the caller holds no code, no longer hold and may no longer protect against reentrancy or flash-loan style interactions. Finally, phishing exposure increases, because a user can be tricked into delegating to, or executing batched calls through, a contract the attacker controls.
Phishing-based asset theft deserves particular attention. Since an EOA can now delegate control to a smart contract, a malicious actor can present a deceptive contract and trick the user into signing an authorization for it. Once the delegation is in place, every call into the account runs the attacker's code, so the attacker can move tokens or take other harmful actions without ever holding the private key, and the delegation persists until the user signs a new authorization that replaces it. Because the authorization itself does not move funds and looks like routine account setup, it can evade detection methods that watch for outgoing transfers. Wallet interfaces may also fail to show clearly which contract the user is delegating to, increasing the likelihood that a user grants dangerous permissions unknowingly. Wallet providers therefore need to display the delegation target prominently and verify it, and users should treat any EIP-7702 authorization request with extreme caution.
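The two checks a wallet should perform before signing an EIP-7702 authorization, as an added example that is not code from Quadriga, MetaMask or SlowMist: detecting whether an address already carries a delegation (its code is exactly the 23-byte designator 0xef0100 followed by the 20-byte target, per the EIP), reconstructing what the signature actually covers (the byte 0x05 followed by the RLP of [chain_id, address, nonce]), and flagging authorizations that use chain ID 0 or point at a target outside a trusted list. The addresses and the trusted list are constructed for the example; a real wallet would hash the preimage with keccak256 before signing.

```python
from typing import List, Optional

# Constants from EIP-7702: delegated accounts hold the code 0xef0100 || address,
# and an authorization is signed over keccak256(0x05 || rlp([chain_id, address, nonce])).
DELEGATION_PREFIX = bytes.fromhex("ef0100")
AUTH_MAGIC = b"\x05"


def _rlp_len(n: int, offset: int) -> bytes:
    """RLP length prefix for a payload of n bytes (offset 0x80 for strings, 0xc0 for lists)."""
    if n < 56:
        return bytes([offset + n])
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(n_bytes)]) + n_bytes


def rlp_encode(item) -> bytes:
    """Minimal RLP encoder for ints, byte strings and (nested) lists; enough for the auth tuple."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(payload), 0xC0) + payload


def authorization_preimage(chain_id: int, target: str, nonce: int) -> bytes:
    """Bytes that are keccak256-hashed and signed for one 7702 authorization tuple."""
    return AUTH_MAGIC + rlp_encode([chain_id, bytes.fromhex(target[2:]), nonce])


def delegation_target(code: bytes) -> Optional[str]:
    """Return the delegation target if `code` is a 7702 designator, otherwise None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def assess_authorization(chain_id: int, target: str, nonce: int,
                         wallet_chain_id: int, trusted_delegates: List[str]) -> List[str]:
    """Warnings a wallet should surface before letting the user sign this authorization."""
    warnings = []
    if chain_id == 0:
        warnings.append("chain_id 0: authorization is valid on every chain (cross-chain replay)")
    elif chain_id != wallet_chain_id:
        warnings.append(f"chain_id {chain_id} does not match the connected chain {wallet_chain_id}")
    if target.lower() not in {t.lower() for t in trusted_delegates}:
        warnings.append(f"delegation target {target} is not on the trusted delegate list")
    return warnings


if __name__ == "__main__":
    # Constructed sample values (hypothetical addresses, not the ones from the incident).
    trusted = ["0x" + "cd" * 20]
    suspicious = "0x" + "ab" * 20
    print(delegation_target(bytes.fromhex("ef0100" + "ab" * 20)))
    print(authorization_preimage(1, suspicious, 0).hex())
    for w in assess_authorization(0, suspicious, 0, 1, trusted):
        print("WARNING:", w)
```

The list-header byte of the preimage changes with the chain ID and nonce sizes, which is exactly why a wallet must show the decoded fields rather than the raw bytes: the user cannot tell a chain-pinned authorization from a replayable one by eye.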
The phishing attack was a new technique orchestrated by the well-known group InfernoDrainer, exploiting Ethereum's new EIP-7702 functionality. Unlike traditional phishing, where victims are tricked into interacting with a malicious address, this attack used a legitimate MetaMask EIP-7702 Delegator contract (0x63c0...) that had been deployed days earlier. The delegation target itself was genuine MetaMask infrastructure, which added a layer of deception: the address the victim delegated to appeared trustworthy and familiar.
The victim, with the account delegated to the MetaMask Delegator, unknowingly signed a batch execution in which the attacker had supplied the calldata. The Delegator's execute function ran those instructions with the full authority of the victim's account, producing the unauthorized token transfers. The attack thus relied on two capabilities EIP-7702 grants an EOA, delegated execution and batching of multiple calls, to drain the assets in a single operation.
The technical trick was to hide the malicious instructions inside what looked like a routine batch execution call, crafted so that it blended in with expected Delegator behavior. The usual phishing red flags (an unknown contract, an obvious approval prompt) were absent, and the attackers leveraged trust in well-known infrastructure to carry out the theft.
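What a wallet or monitoring tool should do with a batch before the user signs it, as an added example that is not code from MetaMask, SlowMist or Scam Sniffer: decode each inner call of the batch, identify known ERC-20 operations by their public function selectors, and flag every call that moves or approves value to an address the account owner has not vouched for, plus any call with a selector the tool cannot decode. The batch shape used here (target, value, calldata triples) and the token, victim and drainer addresses are constructed for the example; it does not reproduce the MetaMask Delegator's exact execute encoding.

```python
from typing import Dict, List, Sequence, Tuple

# Well-known ERC-20 function selectors (first four bytes of keccak256 of the signature).
SELECTORS = {
    "a9059cbb": "transfer",      # transfer(address,uint256)
    "095ea7b3": "approve",       # approve(address,uint256)
    "23b872dd": "transferFrom",  # transferFrom(address,address,uint256)
}

Call = Tuple[str, int, bytes]  # (target address, ETH value in wei, calldata)


def _word(data: bytes, i: int) -> bytes:
    """The i-th 32-byte ABI word following the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _addr(word: bytes) -> str:
    """An ABI address word is left-padded with zeros; the address is the last 20 bytes."""
    return "0x" + word[12:].hex()


def encode_erc20(fn: str, *args) -> bytes:
    """ABI-encode a static-argument ERC-20 call; used here only to build the constructed sample."""
    sel = next(bytes.fromhex(s) for s, name in SELECTORS.items() if name == fn)
    out = sel
    for a in args:
        out += bytes.fromhex(a[2:]).rjust(32, b"\x00") if isinstance(a, str) else a.to_bytes(32, "big")
    return out


def describe_call(to: str, value: int, data: bytes) -> Dict:
    """Classify one inner call: plain ETH transfer, known ERC-20 operation, or unknown selector."""
    if len(data) < 4:
        return {"kind": "eth", "dest": to, "amount": value}
    fn = SELECTORS.get(data[:4].hex())
    if fn == "transfer":
        return {"kind": "erc20_transfer", "token": to, "dest": _addr(_word(data, 0)),
                "amount": int.from_bytes(_word(data, 1), "big")}
    if fn == "approve":
        return {"kind": "erc20_approve", "token": to, "dest": _addr(_word(data, 0)),
                "amount": int.from_bytes(_word(data, 1), "big")}
    if fn == "transferFrom":
        return {"kind": "erc20_transferFrom", "token": to, "dest": _addr(_word(data, 1)),
                "amount": int.from_bytes(_word(data, 2), "big")}
    return {"kind": "unknown", "dest": to, "selector": data[:4].hex()}


def flag_batch(batch: Sequence[Call], owner: str, known: Sequence[str] = ()) -> List[Dict]:
    """Every call that sends or approves a non-zero amount to an address outside the owner's
    trusted set, plus every call the decoder does not recognise (it cannot vouch for those)."""
    safe = {owner.lower(), *(a.lower() for a in known)}
    flagged = []
    for call in batch:
        d = describe_call(*call)
        if d["kind"] == "unknown" or (d["amount"] > 0 and d["dest"].lower() not in safe):
            flagged.append(d)
    return flagged


# Constructed sample: hypothetical victim, token and drainer addresses (not the incident's).
VICTIM = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
DRAINER = "0x" + "33" * 20

SAMPLE_BATCH: List[Call] = [
    (TOKEN, 0, encode_erc20("approve", VICTIM, 0)),                 # harmless: zero approval to self
    (TOKEN, 0, encode_erc20("transfer", DRAINER, 10_000 * 10**6)),  # sweeps the token balance
    (DRAINER, 5 * 10**17, b""),                                     # 0.5 ETH straight to the drainer
    (TOKEN, 0, bytes.fromhex("deadbeef")),                          # selector the tool cannot decode
]

if __name__ == "__main__":
    for entry in flag_batch(SAMPLE_BATCH, VICTIM):
        print(entry)
```

The point of flagging undecodable calls is that an attacker controls the calldata: a batch that passes a selector allowlist but still contains a call the wallet cannot explain should be shown to the user as unexplained, not silently approved.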
RealScamSniffer reports the loss total as $146,551.
RealScamSniffer quickly raised an alert that an address upgraded to EIP-7702 had lost $146,551 in a phishing attack using malicious batched transactions. Their warning emphasized the financial impact and the new phishing risks introduced by EIP-7702's delegation features, urging users to be cautious.
SlowMist responded with an in-depth technical analysis and guidance, explaining how the phishing attack used MetaMask's EIP-7702 Delegator to execute a batch of attacker-supplied calls and steal funds. They detailed the attack's inner workings, the protocol properties that made it possible, and recommended best practices for ecosystem participants, including careful handling of delegation authorizations and stronger phishing checks. SlowMist's approach combined raising awareness with practical security advice to mitigate future risks.
The end outcome was that the phishing attack drained $146,551 from the victim's Ethereum address by exploiting the EIP-7702 delegation mechanism, exposing significant security risks in the new functionality. Following the incident, security firms including RealScamSniffer and SlowMist raised alerts and published detailed analyses and best practices to help users, developers, and service providers understand the risks and defend against similar attacks in the future.
There is no indication that any of the phished assets will ever be recovered.
Wallet providers, exchanges, and security firms are continuously working to strengthen defenses by improving phishing detection, transaction monitoring, and user warnings related to EIP-7702 delegations. At the same time, developers and protocol teams are updating their tools and smart contracts to securely support the new functionalities introduced by EIP-7702, ensuring compatibility while minimizing vulnerabilities.
In addition, user education campaigns are actively underway to raise awareness about the risks of private key leakage, multi-chain replay attacks, and phishing tactics specific to EIP-7702. Complementary standards like ERC-7779 are also being developed to address technical challenges such as storage conflicts and safe re-delegation. Meanwhile, security experts continue to investigate emerging threats and respond swiftly to new phishing attempts, aiming to protect users and reduce the potential for further losses. Overall, securing the EIP-7702 ecosystem is a dynamic, ongoing process involving collaboration between multiple stakeholders.
Ethereum is a decentralized, open-source blockchain platform launched in 2015 that enables developers to build and run smart contracts and decentralized applications (dApps). New features like EIP-7702, which grant externally owned accounts (EOAs) smart contract-like delegation capabilities, have introduced fresh security risks. In particular, delegations and the batched calls they enable can be exploited in phishing attacks that trick users into authorizing attacker-supplied instructions, leading to significant asset theft, as seen in the May 2025 attack by the InfernoDrainer group, which used MetaMask's EIP-7702 Delegator to steal over $146,000. Security firms RealScamSniffer and SlowMist responded with alerts and detailed analyses, emphasizing the need for stronger wallet protections, user education, and ongoing ecosystem collaboration to mitigate these emerging threats.
SlowMist - "After analysis, we found that the phishing case is a new phishing trick, carried out by the well-known phishing group #InfernoDrainer." - Twitter/X (May 29)
RealScamSniffer - "ALERT: An address upgraded to EIP-7702 lost $146,551 through malicious batched transactions in phishing attack." - Twitter/X (May 29)
Wallet Draining Transaction - Etherscan (May 29)
In-Depth Discussion on EIP-7702 and Best Practices - SlowMist Medium (May 29)
https://x.com/realScamSniffer/status/1926296681198326254 (May 29)
