Ethereum EIP 7702 Malicious Wallet Draining Phishing Attack
Ethereum is a decentralized, open-source blockchain platform launched in 2015 that enables developers to build and run smart contracts and decentralized applications (dApps). However, new features like EIP-7702, which grant externally owned accounts (EOAs) smart contract-like delegation capabilities, have introduced fresh security risks. Notably, these delegations can be exploited in phishing attacks that trick users into authorizing malicious contracts, leading to significant asset theft, as seen in a recent attack by the InfernoDrainer group, which used MetaMask's EIP-7702 Delegator to steal over $146,000. Security firms like RealScamSniffer and SlowMist responded with alerts and detailed analyses, emphasizing the need for stronger protections, user education, and ongoing ecosystem collaboration to mitigate these emerging threats.[1][2][3][4][5]
About Ethereum
Ethereum is a decentralized, open-source blockchain platform that enables developers to build and deploy smart contracts and decentralized applications (dApps). Launched in 2015 by Vitalik Buterin and other co-founders, Ethereum extended the concept of blockchain beyond just a digital currency like Bitcoin, introducing programmability to the blockchain through its native scripting language, Solidity. This programmability allows for complex, automated agreements and processes to run without the need for intermediaries, making Ethereum a foundational technology for decentralized finance (DeFi), non-fungible tokens (NFTs), and many other innovations in the blockchain space.
At its core, Ethereum operates as a global, distributed virtual machine—the Ethereum Virtual Machine (EVM)—that executes smart contracts and processes transactions on the blockchain. Transactions on Ethereum are validated and recorded by a decentralized network of nodes (computers) worldwide, ensuring security and censorship resistance. Users pay fees, known as “gas,” to compensate miners (and now validators) for the computational resources required to execute their transactions and smart contracts. This fee mechanism helps allocate network resources efficiently and prevents spam.
Ethereum has undergone significant upgrades over time to improve scalability, security, and sustainability. The recent transition from Proof of Work (PoW) to Proof of Stake (PoS) consensus mechanism in the Ethereum 2.0 upgrade drastically reduced the network’s energy consumption and paved the way for future enhancements like sharding, which will increase transaction throughput. As one of the largest and most active blockchain ecosystems, Ethereum continues to drive innovation in decentralized technologies, empowering developers and users to create new forms of digital interaction and value transfer without centralized control.
About EIP 7702
EIP-7702 is a transformative proposal introduced in Ethereum's upcoming Pectra upgrade, aiming to bridge the gap between Externally Owned Accounts (EOAs) and Contract Accounts (CAs). It enables EOAs to behave more like smart contracts by allowing them to execute code while still being able to initiate transactions. This is achieved through a new transaction type, SET_CODE_TX_TYPE (0x04), which lets an EOA point its account code at an existing contract. This unlocks features such as social recovery, multi-signature support, zero-knowledge proofs, batch processing, and gas sponsorship, all without migrating to smart contract wallets.
Technically, EIP-7702 introduces an authorization_list: each entry names a target contract and is signed by the EOA that delegates to it, so a single transaction can set delegations for several EOAs at once. A delegation can span multiple chains if its chain_id is set to 0, which is convenient but also creates replay risk. Once an authorization is processed, the EOA's code becomes a delegation designator, the prefix 0xef0100 followed by the address of the target contract, and any call to the EOA executes that contract's code in the EOA's context.
Despite its benefits, EIP-7702 introduces new risks. Misconfigured delegations, poor key management, and phishing vulnerabilities become critical concerns. Since an EOA can now act as either a user or a contract, the assumption that msg.sender == tx.origin identifies a plain, non-contract caller no longer holds. Developers and wallet providers must update practices and interfaces to reflect this dual nature, implement storage safety measures (e.g., ERC-7201), and support compatibility with token standards and security hooks.
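As an added example (not code from this page, MetaMask or SlowMist), the following Python sketch shows the two pre-signing checks a wallet or monitoring tool can make on the structures described above: it decodes the 0xef0100 delegation designator to recover the target address, and it flags an authorization entry whose chain_id is 0 or whose target is not on an allow-list. The target address and allow-list are constructed values.

```python
# Added example for the EIP-7702 structures described above; not from the page.
from dataclasses import dataclass

DELEGATION_PREFIX = bytes.fromhex("ef0100")    # designator prefix from EIP-7702
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20   # prefix plus a 20-byte address
SET_CODE_TX_TYPE = 0x04                        # the EIP-7702 transaction type


@dataclass
class Authorization:
    """One entry of an EIP-7702 authorization_list (signature fields omitted)."""
    chain_id: int
    address: str   # delegation target as 0x-prefixed hex
    nonce: int


def parse_delegation(code: bytes):
    """Return the delegation target if `code` is a 7702 designator, else None.

    After a SET_CODE transaction the EOA's code is exactly 0xef0100 || target,
    so anything of another length or prefix is ordinary contract code.
    """
    if len(code) != DELEGATION_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def assess_authorization(auth: Authorization, current_chain_id: int,
                         trusted_targets: set) -> list:
    """Flag the risk conditions the page names before a wallet signs."""
    flags = []
    if auth.chain_id == 0:
        flags.append("chain_id 0: authorization is valid on every chain (replay risk)")
    elif auth.chain_id != current_chain_id:
        flags.append("chain_id mismatch: authorization is not for the connected chain")
    if auth.address.lower() not in {t.lower() for t in trusted_targets}:
        flags.append("delegation target is not an allow-listed contract")
    return flags


# Constructed sample: a designator pointing at a made-up target address.
SAMPLE_TARGET = "0x" + "11" * 20
SAMPLE_CODE = DELEGATION_PREFIX + bytes.fromhex("11" * 20)

if __name__ == "__main__":
    print(parse_delegation(SAMPLE_CODE))
    print(assess_authorization(Authorization(0, SAMPLE_TARGET, 0), 1, set()))
```

The allow-list check alone would not have stopped the incident on this page, because the delegation target was MetaMask's legitimate Delegator; the batch execute payload the victim is asked to sign still has to be inspected.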
The Reality
There are many new risks with EIP-7702 that arise from giving EOAs smart contract-like capabilities. If a private key is compromised, the attacker retains full control regardless of any delegation. Delegations can be replayed across multiple chains if not carefully restricted, exposing users to cross-chain attacks. Initialization limitations and storage conflicts can lead to wallet misconfigurations or asset loss during re-delegation. EOAs acting as contracts also introduce risks for centralized exchanges, which may incorrectly process fake deposits. Furthermore, longstanding assumptions in smart contract logic—like tx.origin being an EOA—are no longer reliable, potentially breaking security protections. Finally, phishing threats increase, as users might unknowingly delegate to malicious contracts, leading to asset theft.
One of the new risks introduced by EIP-7702 is phishing-based asset theft. Since EOAs can now delegate control to smart contracts, a malicious actor can craft a deceptive contract and trick users into signing a delegation transaction. Once the delegation is authorized, the attacker effectively gains control over the victim’s account and can initiate unauthorized token transfers or perform harmful actions without needing direct access to the private key. Because these delegations appear legitimate on the surface and don’t immediately move funds, they can evade traditional detection methods. Wallet interfaces may also fail to clearly show what contract the user is delegating to, increasing the likelihood of users unknowingly granting dangerous permissions. This makes it essential for wallet providers to improve visibility into delegation targets and for users to exercise extreme caution when signing EIP-7702-related transactions.
What Happened
A phishing attack by InfernoDrainer exploited MetaMask’s EIP-7702 Delegator to trick a victim into unknowingly authorizing a batch transaction that transferred their tokens.
| Date | Event | Description |
|---|---|---|
| March 27th, 2025 12:14:52 AM MDT | SlowMist Publishes Guide | SlowMist published a guide on EIP-7702 that covers a high-level overview of its technical implementation, the new transaction type it introduces, and how it enables programmability for EOAs. The post also examines key risks and challenges associated with EIP-7702, such as phishing attacks, replay vulnerabilities across chains, storage collisions, and compatibility issues with existing contracts. It offers best practices for users, developers, wallet providers, and exchanges to mitigate these risks, and emphasizes the importance of cautious delegation, private key security, and contract compatibility in this new account abstraction paradigm. |
| May 23rd, 2025 8:31:35 AM MDT | User Wallet Is Drained | The user's wallet is drained of all assets after a successful phishing attempt which exploits the new EIP-7702 mechanisms. |
| May 24th, 2025 9:18:00 AM MDT | RealScamSniffer Tweet | RealScamSniffer posts an alert that an address that had recently upgraded to EIP-7702 lost $146,551 in a phishing attack involving malicious batched transactions. |
| May 27th, 2025 2:21:00 AM MDT | SlowMist Detailed Analysis | SlowMist posts a more detailed analysis which reveals that this is part of a new phishing method by the group #InfernoDrainer that exploits MetaMask's EIP-7702 Delegator mechanism. Unlike typical scams, the delegated address used appears legitimate, specifically a MetaMask EIP-7702 Delegator (0x63c0...), making detection harder. The attack tricked victims, such as the address 0xc6D2..., into initiating a batch execution that enabled unauthorized token access. This sophisticated method highlights new risks with EIP-7702 and underscores the need for heightened vigilance and updated security practices. |
Technical Details
The phishing attack was a new technique orchestrated by the well-known group InfernoDrainer, exploiting Ethereum's new EIP-7702 functionality. Unlike traditional phishing where victims are tricked into interacting with malicious addresses, this attack used a legitimate MetaMask EIP-7702 Delegator contract (0x63c0...) that had been deployed days earlier. This added a layer of deception, as the delegated address appeared trustworthy and familiar to users.
The victim, using EIP-7702 functionality, unknowingly initiated a batch execution through the MetaMask Delegator, which allowed the attacker's pre-crafted data payload to run with full authorization. The contract's execute function carried out these instructions, leading to the unauthorized transfer of tokens. The mechanism leverages the ability in EIP-7702 to delegate execution rights and batch process transactions, which the attacker used to drain assets in a single operation.
The technical trick involved hiding malicious instructions within what appeared to be a legitimate batch execution call. This was possible because the attacker carefully crafted the payload to blend in with expected Delegator behavior. Through this, they bypassed traditional phishing red flags and leveraged trust in well-known infrastructure to carry out the theft.
Total Amount Lost
RealScamSniffer reports the loss total as $146,551.
The total amount lost has been estimated at $147,000 USD.
Immediate Reactions
RealScamSniffer quickly raised an alert highlighting that an address upgraded to EIP-7702 lost $146,551 due to a malicious phishing attack involving batched transactions. Their warning emphasized the serious financial impact and the new phishing risks introduced by EIP-7702's delegation features, urging users to be cautious.
SlowMist responded with an in-depth technical analysis and guidance, explaining how the phishing attack exploited MetaMask’s EIP-7702 Delegator mechanism to execute batch authorization and steal funds. They detailed the attack’s inner workings, the vulnerabilities involved, and recommended best practices for ecosystem participants to protect themselves, including careful handling of delegation authorizations and enhanced phishing checks. Overall, SlowMist’s approach combined raising awareness with practical security advice to mitigate future risks.
Ultimate Outcome
The end outcome was that the phishing attack successfully drained $146,551 from the victim's Ethereum address by exploiting the EIP-7702 delegation mechanism, exposing significant security risks with the new protocol. Following this incident, security firms like RealScamSniffer and SlowMist raised alerts and provided detailed analyses and best practices to help users, developers, and service providers better understand the vulnerabilities and defend against similar attacks in the future.
Total Amount Recovered
There is no indication that any of the phished assets will ever be recovered.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Wallet providers, exchanges, and security firms are continuously working to strengthen defenses by improving phishing detection, transaction monitoring, and user warnings related to EIP-7702 delegations. At the same time, developers and protocol teams are updating their tools and smart contracts to securely support the new functionalities introduced by EIP-7702, ensuring compatibility while minimizing vulnerabilities.
In addition, user education campaigns are actively underway to raise awareness about the risks of private key leakage, multi-chain replay attacks, and phishing tactics specific to EIP-7702. Complementary standards like ERC-7779 are also being developed to address technical challenges such as storage conflicts and safe re-delegation. Meanwhile, security experts continue to investigate emerging threats and respond swiftly to new phishing attempts, aiming to protect users and reduce the potential for further losses. Overall, securing the EIP-7702 ecosystem is a dynamic, ongoing process involving collaboration between multiple stakeholders.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist - "After analysis, we found that the phishing case is a new phishing trick, carried out by the well-known phishing group #InfernoDrainer." - Twitter/X (Accessed May 29, 2025)
2. RealScamSniffer - "ALERT: An address upgraded to EIP-7702 lost $146,551 through malicious batched transactions in phishing attack." - Twitter/X (Accessed May 29, 2025)
3. Wallet Draining Transaction - Etherscan (Accessed May 29, 2025)
4. In-Depth Discussion on EIP-7702 and Best Practices - SlowMist Medium (Accessed May 29, 2025)
5. https://x.com/realScamSniffer/status/1926296681198326254 (Accessed May 29, 2025)