Ethereum EIP‑7702 May Have Enabled Phishing Scams That Cost Investors Over $12M in August, Security Firms Warn


  • EIP-7702 features were weaponized to trick users into malicious approvals.

  • Over $12 million lost across 15,000+ wallets in August 2025; three whales accounted for ~46% of losses.

  • Security firms Scam Sniffer, SlowMist, and Wintermute highlight the surge and recommend stricter wallet hygiene.


What happened in the August 2025 EIP-7702 phishing wave?

EIP-7702 phishing attacks saw scammers exploit Ethereum’s new wallet features to drain more than $12 million from 15,000+ wallets in August 2025. Blockchain security firm Scam Sniffer reported a 72% increase in losses month-over-month, with three whale wallets accounting for nearly 46% of the total thefts.


How did attackers use EIP-7702 to steal funds?

Ethereum’s EIP-7702 enables EOAs to temporarily act like smart contract wallets, adding batching, spending caps, passkeys, and address-preserving recovery. Criminals repurposed these conveniences by crafting malicious delegate contracts and prompts that trick users into granting broad approvals.

Wintermute’s Dune Analytics data shows that over 80% of delegate contracts tied to EIP-7702 displayed malicious behavior, affecting more than 450,000 addresses since rollout. Security firm SlowMist warns organized groups are scaling these techniques across EVM chains.

Why did losses concentrate in a few wallets?

Attack patterns indicate targeted phishing campaigns focused on high-balance addresses. Scam Sniffer found that three whale wallets represented ~46% of August’s $12M losses, including a single wallet loss of $3.08M. Attackers combine social engineering with automated contract prompts to maximize yield quickly.


Scam Sniffer quantified the August surge: $12M+ lost, a 72% increase from July, and a 67% rise in victim count month-over-month. Wintermute’s Dune Analytics highlighted that most suspicious behavior originated from delegate contracts associated with EIP-7702.

SlowMist founder Yu Xian noted that organized criminal groups quickly adapted EIP-7702 mechanics to scale thefts across EVM-compatible chains. These assessments come from blockchain analytics and public incident reports compiled by security firms.

Users should immediately audit active approvals, revoke unrecognized delegate contracts, and avoid signing prompts that reference contract upgrades without clear provenance. Prioritize hardware wallets, multisig for large balances, and limited allowances for routine operations.

Review active approvals in your wallet interface and on-chain explorers; look for delegate contracts or unusual unlimited allowances. Revoke permissions you do not recognize and monitor wallets for unauthorized transfers.
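One way to carry out the delegate-contract part of this audit, shown as an added example that is not from the original article or the security firms it cites. Under EIP-7702, a delegated EOA's code (as returned by the eth_getCode RPC call) is the 3-byte indicator 0xef0100 followed by the 20-byte delegate address. The function names, sample addresses, code strings and allowlist below are constructed for illustration.

```python
# Added example: classify accounts from their eth_getCode output (EIP-7702).
# All addresses and code strings below are constructed sample values.

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator


def classify_code(code_hex):
    """Return (kind, delegate) for the hex string returned by eth_getCode."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    code = bytes.fromhex(raw)
    if not code:
        return ("eoa", None)                 # no code, so no active delegation
    if code.startswith(DELEGATION_PREFIX):
        if len(code) != 23:                  # 3-byte prefix + 20-byte address
            return ("malformed", None)
        return ("delegated", "0x" + code[3:].hex())
    return ("contract", None)                # ordinary deployed bytecode


def audit(accounts, trusted_delegates):
    """List (address, delegate) pairs whose delegate is not on the allowlist."""
    trusted = {a.lower() for a in trusted_delegates}
    findings = []
    for address, code_hex in accounts.items():
        kind, delegate = classify_code(code_hex)
        if kind == "delegated" and delegate not in trusted:
            findings.append((address, delegate))
        elif kind == "malformed":
            findings.append((address, None))  # unexpected shape, review by hand
    return findings


# Constructed inputs: address -> eth_getCode result for that address.
SAMPLE_ACCOUNTS = {
    "0x" + "a1" * 20: "0x",                        # plain EOA
    "0x" + "b2" * 20: "0xef0100" + "11" * 20,      # delegate on the allowlist
    "0x" + "c3" * 20: "0xEF0100" + "22" * 20,      # unrecognized delegate
    "0x" + "d4" * 20: "0x6080604052",              # regular contract account
}
TRUSTED = ["0x" + "11" * 20]  # hypothetical allowlist kept by the wallet owner

if __name__ == "__main__":
    for address, delegate in audit(SAMPLE_ACCOUNTS, TRUSTED):
        print(f"review {address}: delegated to {delegate}")
```

An address this reports is one whose delegation the owner should investigate and revoke if unrecognized; token allowances are a separate check and are not covered by this code.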



Source: https://en.coinotag.com/ethereum-eip%E2%80%917702-may-have-enabled-phishing-scams-that-cost-investors-over-12m-in-august-security-firms-warn/