Ethereum News: How Hackers Are Exploiting EIP-7702 To Drain Wallets

On May 24, Ethereum news saw a wallet freshly enabled with EIP-7702 lost about $150,000 when scammers tricked the user into approving a malicious batch of token transfers.

Phishing attacks in crypto have surged. In April 2025 alone, scams drained roughly $5.3 million from 7,565 wallets. Now attackers are leveraging Ethereum’s latest Pectra upgrade – specifically EIP-7702 – to empty user accounts.

Security analysts warn that this novel exploit shows how quickly hackers are adapting to Ethereum’s new smart-wallet features.

Ethereum EIP-7702 and the Pectra Upgrade

EIP-7702 is a key feature of Ethereum’s May 2025 “Pectra” upgrade. It essentially lets ordinary wallets (Externally Owned Accounts, or EOAs) temporarily act like smart-contract accounts during a transaction.

Technically, a user can attach small snippets of contract code to their address for one transaction. This brings advanced “account abstraction” benefits to normal wallets: for example, a user can now batch multiple transfers in one transaction, let someone else sponsor their gas fees, or use alternative signature schemes.

Wallet providers like Ambire and Trust Wallet have already rolled out EIP-7702 support on Ethereum. Ambire’s CEO hailed it as “the single greatest UX upgrade” to Ethereum, since it unlocks smart-account features without forcing users to create new contract wallets.

However, security experts warned that EIP-7702 also opens new attack surfaces. By letting a wallet run custom code, scammers could, in theory, pack an entire wallet-draining routine into a single approval step.

As one developer put it, EIP-7702 “provided a new avenue for phishing campaigns to empty entire wallets at once”. In short, features meant to improve flexibility can backfire if users aren’t extremely careful.

Ethereum News: Inferno Drainer’s $150K Scam via EIP-7702

The danger became real on May 24, 2025. Scam Sniffer – a Web3 anti-scam platform – reported that a user’s MetaMask wallet, recently upgraded to EIP-7702, was drained of about $146,551.

Blockchain security firm SlowMist quickly analyzed the case and identified the culprit as Inferno Drainer, a notorious phishing gang.

Rather than hijacking the wallet address or stealing seed phrases, the attackers leveraged the new “delegator” system in Ethereum’s EIP-7702 upgrade as per news reports. They convinced the user to authorize a trusted MetaMask delegator contract (part of EIP-7702) that the hackers had already registered.

When the victim signed what looked like a normal transaction, it triggered an invisible “execute” call that ran a batch of fraudulent transfers in the background.

The result was a silent batch drain of tokens. The screenshot below (from Scam Sniffer’s logs) shows the malicious batch approvals highlighted in red – dozens of tokens were approved for transfer in one swoop.

Because this all happened inside the delegated smart wallet, the user saw no obvious pop-ups for each token approval. In effect, the victim unknowingly gave blanket permission for the attackers to move dozens of different assets in one step.

How Inferno Drainer’s Phishing Scam Worked

The ScamSniffer monitoring dashboard (above) shows multiple token allowances approved at once via a single batch transaction. This is exactly how Inferno Drainer’s phishing scam worked: the victim’s MetaMask “execute” call silently processed a bundle of malicious approvals, allowing the hackers to siphon off about $150,000 in coins.

Yu Xian, founder of SlowMist, explained the scheme: the phishing group “used a delegated MetaMask wallet – one already authorized under EIP-7702 – to approve token transfers silently through a batch authorization process”.

In his words, “the phishing gang uses this mechanism to complete batch authorization operations on tokens related to the victim’s address”.

In other words, the attackers did not have to overwrite the user’s address with a fake one; they simply piggybacked on MetaMask’s smart-contract code.

Xian noted this is more complex than prior scams: the user’s EOA address remained unchanged, while the malicious batch was handled by the MetaMask EIP-7702 Delegator contract.

SlowMist’s analysis underscores that this exploit was “very creative” – it abused a legitimate wallet feature in an unexpected way.

The Inferno Drainer group itself claimed to have shut down recently, but Xian pointed out that its malware is still active and has netted over $9 million in the past six months. The May 24 hack fits their playbook of multi-chain wallet scams, but with a new twist thanks to Ethereum’s EIP-7702 upgrade.

Phishing Trends and EIP-7702 Risks

This inferno attack wasn’t an isolated blip. Crypto phishing remains rampant. Scam Sniffer’s April 2025 report recorded about $5.29 million lost to phishing scams that month, up 26% in victims from March (7,565 victims). (Notably, April’s total was down 17% from March’s $6.37M, but many more users were hit.)

Last year was even worse: about $494 million was stolen via wallet phishing in 2024 – a 67% jump over 2023 – according to Scam Sniffer. These losses highlight how attackers keep inventing new tricks even as wallets get more secure.

The Ethereum EIP-7702 exploit is the latest evolution. Traditional phishing often tricks victims into approving a single token transfer or sending funds to a copycat address.

By contrast, the Inferno gang’s method lets them bundle dozens of token approvals in one hidden step. As SlowMist noted, this marks a shift: attackers are now integrating official Ethereum upgrades into their scams.

Yu Xian warned that because users rely on advanced wallet features like EIP-7702, phishers see “new avenues” to drain funds. In short, familiar groups are catching up to new technology.

Aside from Inferno Drainer, other EIP-7702 schemes surfaced in May. On May 20, GoPlus Security (via BlockBeats) issued an alert about a malicious EIP-7702 “delegator” address.

If a user authorized this address, it would instantly siphon any ETH in the wallet to the attacker’s account. GoPlus urged users to enable EIP-7702 only through official wallet UIs and to refuse any unsolicited upgrade links in emails.

In their words, “only authorize the 7702 function through the official wallet app… never click on external links or the ‘upgrade’ option in emails, and always verify the contract source code.”. These precautions echo SlowMist’s advice: always verify where transactions originate and audit your approvals.

Expert Advice and User Takeaways

Security firms stress vigilance. Scam Sniffer recommends double-checking any site or contract before signing. For example, they advise users to verify websites before logging in or approving transactions, audit token permissions regularly, and avoid clicking unverified links.

SlowMist’s Yu Xian offers similar warnings: “Everyone should be vigilant… be careful that the assets in your wallet will be taken away” if scammed.

He specifically urges users to review all token authorizations and watch for any unfamiliar Ethereum EIP-7702 delegations tied to their wallet. In a recent interview, Xian also warned crypto users: “Don’t trust just one source. When it involves money, always establish another reliable source for verification.”

In practice, that means cross-checking Discord servers, Twitter posts or email links through official channels, and never rushing to sign a random prompt.