EIP-7702 phishing attacks on Ethereum exploited the standard’s new account features to steal over $12M from 15,000+ wallets in August 2025. Protect your funds by rejecting unlimited approvals, verifying domains, using hardware wallets or multisig setups, and treating any prompt to sign a contract upgrade or account delegation as suspect until its source is verified.
- EIP-7702 features were weaponized to trick users into malicious approvals.
- Over $12 million lost across 15,000+ wallets in August 2025; three whales accounted for ~46% of losses.
- Security firms Scam Sniffer, SlowMist, and Wintermute highlight the surge and recommend stricter wallet hygiene.
What happened in the August 2025 EIP-7702 phishing wave?
EIP-7702 phishing attacks saw scammers exploit Ethereum’s new wallet features to drain more than $12 million from 15,000+ wallets in August 2025. Blockchain security firm Scam Sniffer reported a 72% increase in losses month-over-month, with three whale wallets accounting for nearly 46% of the total thefts.
How did attackers use EIP-7702 to steal funds?
Ethereum’s EIP-7702 lets an externally owned account (EOA) delegate its code to a smart contract by signing an authorization, so the account gains features such as batching, spending caps, passkeys, and address-preserving recovery while keeping its address; the delegation persists until the user replaces or clears it. That same authorization is the attack surface: once an EOA points at an attacker-controlled delegate contract, that contract’s code runs as the account and can move every asset it holds, with no per-token approval needed. Criminals repurposed the mechanism by deploying malicious delegate contracts and crafting signing prompts that trick users into granting these broad permissions.
Wintermute’s Dune Analytics data shows that over 80% of delegate contracts tied to EIP-7702 displayed malicious behavior, affecting more than 450,000 addresses since rollout. Security firm SlowMist warns organized groups are scaling these techniques across EVM chains.
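To make the mechanism concrete, the following Python is an added example written for this page, not code from the article or from Scam Sniffer, SlowMist or Wintermute. It classifies an account from the bytes that eth_getCode returns, using the EIP-7702 delegation designator format (the prefix 0xef0100 followed by the 20-byte delegate address), and raises a warning when the delegate is not on an allowlist. The sample code blobs and the allowlist of trusted delegates are constructed placeholders, not real contracts.

```python
# Added example (not code from the article or from any security firm it cites).
# Classifies an Ethereum account from the bytes returned by eth_getCode, using
# the EIP-7702 delegation designator format: 0xef0100 || 20-byte delegate address.
# The sample code blobs and the "trusted delegate" allowlist below are constructed
# for illustration; the addresses are placeholders, not real contracts.
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 3 + 20  # prefix plus a 20-byte address


@dataclass(frozen=True)
class AccountView:
    kind: str                       # "eoa", "contract", "delegated", or "malformed"
    delegate: Optional[str] = None  # lowercase 0x-address when kind == "delegated"


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is an EIP-7702 designator, else None.

    A valid designator is exactly 23 bytes: the 0xef0100 prefix plus the target address.
    """
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def classify_account(code: bytes) -> AccountView:
    """Map raw account code to one of four kinds a wallet audit cares about."""
    if not code:
        return AccountView("eoa")            # plain key-controlled account, no code set
    delegate = parse_delegation(code)
    if delegate is not None:
        return AccountView("delegated", delegate)
    if code.startswith(DELEGATION_PREFIX):
        # Looks like a designator but has the wrong length: do not trust it either way.
        return AccountView("malformed")
    return AccountView("contract")           # ordinary deployed bytecode


def delegation_alert(code: bytes, trusted_delegates: set[str]) -> Optional[str]:
    """Return a warning string when the account's code points somewhere unexpected."""
    view = classify_account(code)
    if view.kind == "delegated" and view.delegate not in trusted_delegates:
        return (f"EOA delegates to untrusted contract {view.delegate}; "
                "clear the delegation if you did not set it")
    if view.kind == "malformed":
        return "code begins with 0xef0100 but is not a valid 23-byte designator"
    return None


# Constructed samples (not real on-chain data).
SAMPLE_TRUSTED_DELEGATE = "0x" + "11" * 20
SAMPLE_ATTACKER_DELEGATE = "0x" + "ba" * 20
SAMPLE_EOA_CODE = b""
SAMPLE_VICTIM_CODE = DELEGATION_PREFIX + bytes.fromhex("ba" * 20)
SAMPLE_SAFE_CODE = DELEGATION_PREFIX + bytes.fromhex("11" * 20)
SAMPLE_PLAIN_CONTRACT_CODE = bytes.fromhex("6080604052")

if __name__ == "__main__":
    for label, code in [("plain EOA", SAMPLE_EOA_CODE),
                        ("delegated to trusted", SAMPLE_SAFE_CODE),
                        ("delegated to attacker", SAMPLE_VICTIM_CODE)]:
        print(label, classify_account(code), delegation_alert(code, {SAMPLE_TRUSTED_DELEGATE}))
```

In practice the `code` argument is whatever your node returns for `eth_getCode(your_address, "latest")`; an EOA that was phished in the way the article describes will no longer return empty code but a 23-byte designator pointing at the attacker’s contract.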
Why did losses concentrate in a few wallets?
Attack patterns indicate targeted phishing campaigns focused on high-balance addresses. Scam Sniffer found that three whale wallets represented ~46% of August’s $12M losses, including a single wallet loss of $3.08M. Attackers combine social engineering with automated contract prompts to maximize yield quickly.
Details of the attack: what data do security firms report?
Scam Sniffer quantified the August surge: $12M+ lost, a 72% increase from July, and a 67% rise in victim count month-over-month. Wintermute’s Dune Analytics highlighted that most suspicious behavior originated from delegate contracts associated with EIP-7702.
SlowMist founder Yu Xian noted that organized criminal groups quickly adapted EIP-7702 mechanics to scale thefts across EVM-compatible chains. These assessments come from blockchain analytics and public incident reports compiled by security firms.
What should users do now to reduce exposure?
Users should immediately audit active approvals and check whether their own address carries a delegation they did not set; a delegation is cleared by signing a new EIP-7702 authorization whose target is the zero address. Avoid signing prompts that reference contract upgrades or account delegation without clear provenance. Prioritize hardware wallets, multisig for large balances, and limited allowances for routine operations.
Frequently Asked Questions
How can I check if my wallet was affected by EIP-7702 phishing?
Review active approvals in your wallet interface and on-chain explorers, and check the code at your own address: eth_getCode on a plain EOA returns empty, while an address delegated under EIP-7702 returns a 23-byte designator beginning with 0xef0100 followed by the delegate contract’s address. Revoke allowances and clear delegations you do not recognize, and monitor the wallet for unauthorized transfers.
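The following Python is an added example, not code from the article or from any wallet vendor. It decodes the calldata behind a signing prompt using the standard ERC-20 approve and ERC-721 setApprovalForAll selectors, flags allowances that are unlimited in practice, and builds the calldata that revokes them. The spender address and amounts are constructed samples; the 2**255 threshold for "effectively unlimited" is a heuristic chosen here, since dapps do not all use exactly 2**256-1.

```python
# Added example (not code from the article). Inspects the calldata a wallet asks
# you to sign, flags approvals that hand a spender unlimited control, and builds
# the calldata that revokes such an approval.
# The selectors are the standard ERC-20 / ERC-721 ones; the spender address and
# amounts in the samples are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

SELECTOR_APPROVE = bytes.fromhex("095ea7b3")                # approve(address,uint256)
SELECTOR_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")   # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1
# Heuristic (an assumption of this example): anything at or above 2**255 is
# "unlimited" for practical purposes, since dapps use several such sentinel values.
UNLIMITED_THRESHOLD = 2**255


@dataclass(frozen=True)
class ApprovalFinding:
    kind: str               # "approve" or "setApprovalForAll"
    spender: str            # lowercase 0x-address of the spender / operator
    unlimited: bool
    amount: Optional[int] = None  # only for approve()


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return chunk


def _address_from_word(word: bytes) -> str:
    # ABI encodes an address left-padded with 12 zero bytes; anything else is malformed.
    if word[:12] != bytes(12):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def inspect_calldata(data: bytes) -> Optional[ApprovalFinding]:
    """Return a finding if the calldata is an approval, None for any other call."""
    selector = data[:4]
    if selector == SELECTOR_APPROVE:
        spender = _address_from_word(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        return ApprovalFinding("approve", spender, amount >= UNLIMITED_THRESHOLD, amount)
    if selector == SELECTOR_SET_APPROVAL_FOR_ALL:
        operator = _address_from_word(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big")
        if approved not in (0, 1):
            raise ValueError("bool argument is not 0 or 1")
        # Granting an operator over a whole collection is unlimited by definition.
        return ApprovalFinding("setApprovalForAll", operator, approved == 1)
    return None


def build_revoke_calldata(finding: ApprovalFinding) -> bytes:
    """Calldata that undoes the approval: approve(spender, 0) or setApprovalForAll(op, false)."""
    spender_word = bytes(12) + bytes.fromhex(finding.spender[2:])
    selector = SELECTOR_APPROVE if finding.kind == "approve" else SELECTOR_SET_APPROVAL_FOR_ALL
    return selector + spender_word + (0).to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> bytes:
    """Builds approve() calldata; used here to construct the samples a dapp would present."""
    return SELECTOR_APPROVE + bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")


def encode_set_approval_for_all(operator: str, approved: bool) -> bytes:
    return (SELECTOR_SET_APPROVAL_FOR_ALL + bytes(12) + bytes.fromhex(operator[2:])
            + int(approved).to_bytes(32, "big"))


# Constructed samples: what a phishing page and a legitimate dapp might ask you to sign.
PHISH_SPENDER = "0x" + "de" * 20
SAMPLE_UNLIMITED_APPROVE = encode_approve(PHISH_SPENDER, UINT256_MAX)
SAMPLE_CAPPED_APPROVE = encode_approve(PHISH_SPENDER, 1_000 * 10**18)
SAMPLE_OPERATOR_GRANT = encode_set_approval_for_all(PHISH_SPENDER, True)

if __name__ == "__main__":
    for label, data in [("unlimited approve", SAMPLE_UNLIMITED_APPROVE),
                        ("capped approve", SAMPLE_CAPPED_APPROVE),
                        ("operator grant", SAMPLE_OPERATOR_GRANT)]:
        finding = inspect_calldata(data)
        print(label, finding, "revoke:", build_revoke_calldata(finding).hex())
```

A wallet that runs this kind of decode before showing a confirmation can label the prompt honestly ("unlimited allowance to 0xdede…") instead of displaying raw hex; the same decoder applied to an explorer’s transaction history lists the allowances worth revoking.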
Can EIP-7702 features be made safer?
Yes. Developers and wallet providers can add clearer UI warnings, enforce approval granularities, and implement on-device confirmation flows. Community standards and audits can reduce misuse of delegate mechanics.
Are hardware wallets immune to these attacks?
Hardware wallets significantly lower risk by requiring physical confirmation, but they are not a total safeguard: the device only protects you if you read what it displays and refuse to sign an approval or delegation you did not expect. Combine hardware wallets with good verification practices.
Key Takeaways
Phishing scams drained over $12M from 15,000+ wallets in August 2025, largely exploiting Ethereum’s EIP-7702 standard. Experts warn that even major projects are being targeted.
- Rapid adaptation: Criminals quickly weaponized EIP-7702 delegate mechanics to request malicious approvals.
- Concentrated losses: Three whale wallets made up nearly half of August’s reported losses.
- User actions: Revoke unknown approvals, use hardware wallets and multisig, and avoid unlimited signatures.
Conclusion
This surge of EIP-7702 phishing attacks demonstrates how protocol upgrades can create new attack surfaces when users and interfaces fail to adapt. Follow the outlined protections, monitor approvals regularly, and prefer hardware or multisig safeguards to reduce risk. COINOTAG will continue to track developments and publish updates.