New Ethereum feature exploited just weeks after launch in $146K phishing heist

ChainPlay

2 days ago

A new Ethereum upgrade meant to make wallets smarter has already been used to steal crypto. The exploit happened only weeks after the feature’s debut. A victim lost over $146,000 in memecoins in a phishing scam that caught the user off guard.

The target wallet, labelled 0xc6d289d, had been upgraded to the new EIP-7702 smart account format. This update was part of Ethereum’s recent Pectra upgrade. It promised better control and smoother transactions, but like many new things in crypto, it came with hidden risks.

What Is EIP-7702 and Why Does It Matter?

EIP-7702 was introduced to give Ethereum users the best of both worlds. Normally, Ethereum users operate Externally Owned Accounts (EOAs). These are basic accounts controlled by private keys. They’re limited in what they can do: they can’t batch transactions or sponsor gas fees.

Smart contract wallets can do more. They support batching, custom logic, and alternative authentication methods. However, they’re more complex to set up.

EIP-7702 lets users temporarily give their EOA smart contract powers. That means users can delegate control to another address to run smart features, just for one transaction. On paper, it’s a great idea, but it also introduces a big attack surface, and someone just took advantage of it.

The $146K Heist

According to Scam Sniffer, a blockchain security firm, the victim signed a malicious batch transaction. This gave the scammers permission to steal their funds. The attackers used addresses 0xC83De81A and 0x33dAD2b to execute the attack.

They didn’t even need to replace the user’s wallet with a fake one. They simply tricked the user into approving the wrong delegation. Once approved, the wallet acted like a smart contract wallet. The scammers then drained the funds.

The tokens were memecoins, often popular but highly volatile and easy to trade. The total loss was $146,551.

Who’s Behind It?

Cybersecurity expert Yu Xian, founder of blockchain security firm SlowMist, called the attack "creative." He explained that the phishing group behind the heist is likely Inferno Drainer.

Inferno Drainer is infamous in Web3. Though the group claimed to have shut down, their malware is very much still in use. A Check Point Research report said they’ve stolen over $9 million in crypto in just six months.

In this case, they didn’t even use a fake wallet. Instead, they used an EIP-7702 delegator, a mechanism built into MetaMask, to carry out the theft. The delegator they used, 0x63c0c19a2, was a real MetaMask contract. That made it harder for victims to suspect anything.

How It Worked

The victim was likely lured to a phishing website that prompts users to “approve” a transaction or upgrade their wallet. In reality, users are approving malicious contracts.

Once the user signed the transaction, the attacker’s contract gained control. The attacker used the delegation feature to batch and steal tokens without the user ever realising the danger.

Unlike older phishing tricks, this one didn’t change the user’s address. It didn’t need fake wallets. It used real tools in a new and dangerous way.

A Growing Concern

This exploit raises concerns about EIP-7702’s security. It’s still a new feature. But scammers have already figured out how to use it against users.

Data from Dune Analytics (via Wintermute Research) shows that over 48,000 delegations have already happened. That’s a huge number for a new feature.

Worse, many of those delegations are to malicious contracts. Around 36.3% of the 175 known delegate contracts have been flagged as scams. That’s more than one in three.

Security firm GoPlus Security warned that once a user delegates control to one of these malicious contracts, any funds they receive can be automatically redirected to the scammer.

This means even if the user doesn’t do anything else, just receiving tokens could trigger a loss.

MetaMask Responds

MetaMask, one of the most widely used Ethereum wallets, issued a warning to users. A pop-up in the wallet now alerts users that any smart account upgrade should only happen inside the wallet. If a website or email asks you to “upgrade,” it’s a red flag.

MetaMask also recommends checking your token authorisations. Users can do this by browsing their authorisation history on block explorers. If they spot suspicious activity, they can revoke access using wallets that support EIP-7702.
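The check described in the “How It Worked” and “MetaMask Responds” sections can be automated. Under EIP-7702, a delegated EOA’s code becomes the 23-byte designator 0xef0100 followed by the 20-byte delegate address, which eth_getCode returns. The example below (added here; not code from the article, MetaMask or Scam Sniffer) parses that designator and flags any delegate that is not on a trusted list; the addresses and sample code strings are constructed placeholders.

```python
# Added example: classify an account's code as "not delegated", "delegated
# to a trusted contract" or "delegated to an unknown contract" (the phishing
# case). All addresses and code samples below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator prefix


@dataclass
class DelegationStatus:
    delegated: bool
    delegate: Optional[str]  # lowercase hex delegate address, or None
    trusted: bool


def eth_get_code_request(address: str, block: str = "latest") -> dict:
    """Build the JSON-RPC payload a wallet or monitor would send to fetch code."""
    return {"jsonrpc": "2.0", "method": "eth_getCode",
            "params": [address, block], "id": 1}


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is an EIP-7702 designator, else None."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def assess(code_hex: str, trusted_delegates: set) -> DelegationStatus:
    """Interpret an eth_getCode result (hex string) for one account."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    delegate = parse_delegation(code)
    if delegate is None:  # plain EOA (empty code) or ordinary contract bytecode
        return DelegationStatus(False, None, True)
    trusted = delegate in {t.lower() for t in trusted_delegates}
    return DelegationStatus(True, delegate, trusted)


# Constructed sample data: one trusted delegator, one unknown delegator.
TRUSTED = {"0x" + "11" * 20}
SAMPLES = {
    "plain_eoa": "0x",
    "trusted": "0xef0100" + "11" * 20,
    "phished": "0xef0100" + "22" * 20,
    "contract": "0x6080604052",  # ordinary contract bytecode, not a designator
}


def scan(samples=SAMPLES, trusted=TRUSTED) -> dict:
    return {name: assess(code, trusted) for name, code in samples.items()}


if __name__ == "__main__":
    for name, st in scan().items():
        flag = "" if st.trusted else "  <-- unknown delegate, consider revoking"
        print(f"{name:10s} delegated={st.delegated} delegate={st.delegate}{flag}")
```

Per the EIP, a delegation is cleared by signing a new authorization that points at the zero address, which is what a wallet’s “revoke” action does.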

How to Stay Safe

With scams getting more complex, users need to stay alert. Here are some simple safety tips:

  • Never approve a transaction from an unknown website.
  • Don’t click upgrade prompts from emails or links.
  • Use trusted wallets like MetaMask and keep them updated.
  • Check your token authorisation history regularly.
  • Use revocation tools to cancel unknown approvals.
  • Avoid interacting with non-open-source contracts.
  • Be wary of memecoin airdrops. Many are traps.

Yu Xian emphasised that this attack is just the beginning. Phishing gangs are innovating faster than ever. Every new Ethereum feature will likely come with its own risks.

That doesn’t mean people should avoid using smart accounts. But they need to understand what they’re signing. Just because a wallet pop-up looks official doesn’t mean it’s safe.

Final Thoughts

Ethereum’s evolution is far from over. Features like EIP-7702 offer big improvements in user experience, but with innovation comes new threat vectors.

This $146K heist is a warning. The tools meant to empower users can also be turned against them. Scammers are always watching, and they are quick to exploit what’s new.

As Ethereum continues to grow, security awareness must grow with it. Every user, from beginner to pro, needs to double-check every action, every signature, and every delegation.

Crypto moves fast and scams move faster, so stay sharp.
