Trump-Backed WLFI Token Hit by Ethereum EIP-7702 Exploit, Causing Massive Losses

02.09.2025 08:28

Hackers are exploiting Ethereum's recent EIP-7702 upgrade to systematically drain WLFI tokens from holders of World Liberty Financial, a cryptocurrency project backed by Donald Trump. The attack method, identified by SlowMist founder Yu Xian, involves a combination of phishing to compromise private keys followed by pre-planting malicious smart contracts in victim wallets.

The exploit leverages Ethereum's Pectra upgrade from May 2024, which introduced EIP-7702 to allow externally owned accounts to temporarily function like smart contract wallets. This feature enables batch transactions and delegated execution rights designed to improve user experience, but attackers have weaponized it by installing malicious delegate contracts that automatically sweep all funds when users deposit ETH for gas fees.

Multiple WLFI holders have reported complete losses, with one user managing to save only 20% of their tokens through emergency transfers while racing against automated sweeper bots. The WLFI team has issued warnings about fake support messages and scam tokens targeting the project's launch. Security firm Bubblemaps identified multiple WLFI scam contracts imitating the legitimate project.

According to Wintermute research, over 97% of EIP-7702 delegations are linked to identical wallet-draining contracts. The phishing group behind these attacks has netted over $9 million across chains in 2025 by convincing users to authorize attacker-controlled delegate contracts.
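As an added illustration (not code from SlowMist, Wintermute or the WLFI project), a holder or monitoring team can check whether an address currently carries an EIP-7702 delegation by inspecting its account code: the EIP specifies that a delegated account's code is the 3-byte marker `0xef0100` followed by the 20-byte delegate address. The sketch below classifies `eth_getCode` results and counts how many accounts share a delegate; the function names, the trusted list and the sample values are constructed for the example.

```python
"""Added example: spot EIP-7702 delegations in eth_getCode results (offline)."""
from collections import Counter

# EIP-7702 stores 0xef0100 || 20-byte delegate address as the account's code.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 23  # 3-byte prefix + 20-byte address


def parse_delegation(code_hex):
    """Return the delegate address (0x-prefixed, lowercase) or None."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    code = bytes.fromhex(raw)  # raises ValueError on malformed input
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def classify(code_hex, trusted):
    """Classify one account from its eth_getCode result."""
    if code_hex in ("", "0x"):
        return "plain_eoa"  # no code: ordinary account, no delegation set
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return "contract"  # real bytecode, not a delegation designator
    return "delegated_trusted" if delegate in trusted else "delegated_unknown"


def delegate_counts(codes):
    """Count accounts per delegate; many accounts on one unknown delegate stand out."""
    targets = (parse_delegation(c) for c in codes.values())
    return Counter(t for t in targets if t)


# Constructed sample data (assumptions, not real addresses or on-chain values).
TRUSTED = {"0x" + "aa" * 20}   # hypothetical delegate the wallet vendor ships
UNKNOWN = "0x" + "bb" * 20     # hypothetical delegate nobody recognises
SAMPLE = {
    "alice": "0x",
    "bob": "0xef0100" + "aa" * 20,
    "carol": "0xef0100" + "bb" * 20,
    "dave": "0xef0100" + "bb" * 20,
    "vault": "0x6080604052",
}

if __name__ == "__main__":
    for name, code in SAMPLE.items():
        print(name, classify(code, TRUSTED))
    print(delegate_counts(SAMPLE).most_common(1))
```

An account that reports `delegated_unknown` should be treated as compromised along with its private key: any ETH sent to it for gas is exposed to the delegate's code.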