EIP-7702 Exploit: How Hackers Are Stealing WLFI Tokens

Introduction

World Liberty Financial (WLFI) token holders are being targeted by hackers exploiting Ethereum’s EIP-7702 upgrade, according to blockchain security firm SlowMist. The exploit, dubbed the “classic EIP-7702 phishing attack,” allows attackers to plant malicious delegate contracts within victim wallets once private keys are leaked. When unsuspecting users transfer Ether or receive WLFI tokens, the exploit lets hackers quickly drain the assets. This security gap is tied to Ethereum’s Pectra upgrade in May, which introduced more flexible wallet permissions that attackers are now abusing.

Community reports highlight that multiple WLFI investors have already lost tokens in this way. Some users say they were only able to move part of their holdings before automated “sweeper bots” siphoned off the rest. Xian, SlowMist’s founder, noted that affected users often had compromised wallets from phishing attacks long before WLFI deposits were made. In some cases, addresses used to join the WLFI whitelist presale were inherently exposed, making those wallets high-risk. Security experts recommend that compromised holders immediately migrate to safer wallets and attempt to overwrite the malicious contracts.

The WLFI launch has also attracted broader scam activity, including cloned token contracts and fake support accounts on platforms like X. Analytics firm Bubblemaps traced “bundled clones” spoofing legitimate smart contracts to trick buyers, while the WLFI team itself has issued warnings to avoid direct messages claiming to be official support. Despite being backed by high-profile figures, including Donald Trump, the project is under heavy scrutiny as these attacks unfold. The episode underscores ongoing risks around token launches, phishing vulnerabilities, and the importance of safeguarding private keys in the evolving Ethereum ecosystem.