World Liberty Financial (WLFI), the decentralized finance (DeFi) project backed by former U.S. President Donald Trump, is under attack as hackers exploit vulnerabilities in the network to steal tokens from users. The primary method of exploitation involves a known phishing-based wallet attack tied to the EIP-7702 upgrade, according to Yu Xian, founder of cybersecurity firm SlowMist. The exploit allows attackers to plant a malicious delegate contract in a user's wallet before any significant transaction takes place, enabling them to drain funds as soon as they are deposited or transferred.
EIP-7702, introduced as part of Ethereum’s Pectra upgrade in May, was designed to enhance user experience by allowing external accounts to temporarily act like smart contract wallets. However, this feature has been weaponized by bad actors who leverage it to execute rapid token thefts. Xian explained in a post on X that the theft process typically begins with the private key being compromised, often through phishing attacks. Once access is gained, the attacker plants a malicious delegate contract into the victim’s wallet, allowing them to automate the transfer of assets—such as the WLFI tokens—without the user’s knowledge or consent [1].
The impact of the attack has been significant for early WLFI tokenholders. Several users have reported that their wallets were drained shortly after receiving WLFI tokens or depositing Ethereum (ETH) for gas fees. One user, identified by the handle hakanemiratlas, described the experience as a high-stakes race against time. They were able to transfer only 20% of their WLFI tokens to a secure wallet, leaving the remaining 80% vulnerable to immediate theft. Another user, Anton, noted that many individuals who participated in the WLFI presale used compromised whitelisted wallets, making them particularly susceptible to this form of attack [1].
In response to the growing number of incidents, Xian advised users to cancel or replace the malicious delegate contract within their wallets and immediately transfer their tokens to a new, secure address. However, the challenge lies in the fact that even initiating a transaction—such as sending ETH for gas—can trigger an automatic sweep by the attacker. This has made it difficult for users to safely relocate their assets without risking further losses [1].
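
A planted delegate is visible on-chain: under EIP-7702, `eth_getCode` for a delegated wallet returns the 23-byte designator `0xef0100` followed by the delegate contract's address. The check below is an added example, not code from SlowMist or WLFI; the sample code strings and the trusted-delegate allowlist are constructed for illustration.

```python
"""Classify an account from the hex string returned by eth_getCode."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte address

# Constructed sample eth_getCode results (not real on-chain data).
SAMPLE_PLAIN = "0x"                              # ordinary wallet, no code
SAMPLE_DELEGATED = "0xef0100" + "11" * 20        # wallet with a delegate set
SAMPLE_CONTRACT = "0x6080604052"                 # ordinary contract bytecode
TRUSTED = {"0x" + "22" * 20}                     # hypothetical allowlist


def classify_account_code(code_hex: str) -> dict:
    """Return the account kind and, if delegated, the delegate address."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    code = bytes.fromhex(raw)
    if not code:
        # Empty code: never delegated, or delegation cleared (zero address).
        return {"kind": "eoa", "delegate": None}
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return {"kind": "delegated_eoa", "delegate": "0x" + code[3:].hex()}
    return {"kind": "contract", "delegate": None}


def review_wallet(code_hex: str, trusted_delegates: set) -> str:
    """Turn the classification into a verdict a user can act on."""
    info = classify_account_code(code_hex)
    if info["kind"] == "eoa":
        return "ok: no delegation set"
    if info["kind"] == "contract":
        return "n/a: address is a contract, not a user wallet"
    if info["delegate"] in {d.lower() for d in trusted_delegates}:
        return f"ok: delegated to trusted contract {info['delegate']}"
    return f"ALERT: delegated to unrecognized contract {info['delegate']}"


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_DELEGATED, SAMPLE_CONTRACT):
        print(review_wallet(sample, TRUSTED))
```

An unrecognized delegate means an authorization was signed with the wallet's key, which is consistent with Xian's advice to move tokens to a new address rather than only clearing the delegation.
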
The WLFI project has also seen an uptick in related scams, with analytics firm Bubblemaps identifying several fake smart contracts that mimic established projects to deceive users. In addition, the WLFI team has issued warnings to users not to trust unsolicited direct messages across any platform, emphasizing that official support is only available through email. These scams and the underlying vulnerabilities in the token’s infrastructure have raised concerns about the overall security and governance of the project [1].
As the WLFI token continues to face scrutiny and attacks, the broader crypto community is watching closely to see how the project will respond. The exploitation of EIP-7702 highlights the risks associated with rapid Ethereum upgrades and the importance of user education in mitigating phishing and wallet-based attacks.
Source:
[1] Hackers are using the 'classic EIP-7702' exploit to snatch ... (https://cointelegraph.com/news/wlfi-token-holders-falling-prey-classic-wallet-exploit)
[2] Hackers Exploit Smart Wallets to Steal WLFI Tokens (https://forklog.com/en/hackers-exploit-smart-wallets-to-steal-wlfi-tokens/)
