Urgent security risk: Ethereum’s EIP-7702 Pectra already infected by phishing scammers

Source Cryptopolitan

Since the Pectra upgrade was activated on May 7, many users have scrambled to enable EIP-7702 smart accounts, unaware of the risks attached. 

The upgrade enables Externally Owned Accounts (EOAs) to briefly act as smart contract wallets by delegating control via a signed message. While the feature enhances user experience, EIP-7702 has also exposed users to new security risks that require urgent attention.

Top 7702 delegator is allegedly a phishing scam

According to GoPlus Security, on-chain data from bundlebear.com has revealed over 10k addresses using smart accounts.

GoPlus found that once users authorize the malicious delegator address, any ETH transferred to their account gets automatically redirected to the scammer’s address. Source: GoPlus Security

Using contract code decompilation, GoPlus found that once users authorize the malicious delegator with the 0x930fcc37d6042c79211ee18a02857cb1fd7f0d0b address, any ETH transferred to their account gets automatically redirected to the scammer’s address.

Analysis of the code revealed that, after authorization, all ETH is auto-redirected to the scammer wallet 0x000085bad, in what has been identified as a sophisticated theft mechanism.

All ETH transferred to victims’ wallets gets auto-redirected to scammer wallet 0x000085bad. Source: GoPlus Security

It is clear the scammer is exploiting the trust people have in the Pectra upgrade. While the threat is very real, some leading wallets like MetaMask have been able to safely integrate EIP-7702.

GoPlus Security has urged users who want to stay safe to only trust wallet interfaces for 7702 features and treat any external links or emails asking for smart account upgrades as scams.

It is agreed that EIP-7702 will work wonders for Ethereum’s UX and transaction flexibility, but it is crucial to stay alert and never authorize through external links. GoPlus Security warns that if anyone pushes you to “upgrade” outside your wallet, it’s 100% a scam.

Other recommended safety measures include never trusting email/URL links for 7702 authorization, always verifying contract source code, being extra cautious with non-open-source contracts and making sure to check authorization addresses carefully.

Hardware wallets are not safer either

Before the Pectra update, hardware wallets were deemed safer. But according to Yehor Rudytsia, on-chain researcher at Hacken, that is no longer the case.

Rudytsia says hardware wallets are now at the same risk as hot wallets from the perspective of signing malicious messages. “If done, all the funds are gone in a moment,” he said.

While there are ways to stay safe, they all require vigilance on the part of the users.

“Users should not sign the messages they do not understand,” Rudytsia advised. He also urged wallet developers to provide clear warnings when users are asked to sign a delegation message.

Users need to be especially cautious of the new delegation signature formats introduced by EIP-7702, as they are not compatible with the existing EIP-191 or EIP-712 standards. These messages often appear as simple 32-byte hashes and may bypass normal wallet warnings.

“If a message includes your account nonce, it’s probably affecting your account directly,” Usman warned. “Normal sign-in messages or offchain commitments don’t usually involve your nonce.”

Even worse, EIP-7702 allows signatures with chain_id = 0, meaning the signed message can be replayed on any Ethereum-compatible chain.

Compared to hardware wallets, multisignature wallets remain more secure under the Pectra upgrade, thanks to their requirement for multiple signers. Single-key wallets — hardware or otherwise — will have to adopt new signature parsing and red-flagging tools to prevent potential exploitation.
