Hackers Exploit ‘Classic EIP-7702’ to Drain WLFI Tokens

World Liberty Financial (WLFI) tokenholders are becoming the latest victims of a phishing exploit linked to Ethereum’s EIP-7702 upgrade. Security researchers warn that the method, while not new, is being used aggressively to target the governance token’s investors.

Background of the Exploit

The WLFI token, associated with Donald Trump’s political and financial backing, launched recently with a supply of 24.66 billion tokens. But almost immediately after its debut, reports surfaced that investors were seeing their holdings disappear from compromised wallets.

According to Yu Xian, founder of blockchain security firm SlowMist, the issue lies in the abuse of Ethereum’s EIP-7702, an upgrade introduced in the Pectra hard fork in May. The change allows externally owned accounts (EOAs) to behave temporarily like smart contract wallets, enabling features like batch transactions for smoother user experiences.

Hackers, however, have found ways to weaponise the functionality. By pre-planting a malicious delegate contract into a victim’s wallet, they can drain tokens as soon as deposits are made. Xian confirmed in an X post that this was the exact method used to steal WLFI tokens.

How the Exploit Works

An X user first raised concerns on Aug. 31, reporting that a friend’s WLFI tokens vanished after transferring Ether to a wallet. Xian responded, explaining that this was a textbook example of the “Classic EIP-7702 phishing exploit.”

Here’s how the attack unfolds:

  1. Private key leakage – Typically caused by phishing attempts.
     
  2. Malicious delegate contract planted – Hackers attach a contract to the compromised wallet.
     
  3. Automatic drainage – When tokens are deposited or gas is added, the funds are instantly swept away.
     

Xian further explained that victims attempting to rescue tokens often end up losing their gas fees too, since the malicious contract redirects those funds. He suggested that users try cancelling or overwriting the ambushed contract and moving remaining tokens to a new, uncompromised wallet.
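A wallet owner or monitoring team can check for a planted delegate by reading the account's code. The following is an added example, not code from the article or from SlowMist: under EIP-7702 a delegated account's code is the 3-byte marker `0xef0100` followed by the 20-byte delegate address, so an `eth_getCode` result can be classified offline. All addresses and the allowlist below are constructed placeholders.

```python
import json

# EIP-7702 sets a delegated account's code to 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def get_code_request(address, request_id=1):
    """Build the standard eth_getCode JSON-RPC request body for an address."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": "eth_getCode", "params": [address, "latest"]})

def classify_code(code_hex, trusted_delegates=frozenset()):
    """Classify an eth_getCode result as plain EOA, 7702-delegated, or contract."""
    digits = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    raw = bytes.fromhex(digits)
    if not raw:
        # Empty code: no delegation is set (also the state after one is cleared).
        return {"kind": "eoa", "delegate": None, "alert": False}
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        delegate = "0x" + raw[3:].hex()
        trusted = {d.lower() for d in trusted_delegates}
        return {"kind": "delegated", "delegate": delegate,
                "alert": delegate not in trusted}
    return {"kind": "contract", "delegate": None, "alert": False}

def audit(code_by_address, trusted_delegates=frozenset()):
    """Return (address, delegate) pairs whose delegate is not on the allowlist."""
    flagged = []
    for address, code_hex in sorted(code_by_address.items()):
        result = classify_code(code_hex, trusted_delegates)
        if result["alert"]:
            flagged.append((address, result["delegate"]))
    return flagged

# Constructed sample data: placeholder addresses, not real accounts or contracts.
WALLET_A = "0x" + "11" * 20   # never delegated
WALLET_B = "0x" + "22" * 20   # delegated to an unknown contract
WALLET_C = "0x" + "33" * 20   # delegated to a wallet vendor's known contract
KNOWN_DELEGATE = "0x" + "aa" * 20
UNKNOWN_DELEGATE = "0x" + "bb" * 20
SAMPLE_CODE = {
    WALLET_A: "0x",
    WALLET_B: "0xef0100" + UNKNOWN_DELEGATE[2:],
    WALLET_C: "0xef0100" + KNOWN_DELEGATE[2:],
}

if __name__ == "__main__":
    print(get_code_request(WALLET_B))
    for address, delegate in audit(SAMPLE_CODE, {KNOWN_DELEGATE}):
        print(f"{address}: unexpected EIP-7702 delegate {delegate}")
```

To use it against live data, send the `get_code_request` body to an Ethereum JSON-RPC endpoint and pass each response's `result` field to `classify_code`.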

Community Concerns

The issue has been widely discussed in WLFI forums, where affected users are sharing their struggles.

One investor, posting under the handle hakanemiratlas, said he lost most of his holdings despite managing to move a fraction to a new wallet. He explained that every transaction felt like a race against the hacker’s automated sweeper bots, and most of his tokens remain stuck in a compromised address.

Another user, Anton, highlighted a structural problem: WLFI’s presale required participants to use their whitelist wallets. That means many wallets holding WLFI were already exposed before launch. Anton warned that bots are stealing tokens the instant they are unlocked, leaving little time for users to transfer them to safety. He has urged the WLFI team to introduce a safer, direct transfer method to help investors.

Scams Around WLFI’s Launch 

Adding to the chaos, scammers have taken advantage of WLFI’s high-profile launch. Analytics firm Bubblemaps reported discovering several cloned contracts mimicking legitimate crypto projects. These fakes aim to trick investors into interacting with malicious tokens.

In response, the WLFI team has issued repeated warnings, clarifying that they never reach out to users via direct messages. Their only official communication channels are through verified email domains. They caution users to carefully verify all correspondence to avoid falling victim to impersonation scams.

The Bigger Picture 

While the exploit requires private key compromise, its impact highlights the dangers of phishing campaigns targeting new token launches. EIP-7702 was designed to enhance user experience, but has inadvertently created another attack vector when combined with stolen credentials.

For WLFI holders, the immediate risk is the loss of tokens due to automated sweeper bots. For the broader Ethereum community, the incident raises questions about security practices, wallet safety, and the unintended consequences of new protocol upgrades.
