**Crypto Heist: How a Phishing Scam is Draining World Liberty Financial Token Holders**

Imagine this: You’re about to send a small amount of ETH to pay for a gas fee, only to watch helplessly as your entire WLFI token stash vanishes in seconds. That’s the reality for hundreds of World Liberty Financial (WLFI) holders, who are falling victim to a sophisticated phishing exploit tied to Ethereum’s latest upgrade.

The attack hinges on a feature from Ethereum’s May 2024 Pectra upgrade—specifically, EIP-7702. Designed to improve user experience by letting external accounts act like smart contract wallets, the upgrade also opened a backdoor for hackers. By tricking users into revealing their private keys through phishing scams, attackers plant malicious contracts in compromised wallets. These contracts lie dormant until a user deposits ETH for gas fees, at which point they spring into action, siphoning tokens to hacker-controlled addresses in an instant.

“It’s like a trap that triggers the moment you think you’re safe,” says Yu Xian, founder of security firm SlowMist, who first exposed the exploit on social media.

One victim, hakanemiratlas, shared their harrowing experience on WLFI forums: After depositing ETH in October 2024, their wallet was instantly drained of 80% of their tokens. “Even sending ETH for gas fees felt dangerous,” they wrote. “The malicious contract activated the moment the funds arrived.”

The WLFI project, backed by Donald Trump and launched with a staggering 24.66 billion tokens, has become a magnet for scammers. Users like Anton, a presale participant, explain the problem: The project requires using the same wallet for both the whitelist and token transfers. Without a direct transfer option, any incoming tokens are automatically swept by bots. Once compromised, wallets become unusable—any attempt to move funds triggers the malicious contract.

**The Hack’s Anatomy**

Here’s how the attack unfolds:

1. **Phishing**: Hackers lure victims into revealing private keys via fake links or impersonating WLFI support.
2. **Malicious Setup**: Once keys are stolen, attackers deploy hidden contracts in the victim’s wallet.
3. **Trigger**: When users deposit ETH for gas fees, the contract activates, transferring all WLFI tokens to hacker addresses.

The exploit is a textbook case of “classic EIP-7702” abuse, Xian notes. While the upgrade aimed to streamline transactions, its delegated execution rights have been weaponized.

**What Can Users Do?**

Xian advises affected holders to act fast: Replace the malicious EIP-7702 delegation with user-controlled contracts or transfer tokens to new wallets before hackers strike. But time is against them—once the contract is active, it’s a race against the clock.

WLFI’s team has also issued urgent warnings. They confirm they never contact users via direct messages on platforms like X or email. Scammers often mimic official domains, so users are urged to verify senders meticulously.

**A Cautionary Tale**

The WLFI saga underscores a growing risk in DeFi: Upgrades meant to enhance user experience can also create new vulnerabilities. As EIP-7702 becomes more common, hackers will likely refine their tactics. For now, WLFI holders are left grappling with a chilling reality: A single misplaced click could erase years of investment. Meanwhile, the broader crypto community watches closely, hoping this crisis sparks a renewed focus on security—before the next exploit strikes.

What would you do if your wallet was compromised? And how can the Ethereum ecosystem prevent such attacks in the future?
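For holders who want to check whether a wallet carries an EIP-7702 delegation at all, the sketch below is an added example, not code from the article, SlowMist or WLFI. It classifies the hex string that the `eth_getCode` JSON-RPC call returns for an address, using the EIP-7702 delegation designator (`0xef0100` followed by the 20-byte delegate address); the function names, the `trusted_delegates` allowlist and all sample values are hypothetical.

```python
"""Classify an account's code as returned by eth_getCode (EIP-7702 check)."""

# EIP-7702 delegation designator: 0xef0100 followed by the 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 23


def parse_code(code_hex: str) -> bytes:
    """Decode the hex string an eth_getCode call returns ('0x' means no code)."""
    h = code_hex.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    return bytes.fromhex(h)


def classify_account(code_hex: str, trusted_delegates=frozenset()) -> dict:
    """Return the account kind and, for a delegated EOA, the delegate address."""
    code = parse_code(code_hex)
    if not code:
        # No code at all: an ordinary externally owned account, no delegation set.
        return {"kind": "plain_eoa", "delegate": None, "alert": False}
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        delegate = "0x" + code[3:].hex()
        # Alert unless the owner knowingly delegated to this contract (assumed allowlist).
        trusted = delegate in {a.lower() for a in trusted_delegates}
        return {"kind": "delegated_eoa", "delegate": delegate, "alert": not trusted}
    # Any other code means the address is a regular deployed contract.
    return {"kind": "contract", "delegate": None, "alert": False}


# Constructed sample values, not taken from any real wallet or incident.
SAMPLE_DELEGATE = "0x" + "ab" * 20
SAMPLES = {
    "clean wallet": "0x",
    "delegated wallet": "0xef0100" + "ab" * 20,
    "ordinary contract": "0x6080604052",
}

if __name__ == "__main__":
    for label, code_hex in SAMPLES.items():
        print(label, classify_account(code_hex))
```

A `delegated_eoa` result with an unrecognized delegate address on a wallet whose owner never signed a delegation is the condition the article describes.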

Disclaimer

The opinions expressed by the writers at Grow My Bag are their own and do not reflect the official stance of Grow My Bag. The content provided on our site is not intended as investment advice, and Grow My Bag is not an investment advisor. We do not endorse buying or selling any cryptocurrencies or digital assets mentioned in our articles. High-risk investments in Bitcoin, cryptocurrencies, and digital assets require thorough due diligence, and all transfers and trades made are at your own risk. Grow My Bag is not responsible for any potential losses and participates in affiliate marketing.
 15 Sep 25