
Hackers Exploit Smart Wallets to Steal WLFI Tokens
Hackers exploit Ethereum update to steal WLFI tokens, says SlowMist founder.
Hackers are exploiting a vulnerability in an Ethereum update to steal World Liberty Financial (WLFI) tokens, according to SlowMist founder Yu Xian.
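Came across another case where a player had $WLFI stolen from multiple addresses. I looked at the theft technique: once again it is abuse of a malicious 7702 delegate contract, and the precondition is again a leaked private key. The hacker plants a malicious 7702 delegate address on the target wallet address in advance, then transfers away all ETH and valuable tokens (here, $WLFI) from the target address, leaving not a crumb behind. If the user transfers in ETH as… https://t.co/YyVvMPwaGM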
— Cos(余弦)😶🌫️ (@evilcos) September 1, 2025
According to him, the attackers are exploiting EIP-7702. The attack unfolds in several stages. Initially, hackers obtain the victim’s wallet private key, typically through phishing.
They then deploy a malicious delegate contract and set it on the victim's wallet address in advance. As soon as the user funds the account, for instance by receiving WLFI tokens or depositing ETH for gas fees, a bot automatically transfers all assets to the fraudsters' address.
The EIP-7702 feature was introduced in the Pectra update in May. It was intended to simplify wallet operations by allowing them to temporarily act as smart contracts and execute batch transactions.
Fraudsters and WLFI
Trading of the WLFI token from the DeFi project linked to the Trump family, World Liberty Financial, began on September 1.
On the project’s forums, victims confirm the issue. One of them reported that he managed to withdraw only 20% of his WLFI in a “race” with the hacker. The remaining 80% are locked in a compromised wallet. He fears losing them immediately upon unlocking.
Another user explained that the problem is exacerbated by the token sale conditions. Participation in the presale required using a whitelisted wallet. Many of these wallets may have been compromised long before the event.
How to Protect Yourself
Xian suggested a possible solution: users should cancel or replace the malicious delegate contract in the wallet with their own. After that, they should immediately transfer all assets to a new address.
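A check that supports the advice above, as an added example that is not from the article or from SlowMist: under EIP-7702 a delegated account's code is the 23-byte designator `0xef0100` followed by the delegate address, so the `eth_getCode` result for a wallet shows whether a delegate is set and which one. The allowlist, wallet addresses and code strings below are constructed for illustration.

```python
# Added example: classify accounts by their eth_getCode result (EIP-7702).
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # designator prefix defined by EIP-7702
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte delegate address


def _to_bytes(code_hex):
    """Decode a 0x-prefixed hex string as returned by eth_getCode."""
    text = code_hex.strip().lower()
    return bytes.fromhex(text[2:] if text.startswith("0x") else text)


def parse_delegation(code_hex):
    """Return the delegate address if the code is a delegation designator, else None."""
    raw = _to_bytes(code_hex)
    if len(raw) == DESIGNATOR_LEN and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[len(DELEGATION_PREFIX):].hex()
    return None


def classify(code_hex, trusted_delegates):
    """Return (status, delegate) for one account's code."""
    delegate = parse_delegation(code_hex)
    if delegate is not None:
        trusted = {a.lower() for a in trusted_delegates}
        status = "delegated-trusted" if delegate in trusted else "delegated-unknown"
        return status, delegate
    return ("plain-eoa" if not _to_bytes(code_hex) else "contract"), None


def audit(codes_by_address, trusted_delegates):
    """Return {address: delegate} for every wallet delegated to an unrecognised contract."""
    flagged = {}
    for address, code_hex in codes_by_address.items():
        status, delegate = classify(code_hex, trusted_delegates)
        if status == "delegated-unknown":
            flagged[address] = delegate
    return flagged


# Constructed sample data: none of these are real addresses or real bytecode.
TRUSTED = ["0x" + "11" * 20]  # hypothetical delegate the owner set themselves
SAMPLE_CODES = {
    "0x" + "a1" * 20: "0x",                        # ordinary wallet, no code
    "0x" + "a2" * 20: "0xef0100" + "11" * 20,      # delegated to the owner's contract
    "0x" + "a3" * 20: "0xEF0100" + "DE" * 20,      # delegated to an unrecognised contract
    "0x" + "a4" * 20: "0x6080604052",              # regular contract bytecode prefix
}

if __name__ == "__main__":
    for wallet, delegate in audit(SAMPLE_CODES, TRUSTED).items():
        print(f"{wallet}: delegated to unrecognised contract {delegate}")
```

A wallet flagged here is in the state the article describes: a delegate the owner did not choose is already in place before any funds arrive.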
In the wake of the token launch, other fraudsters have also become active. Analytics firm Bubblemaps discovered several smart contracts mimicking well-known crypto projects.
WATCH OUT: 🚨 $WLFI is live and bundled clones are everywhere
Be careful what you buy https://t.co/F91ubhcK52 pic.twitter.com/bHpe87F3uC
— Bubblemaps (@bubblemaps) September 1, 2025
The WLFI team warned that they never message users directly, and official support is only available via email.
Back in June, the Trump family DeFi project conducted a USD1 stablecoin airdrop among WLFI holders.