Recent Sophisticated Phishing Attacks: How Much Do You Know?

Jonas / Sep 17, 2025

Key Takeaways

• Hackers are leveraging fake Zoom meeting links and hijacked contact accounts to spread malware

• EIP-7702 introduces new transaction delegation features, which are being exploited to hijack asset control

• Victims either unknowingly sign EIP-7702 transactions or have their keys stolen and delegated to sweeper bots

• Over $12M stolen in August alone through phishing and EIP-7702-related attacks, per Scam Sniffer

• Avoid upgrading to EIP-7702 unless absolutely necessary, and double-check every delegated contract

• OneKey hardware wallet supports EIP-7702 parsing, showing malicious authorizations clearly before you sign

• True asset protection depends on keeping your private key offline—use a hardware wallet to stay safe

As the saying goes, "The higher the road, the greater the devil."

Crypto asset phishing remains rampant, especially with the emergence of "EIP-7702 Authorization Attacks," which have made hackers even more audacious...

Look at these cases:

On September 2nd, KOL @Tintinx2021 posted that they were tricked by scammers into downloading a fake meeting link under the guise of discussing a collaboration.

Also on September 2nd, crypto whale @KuanSun1990, while discussing a collaboration on Telegram with a BD they had met in real life, had $13 million in assets transferred after downloading a malicious file from a fake Zoom link sent directly by the other party.

On September 8th, KOL @dov_wo entered a fake Zoom meeting link via Calendly after their Telegram contact's account was stolen.

Fortunately, due to timely intervention, these incidents ultimately did not result in significant asset losses, but hackers won't always come away empty-handed:

On September 12th, Thorchain co-founder @jpthor had $1.3 million stolen due to the same fake Zoom meeting link.

The combination of "stolen acquaintance accounts + phishing meeting links" has been used for years and remains effective. Naturally, we can imagine how rampant even more sophisticated and novel methods must be:

On August 5th, an address lost $66k after upgrading to EIP-7702 and using a fake Uniswap.

On August 22nd, a whale lost $1 million for the same reason.

On August 24th (yes, just two days later), another whale lost $1.54 million after signing an EIP-7702 type phishing transaction.

The above is only a partial tally for a single month.

Security firm Scam Sniffer (@realScamSniffer) reported that in August a total of 15,230 victims were robbed, with the total amount reaching $12 million, an increase of over 60% compared to July.

Incidents involving the EIP-7702 standard, the attack type described above, are becoming increasingly frequent. Many people are unfamiliar with this concept, but the data is a warning to be particularly vigilant against this novel attack method.

What is EIP-7702?

EIP-7702 introduces a new transaction type that allows the code of an account address to be written as a proxy pointer. From then on, calls executed against this address are redirected to the target contract's code. This setting remains in effect until you replace the proxy pointer with a new authorization or clear it.

Its design intent is to improve the user's transaction experience in three aspects:

  • Simplify transaction processing: Bundling on-chain operations that would normally require two or three separate transactions into a single transaction, which either all succeed or all fail.
  • Gas delegation: Others pay your gas fees and you are only responsible for signing, so transactions can be completed even if your wallet has no ETH.
  • Permission downgrading: Giving a sub-key to the proxy contract, granting permissions only for "specific token, specific amount, specific application." For example, it can only spend a certain ERC-20 token but not ETH.

Why is EIP-7702 dangerous?

Although EIP-7702 was intended to provide a better user experience, consider what happens when you hand over your "transaction execution rights" to a "malicious contract address" that can perform any operation without limits: your assets are no longer yours.

As early as May of this year, Wintermute's research showed that over 97% of EIP-7702 related authorizations were associated with malicious contracts.

And the ways you might fall victim are very direct:

  • Users may have entered a phishing website and signed an unknown transaction that was actually an EIP-7702 type transaction, delegating the address's permissions to a target contract address designed by a hacker.
  • Or the private key may have been leaked. Attackers steal the private key and use a malicious EIP-7702 authorization tuple to delegate the victim's EOA to a "sweeper bot" contract, which immediately transfers out new assets when the victim's wallet receives them.

How can users protect themselves?

  • As always, carefully review the signature content and do not sign transactions you don't understand. More importantly, carefully check website URLs and SSL certificates, and avoid clicking links from social media direct messages or unknown emails.
  • Regularly review your authorizations. For example, Rabby wallet's authorization management can clearly show whether an account has performed EIP-7702 authorization.
  • Do not perform EIP-7702 type upgrades. Wallets and applications offer upgrade options to improve user experience. However, if users do not have an urgent need, it is best not to enable this feature.
  • When authorizing EIP-7702 transactions, be sure to review the delegated contract address and ensure it comes from a fully audited, well-tested, and widely trusted protocol.
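
The authorization checks in the list above can also be scripted. The following is an added example, not code from the original post or from any wallet it mentions: it classifies an `eth_getCode` result using the EIP-7702 delegation designator (`0xef0100` followed by the 20-byte delegate address) and flags risky authorization tuples. The allowlist, the dict layout of the tuple and all sample values are assumptions constructed for illustration.

```python
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator prefix
ZERO_ADDRESS = "0x" + "00" * 20

# Hypothetical allowlist: delegate contracts you have reviewed yourself (constructed value).
TRUSTED_DELEGATES = {"0x" + "11" * 20}


def classify_account_code(code_hex):
    """Classify an eth_getCode result as ('eoa' | 'delegated' | 'contract', delegate)."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if not code:
        return ("eoa", None)
    # A delegated EOA holds exactly 23 bytes: 0xef0100 followed by a 20-byte address.
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return ("delegated", "0x" + code[3:].hex())
    return ("contract", None)


def review_authorization(auth, trusted=TRUSTED_DELEGATES):
    """Return warnings for one authorization tuple (assumed dict of hex strings)."""
    target = auth["address"].lower()
    if target == ZERO_ADDRESS:
        # Delegating to the zero address removes an existing delegation.
        return ["clears existing delegation"]
    warnings = []
    if target not in trusted:
        warnings.append("delegate %s is not on the reviewed allowlist" % target)
    if int(auth["chainId"], 16) == 0:
        warnings.append("chainId 0: authorization is valid on every chain")
    return warnings


def audit_account(code_hex, trusted=TRUSTED_DELEGATES):
    """Summarise the delegation state of an account from its on-chain code."""
    kind, delegate = classify_account_code(code_hex)
    if kind != "delegated":
        return {"kind": kind, "delegate": None, "trusted": None}
    return {"kind": kind, "delegate": delegate, "trusted": delegate in trusted}


if __name__ == "__main__":
    # Constructed samples, not real on-chain data.
    sample_code = "0xef0100" + "22" * 20
    sample_auth = {"chainId": "0x0", "address": "0x" + "22" * 20, "nonce": "0x5"}
    print(audit_account(sample_code))
    for warning in review_authorization(sample_auth):
        print("WARNING:", warning)
```

An account that reports `delegated` with a delegate you never reviewed should be treated as compromised until the delegation is cleared and the key is rotated.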

End

Regardless of whether hackers use new tricks or old routines, what truly determines the security of your assets is whether your private key is exposed in a high-risk environment. If your private key is secure (e.g., using a hardware wallet):

  • Even if you accidentally click a hacker's phishing meeting link, your assets will not be immediately transferred because the hacker cannot find your private key on your computer.
  • When only you know your private key (your hardware wallet is in your hands), hackers cannot authorize EIP-7702 for your address.

Finally, a quick note: OneKey's hardware wallet also supports EIP-7702 transaction parsing, which means that when you interact with a suspicious website, any lurking malicious authorization is clearly visible on the hardware wallet, making it easy to identify and block.

Attacks change, but the boundary remains the same – keep your private key in hardware, and keep the decision-making power in your own hands.
