World Liberty Financial’s (WLFI) governance tokenholders are being targeted by a phishing wallet exploit tied to Ethereum’s EIP-7702 upgrade, according to SlowMist founder Yu Xian.
Introduced in May as part of Ethereum’s Pectra upgrade, EIP-7702 enables external accounts to temporarily function as smart contract wallets, granting delegated execution rights and supporting batch transactions to improve user experience.
In an X post on Monday, Xian explained that attackers are abusing this upgrade by pre-embedding a malicious, hacker-controlled address into victim wallets. Once a deposit is made, the hackers swiftly drain the tokens — a tactic currently impacting WLFI holders.
“Came across another case where multiple addresses lost WLFI. The theft once again stems from exploiting the 7702 delegate malicious contract, with private key leakage as the initial trigger,” Xian noted.
The Donald Trump–backed World Liberty Financial (WLFI) token launched trading on Monday with a total supply of 24.66 billion tokens.
How it works
Ahead of the official debut, an X user reported on Aug. 31 that their friend’s WLFI tokens were drained shortly after transferring Ether into their wallet.
Responding to the post, SlowMist founder Yu Xian identified it as a case of the “Classic EIP-7702 phishing exploit.” In this attack, once a private key is compromised, the attacker embeds a malicious delegate smart contract into the victim’s wallet address linked to that key.
In an earlier post, Xian added that such private key leaks typically occur through phishing schemes.
“As soon as you attempt to move any remaining tokens — like the WLFI locked in the Lockbox contract — the gas you provide is instantly siphoned away,” Xian explained.
He advised users to “cancel or overwrite the ambushed EIP-7702 with your own” and, if possible, transfer tokens out of the compromised wallet as a mitigation step.
WLFI community raises concerns
Reports of similar thefts have been surfacing in WLFI forums. A user posting under the handle hakanemiratlas said his wallet was compromised last October, leaving him fearful for his WLFI holdings.
“I only managed to move about 20% of my WLFI into a new wallet — it felt like a race against the hacker. Even sending ETH for gas was nerve-racking, since it could have been stolen immediately,” he wrote.
“Now, 80% of my WLFI remains trapped in the compromised wallet. I’m extremely worried that once those tokens unlock, the hacker will sweep them away instantly.”
Another user, Anton, said many others face the same risk due to the way the WLFI token drop was structured. Since the same wallet used to join the whitelist is required for the presale, it becomes a target.
“The moment the tokens land, automated sweeper bots grab them before we can move them to a safer wallet,” Anton warned, urging the WLFI team to add a direct transfer option for greater security.
Scammers target WLFI launch
In the days surrounding the WLFI token launch, multiple scams have surfaced. Analytics firm Bubblemaps flagged several “bundled clone” contracts designed to mimic legitimate crypto projects and mislead investors.
The WLFI team has also issued a warning, stressing that it never reaches out via direct messages on any platform. The project’s only official support channels are through email.
“If you get a DM claiming to be from us, it’s a scam and should be ignored. For emails, always verify that the sender’s address matches our official domains before engaging,” the team cautioned.
