Phishing Attacks Surge: August 2025 Hits Record 15,000+ Victims as EIP-7702 Exploits Intensify

ScamSniffer’s latest monthly report reveals a significant resurgence in phishing activities during August 2025, with financial losses reaching $12.17 million - marking a 72% increase compared to July. This represents one of the highest monthly totals this year, following a pattern where losses peaked at $10.25 million in January before declining to their lowest point of $2.80 million in June.

Record-Breaking Victim Count

The number of users affected by phishing scams reached unprecedented levels in August, with 15,230 victims recorded - a 67% increase from July’s 9,143 victims. This marks the first time in 2025 that the monthly victim count has exceeded 10,000, surpassing even January’s previous high of 9,220 affected users.

Notable incidents include:

• A single user lost $3.08 million on August 6 after unknowingly approving a malicious transaction that transferred their aEthUSDT tokens to a phishing contract
• Three major cases collectively accounted for 46% of all August losses
• One victim lost $1.54 million after signing an EIP-7702 phishing batch transaction
• Another user lost approximately $1 million in cryptocurrencies and non-fungible tokens through similar attack vectors

EIP-7702 Exploits Dominate August Attacks

ScamSniffer’s analysis identifies a sharp increase in EIP-7702 batch signature scams, which were responsible for the majority of August losses. This attack vector not only caused two of the three largest financial losses for the month but also affected numerous other users:

• User 0x4897e lost $235,977 to batch transfers disguised as legitimate DEX swaps
• User 0x5ad31d lost $66,000 through similar deceptive transactions
• Security analysts have identified a clear pattern of phishers specifically targeting addresses that upgraded to EIP-7702

EIP-7702, introduced during the Ethereum Pectra upgrade in June, allows externally owned accounts (EOAs) to temporarily utilize smart contract capabilities, including transaction batching. While designed to enhance user experience, this feature has inadvertently created a security vulnerability that malicious actors are increasingly exploiting.

According to ScamSniffer: “This time attackers use batch transfers (vs previous batch approvals), routing through Uniswap Universal Router to appear legitimate.”

The exploitation of EIP-7702 vulnerabilities has been occurring since the June Pectra upgrade but has intensified recently as attackers refine their techniques. Using automated sweeper attacks, they can steal any funds deposited into compromised addresses.

WLFI Token Holders at Elevated Risk

The vulnerability concerns have become particularly pronounced among World Liberty Financial (WLFI) token holders. SlowMist founder Yu Xian recently observed that attackers are specifically targeting WLFI holders through a sophisticated approach:

1. Obtaining private keys through phishing attacks
2. Setting up EIP-7702 exploit mechanisms for the compromised address
3. Immediately stealing tokens once they are unlocked

This has prompted requests from affected users for the WLFI team to implement direct transfer options to protect addresses on the WLFI whitelist that have already been compromised.

Address Poisoning Continues to Threaten Users

Beyond EIP-7702 exploits, address poisoning remains a persistent threat to cryptocurrency users. Several significant losses in August were attributed to this technique:

• One user lost $636,559 after copying an incorrect deposit address from their contaminated address book
• Two other users lost $500,000 and $19,000 respectively through similar address poisoning incidents

In these cases, the fraudulent addresses were designed to mimic legitimate ones, with identical first six and last four characters - a classic hallmark of address poisoning attacks.

The increase in direct transfers to phishing contracts was likely facilitated by malicious advertisements. ScamSniffer noted that phishing ads appearing in Google Search results frequently use Google Sites to host fake DeFi interfaces. Even more concerning, Bing search results have ranked phishing sites as the #1 result for users searching for popular blockchain analytics platforms.