Cryptocurrency phishing losses fall 83%, but new EIP-7702 attack methods remain active

Cryptocurrency phishing

In 2025, cryptocurrency phishing losses fell to $83.85 million, an 83% decline year over year, and the number of victims fell to about 106,000. Scam Sniffer warns that the drainer ecosystem remains active: attackers have shifted to small-scale, high-frequency campaigns, with an average loss of only $790 per victim. A new attack method built on EIP-7702 stole $2.54 million across two incidents in August.

The Bull Market's Third Quarter Becomes a Phishing Hotspot

The decrease in losses does not reflect reduced attacker activity; it tracks the market cycle. Web3 security platform Scam Sniffer analyzed the on-chain characteristics of phishing incidents on Ethereum Virtual Machine (EVM) chains and found that losses rise when on-chain activity is high and fall when the market cools. The third quarter of 2025 coincided with Ethereum (ETH)'s strongest rally of the year: phishing losses for the quarter reached about $31 million, and August and September alone accounted for nearly 29% of the year's total.

The report states: “When the market is active, overall user activity increases, and the proportion of affected users also rises — the likelihood of network phishing correlates positively with user activity.” Monthly losses ranged from $2.04 million in December, the quietest month, to $12.17 million in August, the most active, a roughly sixfold swing. The correlation shows how precisely attackers time their campaigns, launching them when user activity peaks and attention is most scattered.

The deeper reason lies in how behaviour changes during a bull market. As prices rise, FOMO (fear of missing out) pushes users to trade new tokens, chase airdrops and farm liquidity, all of which require signing approvals and messages again and again, creating more opportunities for phishing. Attackers exploit users' weakened judgment in this excited state, cloning the websites of popular projects, impersonating official Discord channels and using similar tactics to obtain signatures.

The Q3 peak is also linked to Ethereum's Pectra upgrade (live on mainnet since May 2025). New protocol features typically arrive with too little user education, giving attackers a window to develop new attack methods before users and wallets catch up. This pattern of technical innovation opening a security window has recurred throughout crypto history, from DeFi summer to the NFT boom, with each breakthrough accompanied by new scams.

EIP-7702 Opens Pandora’s Box

2025 saw the emergence of a new attack vector. Malicious signatures based on EIP-7702 appeared shortly after the Pectra upgrade: attackers use the new delegation mechanism so that a single signed authorization hands control of the victim's account to attacker-controlled contract code, which can then perform multiple malicious operations in one batch. Two major EIP-7702 attacks in August caused losses of $2.54 million, showing how quickly attackers adapt to protocol-level changes.

EIP-7702 was designed to improve user experience: it lets an externally owned account (EOA) delegate to a smart-contract implementation so the account can execute contract code, enabling batched transactions, gas sponsorship and features such as social recovery. The delegation is created by signing an authorization over the chain ID, the delegate contract address and the account nonce; once applied it persists until the account signs a new authorization (delegating to the zero address clears it). Attackers have weaponized this flexibility. They present a seemingly normal authorization request, but the delegate is a malicious contract, and after the authorization lands on chain the attacker can run arbitrary operations from the victim's account in a single batch: token approvals and transfers, changes to account permissions, and pointing the account at further malicious proxies.

The greater danger is how well EIP-7702 attacks hide. Traditional phishing usually involves an explicit token approval, which experienced users can recognise as abnormal. An EIP-7702 authorization, by contrast, is not a transaction and carries no recipient or amount; it can be dressed up as a legitimate account upgrade or batch-transaction authorization and fool even technical users. Wallet interfaces often do not clearly show what the account is being delegated to, so users struggle to understand what the signature really means. Two details a wallet should surface and a user should check are the delegate address (is it a known account implementation?) and the chain ID, since an authorization signed with chain ID 0 is valid on every chain.

The $2.54 million lost so far is modest, but it is only an initial probe of the method. Scam Sniffer researchers warn that as more wallets and DApps integrate EIP-7702 features, the scale and frequency of such attacks could rise significantly. Attackers are still learning and optimising the technique, and more sophisticated variants are likely.
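As an added example (not code from Scam Sniffer or this article), the following Python shows the two checks a wallet or an analyst can apply to EIP-7702: recognising a delegated EOA from its code, and reviewing an authorization request before it is signed. The 0xef0100 designator prefix, the 0x05 magic byte and the [chain_id, address, nonce] tuple are taken from EIP-7702 itself; the trusted-delegate list, the addresses and the sample tuples are hypothetical.

```python
"""Wallet-side checks for EIP-7702 delegations and authorization requests.

Added example, not from the article. Constants follow EIP-7702: the 0xef0100
delegation designator prefix and the 0x05 magic byte that prefixes the
RLP-encoded [chain_id, address, nonce] tuple the user signs. The trusted
delegate list and all addresses below are made up for illustration.
"""
from dataclasses import dataclass

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # code of a delegated EOA: 0xef0100 || 20-byte address
SET_CODE_MAGIC = b"\x05"                      # MAGIC prefix of the authorization signing payload


def parse_delegation(code: bytes):
    """Return the delegate address if `code` is a 7702 delegation designator, else None.

    An EOA whose code starts with 0xef0100 executes the code of the address that
    follows, whatever the wallet UI still calls the account.
    """
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def _length_prefix(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(n_bytes)]) + n_bytes


def rlp_encode(item) -> bytes:
    """Minimal RLP encoder for ints, bytes and lists (enough for the 7702 tuple)."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _length_prefix(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _length_prefix(len(payload), 0xC0) + payload


def authorization_payload(chain_id: int, delegate: str, nonce: int) -> bytes:
    """The bytes a wallet keccak-256 hashes and signs: MAGIC || rlp([chain_id, address, nonce])."""
    return SET_CODE_MAGIC + rlp_encode([chain_id, bytes.fromhex(delegate[2:]), nonce])


@dataclass
class Authorization:
    chain_id: int   # 0 means "valid on every chain"
    delegate: str   # contract whose code the EOA will execute
    nonce: int      # must equal the signer's account nonce when the authorization is applied


def review_authorization(auth: Authorization, connected_chain_id: int,
                         account_nonce: int, trusted_delegates) -> list:
    """Return human-readable findings a wallet should show before the user signs."""
    findings = []
    if auth.chain_id == 0:
        findings.append("chain_id is 0: the signature is replayable on every EVM chain")
    elif auth.chain_id != connected_chain_id:
        findings.append(f"chain_id {auth.chain_id} differs from the connected chain {connected_chain_id}")
    if auth.delegate.lower() not in {d.lower() for d in trusted_delegates}:
        findings.append(f"delegate {auth.delegate} is not a known account implementation")
    if auth.nonce > account_nonce:
        findings.append(f"nonce {auth.nonce} is in the future: the signature stays usable until the "
                        f"account reaches it (current nonce {account_nonce})")
    elif auth.nonce < account_nonce:
        findings.append(f"nonce {auth.nonce} is stale: the authorization can never be applied")
    return findings


if __name__ == "__main__":
    # Hypothetical addresses: a wallet's vetted implementation and an attacker's drainer.
    TRUSTED = ["0x" + "cd" * 20]
    drainer = "0x" + "ab" * 20
    print(parse_delegation(bytes.fromhex("ef0100" + "ab" * 20)))  # the EOA now runs the drainer's code
    print(authorization_payload(1, drainer, 0).hex())
    for f in review_authorization(Authorization(0, drainer, 9), 1, 5, TRUSTED):
        print("WARNING:", f)
```

The future-nonce finding matters in practice: an authorization is only applied when the nonce matches, so a phished signature with a higher nonce can sit in the attacker's hands and be submitted the moment the victim's account catches up.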

From Lone-Wolf Hits to Net-Casting Strategies

The strategic shift in crypto phishing follows a clear economic logic. Large attacks yield high profits per hit but carry more risk: victims are more likely to report to authorities and hire on-chain analysis firms to trace funds, increasing attackers' exposure and legal risk. Small, high-frequency attacks produce lower individual gains but are often written off by victims as bad luck, and law enforcement lacks the resources to investigate every small case.

More importantly, small-scale attacks scale. Attackers run hundreds of phishing sites simultaneously with automation tools, generate convincing phishing emails and social media messages with AI, and process victims in bulk. This industrialised scam model lowers the cost per attack and raises overall yield. The report concludes: “The drainage ecosystem remains active — as old drainers exit, new ones will emerge to fill the gap.”

Three Major Shifts in Phishing Patterns in 2025

Sharp decrease in large cases: in 2025, only 11 incidents caused losses above $1 million, down from 30 in 2024. The largest single phishing attack, in September, took $6.5 million via a malicious Permit signature.

Per-victim losses plummeted: the average loss per victim fell to $790, far below the previous year. Attackers have shifted from precisely targeting “whales” to broad sweeps aimed at retail users.

Permit authorizations remain dominant: among incidents with losses above $1 million, attacks based on Permit and Permit2 signatures accounted for 38% of losses, proving the method is still effective and widely used. A Permit is an off-chain signed message (EIP-2612, or Uniswap's Permit2) that grants a spender an allowance without an on-chain approve transaction, so the victim sees only a signature request, and the drain happens later when the attacker submits the signature.

Address Poisoning and Multi-Signature Vulnerabilities Become New Focus

In December 2025, losses from crypto hacks and exploits fell to about $76 million, down 60% from $194.2 million in November. PeckShield recorded 26 major incidents that month, showing that attacks continue even as overall losses slow.

The largest case was a $500 million address poisoning scam, in which attackers use lookalike wallet addresses to trick victims into sending funds to the wrong account. The attack exploits how addresses are displayed: most wallets show only the first and last few characters and elide the middle. Attackers generate addresses whose leading and trailing characters match those of the victim's real counterparty, then send tiny or zero-value transfers so the lookalike appears in the victim's transaction history. When the victim later copies a recipient address from that history, they may pick the attacker's address. The defence is to compare the full address rather than the displayed ends, and to take recipient addresses from an address book rather than from recent transactions.
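As an added example (not code from PeckShield or this article), the following Python implements the detection logic described above over a small transfer history: it flags inbound dust or zero-value pokes from addresses that mimic an address-book entry on the displayed head and tail, flags outbound transfers to such lookalikes, and shows the full-string comparison a send flow should perform. The addresses, transfer records and the six-plus-four character display window are constructed for illustration.

```python
"""Detect address-poisoning lookalikes in a transfer history.

Added example, not from the article or PeckShield. The wallet addresses and
transfer records below are constructed; the head/tail lengths mimic how many
characters a truncated wallet UI typically shows (wallets differ, so tune them).
"""
from dataclasses import dataclass


@dataclass
class Transfer:
    tx_hash: str
    counterparty: str  # the other side's address, 0x-prefixed hex
    direction: str     # "in" (received) or "out" (sent)
    value: int         # amount in the token's smallest unit


def visible_parts(address: str, head: int = 6, tail: int = 4):
    """The characters a truncated display shows, e.g. 0x1a2b3c...4567 -> ('1a2b3c', '4567')."""
    a = address.lower()
    return a[2:2 + head], a[-tail:]


def is_lookalike(candidate: str, known: str, head: int = 6, tail: int = 4) -> bool:
    """True when `candidate` matches `known` on the displayed ends but is a different address."""
    if candidate.lower() == known.lower():
        return False
    return visible_parts(candidate, head, tail) == visible_parts(known, head, tail)


def find_poisoning(history, address_book, dust_threshold: int = 0):
    """Return findings as (kind, tx_hash, lookalike, mimicked) tuples.

    kind is 'poison_poke' for an inbound dust/zero-value transfer from a lookalike
    (the attacker planting the address in the victim's history) or
    'misdirected_send' for an outbound transfer to a lookalike (the loss itself).
    """
    findings = []
    for tx in history:
        for known in address_book:
            if not is_lookalike(tx.counterparty, known):
                continue
            if tx.direction == "in" and tx.value <= dust_threshold:
                findings.append(("poison_poke", tx.tx_hash, tx.counterparty, known))
            elif tx.direction == "out":
                findings.append(("misdirected_send", tx.tx_hash, tx.counterparty, known))
    return findings


def safe_recipient(candidate: str, intended: str) -> bool:
    """Full-string comparison a send flow should run instead of eyeballing the ends."""
    return candidate.lower() == intended.lower()


# Constructed data: one legitimate counterparty and an attacker address that
# shares its first six and last four hex characters.
LEGIT = "0x1a2b3c4d5e6f70819283a4b5c6d7e8f901234567"
POISON = "0x1a2b3c" + "0" * 30 + "4567"
ADDRESS_BOOK = [LEGIT]
HISTORY = [
    Transfer("0xaaa1", LEGIT, "out", 1_000_000),      # real payment to the known address
    Transfer("0xaaa2", POISON, "in", 0),              # zero-value poke planting the lookalike
    Transfer("0xaaa3", POISON, "out", 5_000_000),     # victim copied the wrong entry and paid the attacker
    Transfer("0xaaa4", "0x" + "99" * 20, "in", 42),   # unrelated transfer, not flagged
]

if __name__ == "__main__":
    for finding in find_poisoning(HISTORY, ADDRESS_BOOK):
        print(finding)
    print("send ok:", safe_recipient(POISON, LEGIT))  # same ends, different address
```

The poke detector is only as good as the display window it assumes: attackers generate vanity addresses that match as many leading and trailing characters as the popular wallets show, so compare on at least as many characters as the most generous UI and treat any zero-value inbound transfer from an unknown address as suspect.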

In another incident, $273 million was lost through private-key leaks affecting multi-signature wallets. Multi-signature wallets are more secure in theory because a transaction needs several signatures to be approved. But if the private keys are mishandled, stored in the cloud, shared over insecure channels or leaked by an insider, that protection is effectively nullified, particularly when enough keys to meet the signing threshold are exposed together. The case is a reminder that the security of a technical control ultimately depends on how people operate it.

Although phishing losses fell 83%, this is not the end of the war. Scam Sniffer's conclusion is clear: the ecosystem remains active, and attackers have merely changed tactics. With the next bull market, losses may surge again.

Last edited on 2026-01-04 03:38:54
Unspeakablevip
· 01-04 04:14
New Year Wealth Explosion 🤑