The "MEV protection" that wasn't
August 2025. A trader in New York is concerned about MEV sandwich attacks on a planned $200K USDC → ETH swap. He searches "flashbots protect" and lands on flashbots-protect.io. The site mimics the real Flashbots design and asks him to "connect for protected routing." He connects and signs a "session key" message. The signature delegates signing authority to a relayer address. Two transactions later, his entire wallet — $283K — is gone, signed by the relayer.
What Flashbots actually does
Flashbots Protect is a real service that routes transactions through a private mempool to prevent front-running and sandwich attacks. The real URL is protect.flashbots.net. Setup is configuring an RPC endpoint in MetaMask — no wallet connection, no signature, no delegated authority required. The user simply changes their network RPC, and transactions broadcast through that endpoint go through the protected pool.
How the impersonation works
The fake site teaches the user to grant "session key" authority — a delegation of signing power to a third-party address — by claiming the delegation is necessary for the protection to work. It is not. Session keys are a real Ethereum primitive (EIP-7702-related), but no protective service legitimately requires them. The delegation is the drain mechanism.
The three rules for "MEV protection" services
- Real MEV protection is RPC configuration, not signature delegation. Flashbots, MEV Blocker, Cowswap — all real protections involve changing where your transactions broadcast from, not delegating who can sign on your behalf.
- The real URLs are short and specific. protect.flashbots.net, rpc.mevblocker.io, cow.fi. Hyphenated lookalikes (flashbots-protect.io, mev-blocker.com) are fake.
- Session-key delegations are advanced operations. If you do not understand exactly what authority you are delegating and to which specific address, decline the signature. Wallet UIs typically show session-key requests prominently because the security implications are large.
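As an added example (not from the original article or from Flashbots), here is a small allowlist check in JavaScript that a wallet extension or browser helper could run against a page's URL before showing a connect prompt. The three real hosts come from the rule above; the lookalike URLs and the brand-label heuristic are constructed for this example.

```javascript
// Added example: classify a URL against the real MEV-protection hosts
// named in the article and flag hyphenated or nested lookalikes.
// REAL_HOSTS comes from the article; the heuristic is this example's own.
const REAL_HOSTS = ['protect.flashbots.net', 'rpc.mevblocker.io', 'cow.fi'];

// Registrable "brand" label of a real host, e.g. "flashbots" for
// protect.flashbots.net. Assumes simple one-label public suffixes.
function brandOf(host) {
  const labels = host.split('.');
  return labels[labels.length - 2];
}

// Every token a brand can be smuggled into: whole labels, labels with
// hyphens stripped (mev-blocker -> mevblocker), and hyphen segments.
function hostTokens(host) {
  const tokens = new Set();
  for (const label of host.split('.')) {
    tokens.add(label);
    tokens.add(label.replace(/-/g, ''));
    for (const seg of label.split('-')) tokens.add(seg);
  }
  return tokens;
}

// Returns { verdict, host, brand }. verdict is 'genuine' for an exact
// allowlisted host, 'lookalike' for any other host that reuses a real
// brand label (flashbots-protect.io, protect.flashbots.net.evil.example),
// 'unknown' for unrelated hosts, 'invalid' for unparsable input.
function classifyUrl(urlString, realHosts = REAL_HOSTS) {
  let host;
  try {
    host = new URL(urlString).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return { verdict: 'invalid', host: null, brand: null };
  }
  if (realHosts.includes(host)) {
    return { verdict: 'genuine', host, brand: brandOf(host) };
  }
  const tokens = hostTokens(host);
  for (const real of realHosts) {
    const brand = brandOf(real);
    if (tokens.has(brand)) return { verdict: 'lookalike', host, brand };
  }
  return { verdict: 'unknown', host, brand: null };
}

// Constructed sample: the fake domain from the story versus the real one.
console.log(classifyUrl('https://flashbots-protect.io/connect').verdict); // lookalike
console.log(classifyUrl('https://protect.flashbots.net').verdict);        // genuine
```

Any unlisted host that reuses a real brand label is deliberately flagged for manual verification rather than trusted, since legitimate MEV protection is only ever an RPC endpoint on one of the exact hosts above.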
The recovery
If you delegated session-key authority: revoke the delegation immediately if your wallet supports it; otherwise move all funds out of the wallet — in older flows, an EOA wallet cannot revoke the delegation after the fact. The wallet should be considered permanently compromised regardless. Generate a new one.
The deeper lesson
Sophisticated traders are the highest-value targets. Scams aimed at them use the language of the trading community — MEV, sandwich attacks, session keys, account abstraction. Real protection comes from understanding what each term actually means and being able to verify whether a given action is consistent with what is being claimed.