Classic EIP-7702 phishing exploit. First, your friend's private key gets leaked. The phishing group (possibly more than one) sets up an EIP-7702 exploit mechanism on the wallet address corresponding to your friend's private key. With this mechanism, if you try to transfer out the remaining tokens, like those WLFI tokens thrown into the Lockbox contract, any Gas you send will be 'automatically' drained… The frontrunning approach is feasible: send Gas, cancel or replace the ambushed EIP-7702 with your own, and transfer out the valuable tokens. These three actions can be bundled into one block using flashbots… but SlowMist doesn’t handle frontrunning services. If needed, try reaching out to @0xAA_Science or @BoxMrChen. Note: The private key leak is the root cause here.