Wintermute's recent research has found that the EIP-7702 proposal in the Ethereum Pectra upgrade is being widely used for malicious attacks. The proposal was originally aimed at optimizing user experience, such as supporting batch transactions, social verification, and setting spending limits, but over 80% of EIP-7702 authorizations currently point to multiple contracts that deploy the same 'automated theft' code.
Wintermute has named these malicious contracts 'CrimeEnjoyor', which operate by automatically draining the assets from a wallet once a user's private key is compromised.
Security agencies Scam Sniffer and SlowMist have also confirmed that the scam tool Inferno Drainer has launched attacks utilizing this proposal, with users losing nearly $150,000 due to malicious batch transactions. SlowMist founder Yu Xian urges wallet service providers to quickly support EIP-7702 and clearly display authorized contract information to avoid phishing attacks.
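The check a wallet or monitoring job can run to surface this is sketched below as an added example (not code from Wintermute, Scam Sniffer or SlowMist): it reads account code as returned by `eth_getCode`, extracts the delegate address from the EIP-7702 delegation indicator (`0xef0100` followed by a 20-byte address, per the EIP-7702 specification), and groups delegations by identical delegate bytecode. All addresses and bytecode are constructed placeholders, and SHA-256 is an assumed grouping key, not the EVM code hash.

```python
import hashlib
from collections import Counter

# EIP-7702 delegation indicator: 0xef0100 followed by the 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

# Constructed sample data: three delegate contracts, two with identical bytecode.
A, B, C = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
DELEGATE_CODE = {A: "0x60006000f3", B: "0x60006000f3", C: "0x00"}
ACCOUNT_CODE = {                       # hypothetical account labels -> eth_getCode result
    "acct1": "0xef0100" + A[2:],
    "acct2": "0xef0100" + A[2:],
    "acct3": "0xef0100" + B[2:],
    "acct4": "0xef0100" + B[2:],
    "acct5": "0xef0100" + C[2:],
    "acct6": "0x",                     # plain EOA, no delegation
    "acct7": "0x6080604052",           # ordinary contract, not a delegation
}


def parse_delegation(code_hex):
    """Return the delegate address of a 7702-delegated account, else None."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None


def cluster_by_bytecode(account_code, delegate_code):
    """Count delegated accounts per fingerprint of the delegate's bytecode.

    Copies of one template deployed at different addresses share a fingerprint.
    """
    clusters = Counter()
    for code_hex in account_code.values():
        delegate = parse_delegation(code_hex)
        if delegate is None:
            continue  # plain EOA or ordinary contract
        body = bytes.fromhex(delegate_code.get(delegate, "0x")[2:])
        clusters[hashlib.sha256(body).hexdigest()[:12]] += 1
    return clusters


def dominant_share(clusters):
    """Fraction of delegations that point at the most common bytecode."""
    total = sum(clusters.values())
    return max(clusters.values()) / total if total else 0.0
```

A wallet can show the address returned by `parse_delegation` to the user before signing, and a monitoring job can alert when one bytecode fingerprint accounts for an unusually large share of delegations.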