Malicious Ethereum Contracts Fail to Profit Post-EIP-7702 Upgrade: Wintermute
The recent Ethereum upgrade, Pectra, introduced EIP-7702, a feature allowing standard Ethereum addresses to act as smart contracts. While the change enhances user convenience by enabling features like batched transactions and spending limits, it has also opened the door to potential abuse.
According to crypto market maker Wintermute, a wave of malicious contracts—nicknamed "CrimeEnjoyors"—has emerged to exploit wallets with weak security. These contracts are designed to scan for and drain compromised wallets, but so far, have not proven profitable.
“Our research team found that over 97% of all EIP-7702 delegations used the exact same code—automated sweepers attempting to extract ETH from compromised wallets,” Wintermute said on X.
More than 80% of all EIP-7702 wallet delegations have involved nearly identical contracts, often reused and deployed at scale. These simple, copy-paste contracts seek vulnerable wallets that have granted contract permissions under the new framework.
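A defender-side check illustrating the analysis above, added here as an example and not Wintermute's own tooling: EIP-7702 marks a delegated wallet by setting its account code to the 23-byte designator 0xef0100 followed by the target contract's 20-byte address, so the code returned for each wallet can be decoded and grouped by target to see how concentrated delegations are and whether any point at a watch-listed sweeper. All addresses and account codes below are constructed sample data.

```python
# Added example: decode EIP-7702 delegation designators and measure how
# concentrated a set of wallet delegations is on a few target contracts.
from collections import Counter

# EIP-7702 sets a delegated EOA's code to 0xef0100 || <20-byte target address>.
DELEGATION_PREFIX = "ef0100"


def parse_delegation(code_hex: str):
    """Return the delegated-to contract address if `code_hex` is an EIP-7702
    designator, else None (plain EOA with empty code, or ordinary contract)."""
    code = code_hex.lower().removeprefix("0x")
    if len(code) != 46 or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[6:]


def summarize_delegations(accounts: dict, watchlist: set):
    """`accounts` maps wallet address -> code as returned by eth_getCode.
    Returns (share of delegations pointing at the single most common target,
    sorted wallets delegated to a watch-listed target such as a known sweeper)."""
    targets = {}
    for wallet, code in accounts.items():
        target = parse_delegation(code)
        if target is not None:
            targets[wallet] = target
    if not targets:
        return 0.0, []
    top_target, top_count = Counter(targets.values()).most_common(1)[0]
    flagged = sorted(w for w, t in targets.items() if t in watchlist)
    return top_count / len(targets), flagged


# Constructed sample data (hypothetical addresses, not on-chain values).
SWEEPER = "0x" + "aa" * 20   # stand-in for a sweeper contract on a watchlist
BATCHER = "0x" + "bb" * 20   # stand-in for a legitimate batching contract
SAMPLE_ACCOUNTS = {
    "0x" + "01" * 20: "0xef0100" + "aa" * 20,
    "0x" + "02" * 20: "0xef0100" + "aa" * 20,
    "0x" + "03" * 20: "0xEF0100" + "AA" * 20,   # mixed casing still parses
    "0x" + "04" * 20: "0xef0100" + "bb" * 20,
    "0x" + "05" * 20: "0x",                      # plain EOA, no delegation
    "0x" + "06" * 20: "0x6080604052",            # ordinary contract bytecode
}

if __name__ == "__main__":
    share, flagged = summarize_delegations(SAMPLE_ACCOUNTS, {SWEEPER})
    print(f"top target share: {share:.0%}, wallets on watchlist: {flagged}")
```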
Despite the widespread attempt, attackers have largely failed to benefit. The CrimeEnjoyors reportedly spent about 2.88 ETH to authorize roughly 79,000 wallet addresses, with over 52,000 authorizations tied to a single address: 0x8938...e704.
One of the contracts’ destinations for stolen ETH—0x6f6b...0428—has yet to receive any funds as of Friday, suggesting that many of these attacks may be ineffective or prematurely deployed.
In one known incident, a wallet lost nearly $150,000 via malicious batched transactions stemming from a phishing attack, as reported by Scam Sniffer. Still, such cases appear to be exceptions rather than the rule.
Wintermute concluded that while the EIP-7702 upgrade provides new functionality, it also underscores the importance of strong wallet security practices, particularly around delegation and contract permissions.