ETHEREUM’S NEW FEATURE IS BEING ABUSED TO DRAIN WALLETS?

- Ethereum’s recent “Pectra” upgrade included EIP-7702, a feature meant to improve wallet usability.

- It lets wallets temporarily behave like smart contracts, batch multiple actions, sponsor gas fees, and add spending controls.

- But Wintermute’s analysis shows over 80% of EIP-7702 delegations link to automated “sweeper” contracts that drain wallets with leaked private keys.

- Wintermute calls the main culprit contract “CrimeEnjoyor.” It’s simple, copy-pasted code, now behind the majority of these delegations.

- These bots automatically “sweep” funds from compromised wallets and send the ETH to attackers.

- Wintermute decoded the bytecode to reveal these malicious contracts publicly, aiming to raise awareness.

Is EIP-7702 Optional?

- Wintermute’s research found 97% of all EIP-7702 delegations used near-identical malicious code.

- Per reports, EIP-7702 is optional and not required for basic Ethereum operations. But its ease of delegation makes it ripe for abuse, especially among users with compromised private keys.

- Security experts urge wallet providers to clearly show delegation targets to users, to reduce phishing risks. SlowMist called for vigilance, saying phishing gangs quickly adapted.

- The core problem isn’t EIP-7702 itself. As security expert Taylor Monahan explained, it’s the persistent struggle to secure private keys. The upgrade reportedly makes automated attacks faster and cheaper.

- Since Pectra went live on May 7, over 12,000 EIP-7702 transactions have occurred. Wintermute urges the community to flag compromised contracts and protect users.

- Security firm Scam Sniffer spotted a wallet losing nearly $150,000 in a single batched transaction tied to the Inferno Drainer scam, a known crypto malware service.
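One way a wallet or monitoring tool could surface the delegation target mentioned above (an added example, not code from Wintermute or any wallet vendor): under EIP-7702 a delegated account's code is the 3-byte prefix `0xef0100` followed by the 20-byte delegate address. The example assumes the input is the hex string returned by the `eth_getCode` JSON-RPC call; the function names, the flagged list and all addresses are constructed placeholders.

```python
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator prefix
DESIGNATOR_LEN = 3 + 20                      # prefix + 20-byte delegate address


def _decode(code_hex):
    """Decode a 0x-prefixed hex string (assumed to come from eth_getCode)."""
    s = code_hex.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    return bytes.fromhex(s)  # raises ValueError on malformed input


def delegation_target(code_hex):
    """Return the delegate address if the code is an EIP-7702 designator, else None."""
    code = _decode(code_hex)
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()  # lowercase hex, no checksum casing


def classify(code_hex, flagged):
    """Label an account for display: (status, delegate address or None)."""
    if not _decode(code_hex):
        return ("plain-eoa", None)        # no code, no delegation set
    target = delegation_target(code_hex)
    if target is None:
        return ("other-code", None)       # code present but not a designator
    status = "delegated-flagged" if target in flagged else "delegated"
    return (status, target)


# Constructed sample data: placeholder addresses, not real contracts.
# The flagged set holds lowercase addresses, e.g. from a community blocklist.
FLAGGED = {"0x" + "aa" * 20}
SAMPLES = {
    "undelegated": "0x",
    "delegated": "0xef0100" + "11" * 20,
    "delegated to flagged": "0xEF0100" + "AA" * 20,
    "ordinary contract": "0x6080604052",
    "truncated designator": "0xef0100" + "11" * 19,
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"{name:22} {classify(code, FLAGGED)}")
```
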