Ethereum’s EIP-7702 Feature Abused in Wallet-Draining Attacks

- Attackers exploit Ethereum’s EIP-7702 feature using bots and malicious “sweeper” contracts.
- Over 97% of EIP-7702 delegations link to identical scams copying the “CrimeEnjoyor” contract.
- Wallets with leaked private keys are being drained instantly through automated batch transactions.

Cybercriminals have found a way to exploit Ethereum’s latest upgrade, Pectra, which was rolled out on May 7 with new features aimed at improving wallet usability. According to Wintermute, bots are abusing EIP-7702 to launch wallet-draining attacks. These attacks use automated “sweeper” contracts to steal funds from compromised wallets. Wintermute identified a key malicious contract called “CrimeEnjoyor.”
This contract uses simple, copy-pasted bytecode. Criminals deploy many identical versions of it. When a wallet with leaked keys receives ETH, the contract instantly transfers the funds to an attacker. Over 80% of all EIP-7702 delegations have ties to these sweeper contracts.
The EIP-7702 feature enables wallets to act like smart contracts temporarily. Users can now perform batch transactions, sponsor gas fees, and set spending limits more easily. It was introduced to simplify the Ethereum experience for mainstream users. It supports signing one transaction to complete several actions. This was previously possible only through smart contracts. Now, users can approve tokens, swap assets, and transfer funds in a single step.
Wintermute shared its findings through a Dune dashboard. It revealed that more than 97% of EIP-7702 delegations used nearly identical malicious code. The code enables faster and cheaper automated attacks, making it easier for scammers to act.
Security firm Scam Sniffer found that a hacker tricked one person into losing over $150,000 on a single EIP-7702 transaction. The malware campaign Inferno Drainer was connected to the theft. Experts warn that criminals are quickly taking advantage of EIP-7702 for fraudulent schemes.
The upgrade remains optional and is not required for basic Ethereum use. But its delegation feature, when combined with stolen private keys, creates a serious risk. Security researcher Taylor Monahan said the real issue lies in protecting private keys.
Wintermute is urging the Ethereum community to remain alert and recommends that wallet providers display clearer delegation information to users. The firm has made public the decoded bytecode to help detect these sweeper contracts. Other researchers, including SlowMist, have echoed these warnings.
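As an added example (not code from the article, Wintermute, or any wallet vendor), here is how a wallet front-end could surface the delegation information the paragraph above calls for. EIP-7702 marks a delegated account by setting its code to the designator `0xef0100` followed by the 20-byte delegate address, so the string returned by `eth_getCode` can be decoded and compared against a maintained list of known sweeper contracts. The denylist address and the sample `eth_getCode` responses below are constructed placeholders, not real contracts.

```javascript
// Added example: decode an EIP-7702 delegation designator and flag known sweepers.
// Per EIP-7702, a delegated EOA's account code is exactly 0xef0100 || <20-byte address>.
const DELEGATION_PREFIX = "ef0100";
const DESIGNATOR_HEX_LEN = DELEGATION_PREFIX.length + 40; // prefix + 20-byte address, no "0x"

function decodeDelegation(code) {
  // eth_getCode returns "0x" for a plain EOA with no code and no delegation
  if (typeof code !== "string" || !code.startsWith("0x")) {
    throw new TypeError("expected 0x-prefixed hex string from eth_getCode");
  }
  const hex = code.slice(2).toLowerCase();
  if (hex.length === 0) return { delegated: false, target: null };
  // Anything that is not exactly prefix + address is ordinary contract bytecode
  // (or malformed data), not a 7702 designator
  if (hex.length !== DESIGNATOR_HEX_LEN || !hex.startsWith(DELEGATION_PREFIX)) {
    return { delegated: false, target: null };
  }
  return { delegated: true, target: "0x" + hex.slice(DELEGATION_PREFIX.length) };
}

// Constructed placeholder denylist standing in for the decoded sweeper
// contracts a wallet provider would maintain from published research.
const KNOWN_SWEEPERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Classify an account's code so the UI can show the user what the account
// actually points at before they sign or fund it.
function assessDelegation(code, denylist = KNOWN_SWEEPERS) {
  const d = decodeDelegation(code);
  if (!d.delegated) return { status: "none", target: null };
  const flagged = denylist.has(d.target.toLowerCase());
  return { status: flagged ? "known-sweeper" : "unknown-delegate", target: d.target };
}

// Constructed sample eth_getCode responses for each case the checker handles
const SAMPLES = {
  plainEoa: "0x",
  delegatedToSweeper: "0xef0100" + "1111111111111111111111111111111111111111",
  delegatedElsewhere: "0xef0100" + "2222222222222222222222222222222222222222",
  contract: "0x6080604052", // ordinary bytecode, not a designator
};

for (const [name, code] of Object.entries(SAMPLES)) {
  console.log(name, assessDelegation(code));
}
```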
Ethereum’s goal was to make wallets smarter and safer. However, scammers have exploited EIP-7702 as a tool for rapid-fire attacks. Experts continue to call for stronger user protections and monitoring.