  • Over 80% of EIP-7702 delegations are used by malicious actors to enable automated fund-draining smart contracts.
  • The “CrimeEnjoyor” contract leads most attacks and has been replicated across thousands of wallet-draining incidents.
  • Nearly all EIP-7702 scams use identical code, highlighting widespread misuse of the feature by phishing and scam groups.

Ethereum’s newly introduced EIP-7702 feature has been linked to a rising wave of wallet-draining scams. The feature, added in the Pectra upgrade on May 7, enables regular wallets to operate like smart contracts. Since its release, over 12,000 transactions involving suspicious contracts have been traced, many of which exploit this optional function.

The feature was designed to offer improved usability for Ethereum wallets. It allows functions like gas sponsorship and transaction batching. However, its smart contract-like flexibility has attracted malicious actors. Blockchain security firm Wintermute reports that more than 80% of EIP-7702 delegations are being used to enable automated contracts that sweep funds from wallets once their private keys are compromised.

A Single Malicious Contract Leads the Majority of Attacks

A contract named “CrimeEnjoyor” has emerged as a central component in these attacks. Wintermute revealed that this contract is simple, effective, and widely copied. Its code allows attackers to quickly move assets from wallets using the EIP-7702 delegation. The firm has publicly decoded the bytecode to help developers and users spot harmful activity.

Security researchers say phishing kits like “Inferno Drainer” are being used alongside EIP-7702 to carry out large thefts. In one confirmed case, a user lost nearly $150,000 in a single batched transaction. Scam Sniffer, a watchdog group, linked the theft to phishing-driven key exposure, which was then exploited using the EIP-7702 feature.

Almost All EIP-7702 Delegations Share Similar Code

According to Wintermute, 97 percent of EIP-7702-enabled contracts analyzed so far use nearly identical code. This shows the extent to which attackers have standardized the method of exploitation. The simplicity of these contracts allows even low-skill scammers to replicate the process with minimal effort.

Experts emphasize that private key exposure remains the core vulnerability. While EIP-7702 is not flawed in itself, it accelerates fund transfers once a wallet is compromised. Ethereum wallet providers are being urged to make delegation targets more visible so users can better understand what permissions they grant.
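One way a wallet or monitoring tool could surface delegation targets, as an added example that is not from the article or from Wintermute. It relies on the EIP-7702 delegation indicator (account code equal to `0xef0100` followed by the 20-byte delegate address); the denylist, the function names and the sample addresses are assumptions constructed for illustration.

```python
# Added example: make EIP-7702 delegation targets visible before and after signing.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator prefix
ZERO_ADDRESS = "0x" + "00" * 20              # delegating to this clears a delegation


def delegation_target(code_hex):
    """Return the delegate address if eth_getCode output is a delegation indicator."""
    raw = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None  # empty code (plain EOA) or an ordinary contract


def review_authorization(auth, denylist):
    """Return warnings a wallet could show before signing one authorization.

    `auth` uses JSON-RPC style keys "chainId" (hex string) and "address".
    `denylist` is a set of lowercase addresses; where it comes from is assumed.
    """
    target = auth["address"].lower()
    if target == ZERO_ADDRESS:
        return ["clears the existing delegation"]
    warnings = []
    if target in denylist:
        warnings.append("delegate is on the denylist: refuse to sign")
    if int(auth["chainId"], 16) == 0:
        warnings.append("chainId 0: authorization is valid on every chain")
    return warnings


# Constructed sample data (placeholder addresses, not real contracts).
KNOWN_BAD = "0x" + "11" * 20
SAMPLE_CODE = "0xef0100" + "11" * 20
SAMPLE_AUTH = {"chainId": "0x0", "address": KNOWN_BAD, "nonce": "0x0"}

if __name__ == "__main__":
    print("current delegate:", delegation_target(SAMPLE_CODE))
    for warning in review_authorization(SAMPLE_AUTH, {KNOWN_BAD}):
        print("warning:", warning)
```
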

Blockchain firms, including Wintermute and SlowMist, have called for collective action. They are encouraging the Ethereum community to report malicious contracts and improve awareness around EIP-7702 mechanics. Increased transparency and stronger wallet safeguards are now seen as necessary to reduce risk.

© 2025 Cryptofrontnews. All rights reserved.