Ethereum’s Pectra Update Feature EIP-7702 Becomes a Tool for Wallet Drainers

Scammers are exploiting Ethereum’s new EIP-7702 feature to drain funds from wallets with compromised private keys. The upgrade, introduced on May 7 as part of Ethereum’s Pectra update, has over 12,000 transactions involving suspicious contracts.

EIP-7702 was developed to improve Ethereum wallet usability. It allows standard wallets to temporarily function like smart contracts, enabling features such as gas sponsorship, spending limits, and transaction batching. While the EIP-7702 feature is optional for users to activate, it has seen rapid adoption, unfortunately, by malicious actors.

Wintermute, a blockchain security firm, that more than 80% of EIP-7702 delegations are being used to enable “sweeper” contracts. These automated contracts target wallets with leaked private keys and move funds instantly to the attacker’s wallet.

According to Wintermute’s research, a single contract, nicknamed “CrimeEnjoyor”, is responsible for the majority of wallet-draining activity. The contract’s code is simple and widely copied, making it easy for scammers to replicate.

Wintermute publicly decoded the contract’s bytecode to help wallet developers and users identify suspicious delegations. They aim to raise awareness and prompt faster community response in flagging malicious activity.

In one incident highlighted by the security firm Scam Sniffer, a user lost nearly $150,000 in a single batched transaction. The theft was linked to the “Inferno Drainer” scam—a well-known toolkit used by phishing groups.

Wintermute says 97% of all EIP-7702 delegations so far use nearly identical code, indicating widespread misuse of the feature.

While EIP-7702’s design is not inherently flawed, experts agree that it enables faster, cheaper automated attacks once a wallet’s private key is compromised. Taylor Monahan, a well-known crypto security advocate, stressed that the core issue is ongoing private key leakage across the ecosystem.

Security researchers are urging wallet providers to clearly display delegation targets to users. Without this transparency, users may unknowingly authorize malicious contracts.

Blockchain security firm SlowMist warned that phishing gangs have already adapted to exploit EIP-7702. As a result, wallet providers and users must remain vigilant.

Wintermute has called on the Ethereum community to report known malicious contracts and increase visibility into delegation mechanics. Their findings suggest that stronger safeguards and more transparent wallet interfaces are now critical to user safety.