Wintermute Flags Surge in EIP-7702 Wallet Exploit After Ethereum Pectra Upgrade

Highlights:

• Ethereum users are facing wallet draining attacks after the Pectra upgrade added the EIP-7702 feature.
• Wintermute warns about the wallet exploit and injects messages into risky smart contracts.
• Security teams have urged better tools to detect threats as wallet-draining scams spread.

Scammers are targeting Ethereum users after the network’s Pectra upgrade added EIP-7702. Through this feature, wallet owners can give control to smart contracts for some transactions. Although users can choose whether to use it, it has already attracted both users and attackers quickly.

Wintermute, a crypto market-making firm, reports that attackers are now using EIP-7702 to take ETH from wallets with exposed private keys. A kind of malicious contract, nicknamed a “sweeper,” captures any ETH users deposit to a compromised address and sends it to the attacker. Since the Pectra upgrade went live on May 7, users have initiated more than 12,000 EIP-7702 transactions, many of which show similar suspicious patterns.

While EIP-7702 brings new convenience, it also introduces new risks

Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. These are sweepers, used to automatically drain incoming ETH from compromised… pic.twitter.com/xHp7zr4hC9

— Wintermute (@wintermute_t) May 30, 2025

Wintermute reported that more than 97% of these EIP-7702 delegations use nearly identical code. This strongly suggests that attackers created most of these contracts for the same malicious purpose. Although the feature aims to offer flexible wallet functions, attackers are copying and reusing a single bytecode structure to drain funds from vulnerable addresses.

Wintermute Responds to EIP-7702 Wallet Exploit with Contract Warning Injection

To combat the EIP-7702 wallet exploit, Wintermute developed a tool called “CrimeEnjoyor.” Using this tool, Wintermute now marks on-chain verified malicious Ethereum contracts with visible warnings. When users access these contracts, they now find a clear notice saying that the contract is used to move ETH out of wallets and that they should not send any ETH.

The developers managed this by turning Ethereum Virtual Machine (EVM) bytecode into Solidity code that people can read. Developers made the code public to make sure the warning messages appeared in them. With this reminder, Wintermute aims to make it less likely for unsuspecting users to fall for malicious contracts.

Wintermute reported that a large number of EIP-7702 delegations are now tied to a single bytecode copy. The system helps users fully understand contracts and reduces the risks that automatic sweepers exploit. They believe that by tagging such contracts, any suspicious activity can be spotted more easily.

Even though EIP-7702 is a good feature, the lack of built-in confirmation has made it tough for users to identify safe contracts. If private keys become exposed, the contracts are capable of removing the newly deposited ETH from the wallet without further commands.

Security Firms Highlight Risk as Wallet Drainers Spread Across Ethereum

Security researchers have documented losses linked to the EIP-7702 feature. One Ethereum user lost over $146,000 after signing multiple malicious batched transactions on May 23. The incident was linked to a scam known as Inferno Drainer, which is often used in phishing campaigns.

After analysis, we found that the phishing case is a new phishing trick, carried out by the well-known phishing group #InfernoDrainer.

Unlike typical phishing, the delegated address is not a phishing address, but MetaMask: EIP-7702 Delegator… https://t.co/OpJg73XwzT pic.twitter.com/3dJOeltgMT

— SlowMist (@SlowMist_Team) May 27, 2025

Firms like Scam Sniffer and SlowMist have pointed out that attackers are quickly able to use EIP-7702 to their advantage. They want the Ethereum community to do more to explain how contract delegation works. Moreover, they want the community to add better warnings for users. Wintermute urged users and builders to bring attention to any suspicious contracts they encounter.

Apart from EIP-7702, the Pectra upgrade brought other changes as well. EIP-725 increased the amount of ETH validators can stake from 32 to 2,048. In addition, EIP 7691 aims to help the layer-2 networks on Ethereum by increasing data blob limits and lowering transaction fees.