Wintermute’s “CrimeEnjoyor” Exposes Alarming Exploits of Ethereum’s EIP-7702

Ethereum’s latest upgrade, Pectra, was meant to bring greater functionality to the network, especially through features like EIP 7702. But just weeks after going live, it’s already being exploited at scale. 

In response, crypto market maker Wintermute has launched a new tool called “CrimeEnjoyor”, aimed at alerting users to malicious wallet-draining contracts.

However, new findings suggest the threat is far from contained, as sophisticated attackers continue to abuse EIP 7702 with precision, putting Ethereum’s security architecture under pressure.

Wintermute’s “CrimeEnjoyor” Injects On-Chain Warnings into Malicious Contracts

Wintermute has stepped forward with a creative defence mechanism against a growing wave of Ethereum scams. 

Their new tool, called “CrimeEnjoyor,” is designed to inject warning messages directly into verified malicious smart contracts that exploit Ethereum’s EIP 7702. 

This Ethereum Improvement Proposal, introduced in the Pectra upgrade, allows users to delegate control of their wallets to smart contracts temporarily. While this was designed as a flexible upgrade, it has opened the door for bad actors.

“CrimeEnjoyor” works by reverse-engineering malicious contracts, translating Ethereum Virtual Machine bytecode back into human-readable Solidity code. 

Once verified, these contracts are modified with embedded warnings that state the contract is used by bad actors to automatically sweep all incoming ETH and tell users not to send any ETH. 

This warning becomes visible to those interacting with the contract, especially through blockchain explorers.

Wintermute reported that more than 97% of EIP 7702 delegations currently in use are associated with these sweeper contracts, smart contracts designed to automatically drain ETH from compromised wallets. 

The most disturbing part is that the vast majority of these contracts share nearly identical code, copy-pasted across hundreds of instances, suggesting coordinated large-scale exploitation.
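As an added example (not Wintermute's code and not part of the original article), here is a defender-side check that recognises an EIP-7702 delegation from an account's code, which the standard sets to 0xef0100 followed by the delegate's address, and then groups delegated accounts by identical delegate bytecode, the copy-paste pattern described above. All accounts, addresses and bytecode in the sample are constructed, and SHA-256 stands in for keccak256 purely as a grouping key.

```python
import hashlib
from collections import defaultdict

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator

def parse_delegation(code_hex):
    """Return the delegate address if the code is an EIP-7702 designator, else None."""
    raw = bytes.fromhex(code_hex.removeprefix("0x"))
    # A delegated EOA's code is exactly 0xef0100 followed by a 20-byte address.
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None

def cluster_delegates(account_code, delegate_code):
    """Group delegated accounts by a fingerprint of their delegate's bytecode."""
    clusters = defaultdict(list)
    for account, code_hex in account_code.items():
        delegate = parse_delegation(code_hex)
        if delegate is None:
            continue  # plain EOA or ordinary contract, not a delegation
        runtime = bytes.fromhex(delegate_code.get(delegate, "0x").removeprefix("0x"))
        # Assumption: SHA-256 as grouping key (the stdlib has no keccak256).
        fingerprint = hashlib.sha256(runtime).hexdigest()[:16]
        clusters[fingerprint].append((account, delegate))
    return dict(clusters)

def flag_reused(clusters, min_delegates=2):
    """Keep fingerprints whose identical bytecode sits at several delegate addresses."""
    return {fp: members for fp, members in clusters.items()
            if len({d for _, d in members}) >= min_delegates}

# Constructed sample data, shaped like eth_getCode results (not real addresses).
SAMPLE_ACCOUNT_CODE = {
    "0x" + "a1" * 20: "0xef0100" + "d1" * 20,   # delegated to d1
    "0x" + "a2" * 20: "0xef0100" + "d2" * 20,   # delegated to d2
    "0x" + "a3" * 20: "0xef0100" + "d3" * 20,   # delegated to d3
    "0x" + "a4" * 20: "0x",                     # plain EOA, no code
    "0x" + "a5" * 20: "0x6080604052",           # ordinary contract
}
SAMPLE_DELEGATE_CODE = {
    "0x" + "d1" * 20: "0x600160015500",         # same bytes as d2
    "0x" + "d2" * 20: "0x600160015500",
    "0x" + "d3" * 20: "0x60026002550000",       # different bytes
}

if __name__ == "__main__":
    reused = flag_reused(cluster_delegates(SAMPLE_ACCOUNT_CODE, SAMPLE_DELEGATE_CODE))
    for fp, members in reused.items():
        print(fp, [account for account, _ in members])
```
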

While this public tagging approach won’t prevent all attacks, it brings much-needed visibility to these schemes. 

By making the malicious intent of these contracts obvious on chain, CrimeEnjoyor adds friction to an otherwise silent threat vector. However, as Wintermute admits, the battle is far from over. 

Attackers are still outpacing users’ awareness, particularly as contract delegation continues to be misused.

EIP 7702 Exploits Continue as Sophisticated Theft Gangs Drain ETH

Despite Wintermute’s intervention, new revelations show that the threat of EIP 7702 exploitation remains widespread. According to SlowMist security researcher Yu Xian, organised coin theft groups are now systematically abusing this upgrade to execute unauthorised transfers. 

Over 97% of EIP 7702 delegations currently on-chain are involved in wallet-draining activities. These are not typical phishing scams. Instead, these are coordinated operations involving compromised private keys, auto-executing contracts, and sweeping mechanisms.

One recent victim lost $146,550 after unknowingly signing EIP 7702 transactions linked to such contracts. This case highlights how subtle these attacks can be. 

The malicious code does not demand funds explicitly. It simply waits for ETH to arrive, then drains it instantly. Once the user delegates wallet access, even temporarily, the result is instant loss.

This trend is deeply concerning. EIP 7702 was intended to increase flexibility, especially for wallets acting as smart accounts. But without strong verification systems or clear user interface safeguards, most users have no way of distinguishing safe contracts from malicious ones. 

With more contracts reusing the same bytecode, it is becoming harder for casual users to tell legitimate tools from hidden threats.

Security firms and analysts are now sounding the alarm. Coincu has warned that regulatory scrutiny could follow if major losses continue. 

Given that the ETH price has surged over 36% in the last 30 days and is trading around $2,495 at the time of writing, the stakes are higher than ever. The risks now extend beyond technical flaws. They are becoming systemic threats. 

The Ethereum ecosystem, for all its decentralised promise, may need to consider solutions such as curated allowlists, stronger contract verification, or native warnings at the interface level.

Conclusion

Wintermute’s “CrimeEnjoyor” is a clever and necessary response to an urgent threat, but it only scratches the surface of a deeper issue. EIP 7702, though promising in design, is rapidly becoming a liability due to widespread misuse by coordinated theft groups. 

Without structural fixes and better user protections, the Ethereum community risks turning innovation into a vector for exploitation. 

Until more robust defences are in place, the best users can do is remain vigilant and take warnings seriously when they appear.