Tuesday, June 3, 2025

Ethereum’s Pectra Upgrade is Fueling Cyber-criminal Exploits


Ethereum’s latest upgrade, Pectra, and its core feature, EIP-7702, have unintentionally created new avenues for cybercriminals to exploit users’ wallets. Blockchain security analysts have flagged a concerning pattern of misuse by organized theft groups.

EIP-7702 lets externally owned accounts (EOAs) use smart contract wallet features such as batching transactions, capping spending, using passkeys and restoring wallets. These updates aim to help users, but criminals have quickly found ways to exploit them at scale.

Criminal Gangs Leverage EIP-7702 to Drain ETH from Wallets

Cybercriminals are taking advantage of the Pectra upgrade’s EIP-7702 by setting up contracts that automatically move ETH out of compromised wallets. Instead of transferring the funds by hand, attackers delegate the compromised wallets to contracts that sweep the ETH for them.

Wintermute pointed out that 97% of examined EIP-7702 delegations were linked to contracts used in malicious ways. These sweepers forward any ETH that enters the compromised wallets directly to attacker-controlled addresses.

“Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. These are sweepers, used to automatically drain incoming ETH from compromised addresses,” Wintermute posted.

Additionally, Koffi, a senior data analyst at Base Network, noted that over a million wallets interacted with suspicious contracts over the weekend. He explained that while EIP-7702 wasn’t used to hack the wallets themselves, it allowed criminals to streamline the draining of wallets already compromised through exposed private keys or mnemonic phrases.
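A defender can look for the pattern Wintermute describes by checking which wallets carry a delegation and whether their delegates share identical code. The sketch below is an added example, not code from Wintermute or any project named in the article; it relies on the EIP-7702 delegation designator format (`0xef0100` followed by the 20-byte delegate address), and the function names, addresses and bytecode are constructed stand-ins for `eth_getCode` responses.

```python
import hashlib
from collections import defaultdict

# EIP-7702 writes this 3-byte prefix plus the 20-byte delegate address
# into a delegated EOA's code slot (23 bytes total).
PREFIX = bytes.fromhex("ef0100")

def parse_delegation(code_hex):
    """Return the delegate address if code_hex is a delegation designator, else None."""
    raw = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(raw) == 23 and raw.startswith(PREFIX):
        return "0x" + raw[3:].hex()
    return None

def fingerprint(code_hex):
    """Local grouping key for bytecode (SHA-256, not the on-chain keccak code hash)."""
    return hashlib.sha256(bytes.fromhex(code_hex.removeprefix("0x"))).hexdigest()

def audit(wallet_code, delegate_code, min_wallets=2):
    """Map each delegated wallet to its delegate, then group wallets whose
    delegates carry byte-identical code. Returns (delegations, clusters)."""
    delegations = {}
    by_code = defaultdict(list)
    for wallet, code in wallet_code.items():
        target = parse_delegation(code)
        if target is None:
            continue  # plain EOA (empty code) or an ordinary contract
        delegations[wallet] = target
        if target in delegate_code:
            by_code[fingerprint(delegate_code[target])].append(wallet)
    clusters = [sorted(w) for w in by_code.values() if len(w) >= min_wallets]
    return delegations, clusters

# Constructed sample data standing in for eth_getCode responses.
A, B, C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
WALLET_CODE = {
    "0x" + "11" * 20: "0xef0100" + "aa" * 20,  # delegated to A
    "0x" + "22" * 20: "0xef0100" + "bb" * 20,  # delegated to B
    "0x" + "33" * 20: "0x",                    # plain EOA, no delegation
    "0x" + "44" * 20: "0x6080604052",          # ordinary contract code
    "0x" + "55" * 20: "0xef0100" + "cc" * 20,  # delegated to C
}
DELEGATE_CODE = {A: "0x600160025500", B: "0x600160025500", C: "0x6003600455"}

if __name__ == "__main__":
    delegations, clusters = audit(WALLET_CODE, DELEGATE_CODE)
    for wallet, target in delegations.items():
        print(wallet, "->", target)
    print("wallets sharing identical delegate code:", clusters)
```

A wallet that shows a delegation its owner did not set is a sign the key is already exposed, which matches the article's point that EIP-7702 streamlines draining rather than causing the compromise.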

Ethereum Faces Influx of Automated Attacks After Pectra Upgrade

The Pectra upgrade’s ability to automate wallet functions has become an attractive tool for cybercriminal organizations. Yu Xian, founder of SlowMist, emphasized that organized theft groups – not typical phishing operators – are the main players behind this trend.

“The most popular users of the new mechanism EIP-7702 are actually coin stealing gangs (not phishing gangs), which facilitate the automatic transfer of relevant funds from the wallet address of the leaked private key/mnemonic phrase,” Xian stated.

Automation through EIP-7702 has helped cybercriminals pull funds from many wallets without performing each transfer manually. Certain contracts automatically transfer ETH out whenever any funds come into the wallet.

Wintermute also discovered that a major portion—more than 55%—of the 190,000 contracts studied were tied to illegal activity. Almost 52,000 crypto transactions were given the signal from a single address; still, no proven profits were made with these attacks. 

Warnings from the Crypto Community

Rahul Rumalla, CPO at Safe, claims that EIP-7702 was never intended as the one solution that would fix every problem. Even with these extra usability features, the crypto space needs to watch for any misuse of the new tools.

According to a Wintermute researcher, attacks were successfully authorized on over 79,000 addresses. This cost the attackers a total of 2.88 ETH. Even though the overall sum is huge, no ETH has gone to any of the target addresses. This further implies that while the tools are being prepared, thieves have yet to take massive profits.

This event highlights the importance of safeguarding private keys and being watchful with new Ethereum network functionality. As the crypto world changes, new attacks are discovered with each new invention. Users need to keep monitoring security issues and guard their assets against new threats.
