Ethereum’s EIP-7702 Upgrade Exploited by “CrimeEnjoyor” Wallet-Sweeping Scam
Over 80% of Ethereum’s new EIP-7702 delegations are being hijacked by cloned “CrimeEnjoyor” contracts that sweep compromised wallets, according to an analysis by research firm Wintermute.
The feature, part of Ethereum’s Pectra upgrade, was meant to improve UX by letting wallets act like smart contracts, but is now widely abused by wallet-draining scripts.
Security firms like Scam Sniffer and SlowMist have warned users and wallet providers to implement immediate safeguards, after reports of users losing up to US$150,000 in a single attack.

Ethereum’s newest account abstraction feature is being weaponised at scale. According to a new analysis by crypto trading firm Wintermute, the vast majority of delegations under Ethereum’s freshly implemented EIP-7702 standard are being exploited by attackers using automated wallet-draining contracts.

The update, rolled out as part of the Pectra hard fork and proposed by Ethereum co-founder Vitalik Buterin, allows wallets to temporarily act like smart contracts, and therefore streamline user experience, mostly by enabling features like batched transactions, gas sponsorship, spending limits, and authentication methods, all within a single delegation. 

Related: Trump’s CFTC Nominee Unveils $3.4M in Crypto Assets and Industry Ties

But malicious actors have seized on the flexibility. According to Wintermute’s analysis, more than 80% of EIP-7702 delegations now point to duplicated contracts designed to sweep vulnerable wallets. The firm dubbed the dominant exploit pattern “CrimeEnjoyor”, a contract whose simplicity and efficiency have made it the go-to payload for attackers. 

The CrimeEnjoyor contract is short, simple, and widely reused. This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time.

Wintermute.

Risk of Losing All Funds

Moreover, blockchain security firm Scam Sniffer flagged a wallet that lost nearly US$150K (AU$232K) in a malicious bundled transaction linked to Inferno Drainer, a persistent scam-as-a-service targeting EVM-compatible chains.

ALERT: An address upgraded to EIP-7702 lost $146,551 through malicious batched transactions in phishing attack. pic.twitter.com/7GbamqOZVI

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) May 24, 2025

The firm recommends users double-check all signature requests and never rush into signing transactions.

Similarly, SlowMist urged wallet providers to integrate EIP-7702 safeguards immediately:

Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks.

SlowMist.

Related: Real-World Asset NFTs Could Rescue Collapsing NFT Lending, DappRadar Says

The post Ethereum’s EIP-7702 Upgrade Exploited by “CrimeEnjoyor” Wallet-Sweeping Scam appeared first on Crypto News Australia.

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: Bitcoin - @ June 2, 2025 2:24 am