Ethereum’s EIP-7702 Feature Exploited by Crypto Theft Gangs After Pectra Upgrade

Ethereum’s latest technical advancement, EIP-7702, was designed to make wallets smarter and more secure—but cybercriminals are now turning that same feature into a tool for automated theft. Following Ethereum’s Pectra upgrade, the newly introduced smart wallet functionality is being rapidly adopted by wallet providers—and, alarmingly, by organized crypto theft groups.
Smart Wallet Innovation Now Weaponized
EIP-7702 enables regular Ethereum wallets—known as externally owned accounts (EOAs)—to act temporarily like smart contract wallets. This allows for advanced features such as transaction batching, spending limits, wallet recovery, and passkey integration, all while keeping the user’s wallet address unchanged.
However, instead of enhancing user safety, malicious actors are exploiting this flexibility to drain compromised wallets faster and more efficiently. According to analysts at crypto trading firm Wintermute, 97% of EIP-7702 wallet delegations observed so far have been used to deploy contracts designed specifically for fund extraction.
Automated Theft at Scale
Rather than manually moving funds from one compromised wallet at a time, attackers are using delegated contracts to automatically transfer any incoming ETH to their own addresses. These contracts—often cloned from a single codebase—essentially act as digital sweepers, grabbing funds the moment they appear.

Wintermute’s analysis found that out of roughly 190,000 delegated contracts reviewed, over 105,000 were tied to suspicious or outright malicious activity. This mass-scale automation streamlines theft for attackers who already possess exposed wallet keys, making it easier than ever to empty hundreds of wallets with a single command.
Criminal Networks, Not Lone Actors
Kofi, a senior analyst at Base Network, revealed that over a million wallets interacted with these suspicious contracts over just one weekend. He clarified that the exploit doesn’t involve hacking the wallets—rather, it exploits EIP-7702’s features to automate theft once a wallet has already been compromised.
Last weekend, more than a million wallets authorized a group of unknown contracts using EIP-7702.
The Wintermute team discovered that a hacker was behind this activity. The contracts that were authorized are designed to drain funds from wallets with leaked private keys. https://t.co/jBh1hJZHBQ
— Kofi (@0xKofi) May 30, 2025
One of the more troubling developments is the inclusion of a “receive” function in malicious contracts, which instantly forwards any ETH received to an attacker’s address—no manual trigger needed.
Yu Xian, founder of blockchain security firm SlowMist, emphasized that these are not simple phishing schemes but organized theft operations. “The new mechanism EIP-7702 is used most by coin stealing groups—not phishing groups—to automatically transfer funds from wallet addresses with leaked private keys or mnemonics,” he said.
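A wallet operator can check for the delegations described above by reading each account's code. The following is an added example, not code from the article or from the analysts it quotes: it parses `eth_getCode` results for the EIP-7702 delegation designator (a format taken from the EIP-7702 specification, not from this article) and flags wallets that point at an unvetted delegate shared by several accounts. The allowlist, threshold, wallet names and code values are constructed assumptions.

```python
from collections import Counter

# Per the EIP-7702 spec, a delegated EOA's code is 0xef0100 followed by the
# 20-byte delegate address (23 bytes total). This is what eth_getCode returns.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def delegate_of(code_hex):
    """Return the delegate address for a delegation designator, else None."""
    code = bytes.fromhex(code_hex.lower().removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def triage(codes, allowlist, fanout_threshold=3):
    """Classify each wallet from its eth_getCode result.

    allowlist holds delegate contracts the operator has vetted; fanout_threshold
    (an assumed tuning value) marks unvetted delegates shared by many wallets.
    """
    allowed = {a.lower() for a in allowlist}
    delegates = {w: delegate_of(c) for w, c in codes.items()}
    fanout = Counter(d for d in delegates.values() if d)
    report = {}
    for wallet, d in delegates.items():
        if d is None:
            empty = codes[wallet].lower() in ("", "0x")
            report[wallet] = "plain-eoa" if empty else "contract"
        elif d in allowed:
            report[wallet] = "delegated-vetted"
        elif fanout[d] >= fanout_threshold:
            report[wallet] = "delegated-unvetted-shared"
        else:
            report[wallet] = "delegated-unvetted"
    return report

# Constructed sample data: none of these addresses or code values are real.
VETTED = ["0x" + "aa" * 20]
SAMPLE_CODES = {
    "wallet-1": "0x",
    "wallet-2": "0xef0100" + "aa" * 20,
    "wallet-3": "0xEF0100" + "bb" * 20,
    "wallet-4": "0xef0100" + "bb" * 20,
    "wallet-5": "0xef0100" + "bb" * 20,
    "wallet-6": "0xef0100" + "cc" * 20,
    "wallet-7": "0x6080604052",
}

if __name__ == "__main__":
    for wallet, status in triage(SAMPLE_CODES, VETTED).items():
        print(wallet, status)
```

A "delegated-unvetted" result on a wallet whose owner did not knowingly sign a delegation is a sign the key is already exposed, which matches the article's point that the delegation follows the compromise rather than causing it.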
So Far, No Confirmed Payouts
Despite the scale of the operation, it’s unclear if attackers have profited significantly—yet. A Wintermute researcher noted that one address authorized over 52,000 wallets but had not received any ETH. In total, attackers have spent around 2.88 ETH setting up more than 79,000 addresses—raising questions about the efficiency or ultimate goal of the operation.
