Ethereum recently introduced the EIP-7702 update, which allows standard Ethereum wallets to operate similarly to smart contract wallets. The new capability makes transactions easier by enabling batch transactions and account recovery methods.
However, security experts have noted that attackers exploit this functionality to automate theft from wallets compromised through stolen private keys, dramatically increasing security threats to Ethereum users.
How Criminals Exploit the Ethereum Update
The abuse became apparent when attackers used the EIP-7702 feature to rapidly drain Ethereum from compromised wallets. Before this update, moving stolen funds was a manual, transaction-by-transaction process that took significant time and effort. With the new functionality, criminals simply delegate the compromised wallet to an automated smart contract that immediately forwards all incoming Ethereum to their own addresses.
Rahul Rumalla, Chief Product Officer at Safe, explained the situation clearly, saying:
“Although the intent behind EIP-7702 is positive, its misuse highlights the need for enhanced security measures.”
The convenience originally designed for users is ironically enabling faster and more systematic theft. Taylor Monahan, an established blockchain security expert, emphasized:
“It’s not really a problem related to 7702. It’s the same problem crypto has faced since its beginnings: end investors struggle to secure their private keys.”
97% of EIP-7702 Delegations Misused
Wintermute’s recent research shows the alarming extent of EIP-7702 misuse. Around 97% of wallet delegations analyzed – over 190,000 contracts – were associated with malicious purposes. Specifically, more than 105,000 contracts directly facilitate unauthorized transfers, a significant portion of all deployed delegations.
Highlighting this problem further, senior analyst Koffi from Base Network disclosed that over one million wallets interacted with suspicious contracts. However, clarifying confusion around the mechanism, Koffi stressed these wallets were compromised by the traditional theft of private keys, not directly via EIP-7702. He explicitly stated:
“These wallets were not hacked using 7702. The hacker obtained the private keys without doing anything related to 7702. Since they have the keys, they could transfer money out of these wallets by making regular transactions from each one.”
Criminal Operations and Automated Theft Tactics
Cybersecurity firm SlowMist’s founder, Yu Xian, highlighted the scale and method of the attacks, noting that organized groups behind these operations aren’t ordinary phishing scammers.
“The new mechanism EIP-7702 is primarily leveraged by coin-stealing entities, facilitating rapid transfers from wallets with compromised private keys or mnemonics.”
SlowMist also warned that users who unknowingly delegate their accounts to malicious contracts via EIP-7702 face a higher risk from phishing attacks. Criminals deploy copy-pasted automated scripts called “CrimeEnjoyor”, built specifically to target wallets with exposed private keys and to drain Ethereum as soon as incoming funds are detected.
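The mechanism described above and in the earlier section comes down to one on-chain fact a defender can inspect: under EIP-7702, a delegated wallet's account code is a 23-byte designator, 0xef0100 followed by the 20-byte address of the delegate contract, whereas an undelegated (or revoked) wallet has empty code. The following is an added example, not code from the article or from any of the firms it quotes; it parses the code string that `eth_getCode` returns for an address, classifies it, and flags delegations that point at a blocklisted contract or at a contract shared by many wallets in the same snapshot. The sample snapshot, the placeholder sweeper and delegate addresses, the blocklist and the fan-in threshold are all constructed for the example.

```python
"""Check Ethereum accounts for EIP-7702 delegations and flag risky ones.

Added example, not code from the article or the firms it quotes. Input is the
account code as `eth_getCode` returns it (a hex string). Under EIP-7702 that is
either empty (no delegation), ordinary contract bytecode, or the 23-byte
delegation designator 0xef0100 || <20-byte delegate address>.
"""
from collections import Counter

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_LEN = 23  # 3-byte prefix + 20-byte delegate address

# Heuristic assumed for this example: the article describes thousands of
# wallets pointing at the same sweeper contract, so a delegate shared by many
# wallets in one snapshot deserves a closer look. Tune for real data.
MASS_DELEGATION_THRESHOLD = 3


def _to_bytes(code_hex):
    """Strip an optional 0x prefix and decode hex (case-insensitive)."""
    body = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    return bytes.fromhex(body)


def classify_code(code_hex):
    """Classify an account's code.

    Returns ("empty", None) for an EOA with no delegation (also what a revoked
    delegation looks like, since delegating to the zero address clears the
    code), ("delegation", delegate_address) for an EIP-7702 designator, and
    ("contract", None) for ordinary contract bytecode.
    """
    code = _to_bytes(code_hex)
    if not code:
        return ("empty", None)
    if len(code) == DELEGATION_LEN and code.startswith(DELEGATION_PREFIX):
        return ("delegation", "0x" + code[3:].hex())
    return ("contract", None)


def audit_delegations(snapshot, blocklist):
    """Walk a {wallet: code_hex} snapshot and report delegated wallets.

    Returns {wallet: {"delegate": addr, "reasons": [...]}} for every wallet
    carrying a delegation; `reasons` is empty when nothing suspicious was seen.
    """
    delegated = {}
    for wallet, code_hex in snapshot.items():
        kind, delegate = classify_code(code_hex)
        if kind == "delegation":
            delegated[wallet] = delegate
    fan_in = Counter(delegated.values())  # how many wallets share each delegate
    blocked = {addr.lower() for addr in blocklist}
    report = {}
    for wallet, delegate in delegated.items():
        reasons = []
        if delegate in blocked:
            reasons.append("delegate on blocklist")
        if fan_in[delegate] >= MASS_DELEGATION_THRESHOLD:
            reasons.append(f"delegate shared by {fan_in[delegate]} wallets")
        report[wallet] = {"delegate": delegate, "reasons": reasons}
    return report


# Constructed sample: placeholder addresses, not real on-chain contracts.
SWEEPER = "0x" + "ab" * 20         # stands in for a known sweeper contract
SAFE_DELEGATE = "0x" + "cd" * 20   # stands in for a legitimate delegate
SAMPLE_SNAPSHOT = {
    "0x" + "01" * 20: "0x",                              # plain EOA, no delegation
    "0x" + "02" * 20: "0xef0100" + SWEEPER[2:],          # delegated to the sweeper
    "0x" + "03" * 20: "0xEF0100" + SWEEPER[2:].upper(),  # same, mixed-case hex
    "0x" + "04" * 20: "0xef0100" + SWEEPER[2:],          # same
    "0x" + "05" * 20: "0xef0100" + SAFE_DELEGATE[2:],    # benign delegation
    "0x" + "06" * 20: "0x6080604052",                    # ordinary contract code
}
SAMPLE_BLOCKLIST = {SWEEPER}

if __name__ == "__main__":
    for wallet, finding in audit_delegations(SAMPLE_SNAPSHOT, SAMPLE_BLOCKLIST).items():
        status = "; ".join(finding["reasons"]) or "no indicator"
        print(f"{wallet} -> {finding['delegate']}: {status}")
```

Run against a real snapshot, the first check is the cheap one: a wallet that should never have been delegated but shows the `0xef0100` prefix has already been touched by someone holding its key, and the delegate address tells you which contract will receive whatever lands there next. Revocation is a delegation to the zero address, which is why an empty code result is treated as clean rather than as a special case.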
In one noteworthy incident reported by Scam Sniffer, a victim lost nearly $150,000 to hackers exploiting a batch transaction linked to the known fraudulent service Inferno Drainer, illustrating how large a single loss can be under this automated theft mechanism.
Criminals Target 79,000 Wallets – Earn Almost Nothing
Despite automation enabling rapid Ethereum theft, analysis by Wintermute suggests criminals haven’t yet profited substantially from this exploitation. Attackers spent approximately 2.88 ETH to authorize nearly 79,000 targeted addresses. Strikingly, a single address alone authorized about 52,000 contracts without successfully receiving stolen Ethereum.
The absence of funds at this key address points either to execution problems or to difficulty moving stolen cryptocurrency out safely. Analysts remain uncertain why these operations, though widespread, are largely unprofitable, which makes the attackers’ true objectives and operational limits harder to judge.