On June 2, The Block reported that Wintermute recently warned that the EIP-7702 feature in the Ethereum Pectra upgrade (an account abstraction improvement) is being maliciously abused, with over 80% of authorizations used for automated attacks. The blockchain security company Scam Sniffer recently observed a user lose nearly $150,000 to a phishing attack, with attackers deploying a copy-paste contract named "CrimeEnjoyor" that can automatically empty wallets whose private keys have leaked. EIP-7702, proposed by Ethereum founder Vitalik Buterin, aims to improve user experience by temporarily giving wallets smart contract functionality, including batching multiple transactions, gas fee sponsorship, biometric/social verification, and per-transaction limits.
According to Wintermute's Dune dashboard, the vast majority of EIP-7702 authorizations flow to malicious contracts with similar functions. Security expert Taylor Monahan pointed out that EIP-7702 makes emptying addresses "cheaper and easier". Wintermute commented, "It's both funny and cruel that the same copied bytecode occupies most of the EIP-7702 authorizations."
BlockBeats previously reported that SlowMist founder Yu Xian stated that the largest users of Ethereum's new EIP-7702 mechanism are theft gangs (rather than phishing organizations). EIP-7702 allows funds to be transferred automatically out of wallets with leaked private keys or seed phrases, and over 97% of EIP-7702 delegations point to theft contracts.
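The concentration of delegations on copied bytecode described above can be measured from account code alone, because a delegated account's code is the 23-byte indicator `0xef0100` followed by the delegate address. The following is an added example, not code from the article or from Wintermute's dashboard, that finds delegated accounts and groups them by the bytecode they point to. All addresses and bytecode are constructed samples, and SHA-256 stands in for the on-chain Keccak-256 code hash.

```python
import hashlib
from collections import Counter

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator

def delegate_of(code_hex):
    """Return the delegate address if the account code is an EIP-7702
    delegation (0xef0100 + 20-byte address), otherwise None."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def fingerprint(runtime_hex):
    # Assumption: SHA-256 as a stand-in fingerprint; the chain uses Keccak-256.
    raw = bytes.fromhex(runtime_hex.removeprefix("0x"))
    return hashlib.sha256(raw).hexdigest()[:16]

def cluster(account_code, contract_code):
    """Count delegated accounts per fingerprint of the delegate's bytecode."""
    counts = Counter()
    for code_hex in account_code.values():
        target = delegate_of(code_hex)
        if target is None:
            continue  # plain EOA or ordinary contract, not a delegation
        runtime = contract_code.get(target)
        counts[fingerprint(runtime) if runtime else "unknown"] += 1
    return counts

def dominant_share(counts):
    """Fraction of delegations that point at the single most common bytecode."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0

# Constructed sample: eth_getCode-style results for six accounts.
ACCOUNT_CODE = {
    "0x" + "01" * 20: "0xef0100" + "aa" * 20,
    "0x" + "02" * 20: "0xef0100" + "bb" * 20,
    "0x" + "03" * 20: "0xef0100" + "aa" * 20,
    "0x" + "04" * 20: "0xef0100" + "cc" * 20,
    "0x" + "05" * 20: "0x",            # EOA with no delegation
    "0x" + "06" * 20: "0x6080604052",  # ordinary contract code
}
# Constructed delegate bytecode: 0xaa.. and 0xbb.. are byte-identical copies.
CONTRACT_CODE = {
    "0x" + "aa" * 20: "0x60016000",
    "0x" + "bb" * 20: "0x60016000",
    "0x" + "cc" * 20: "0x60026000",
}

if __name__ == "__main__":
    print(f"dominant bytecode share: {dominant_share(cluster(ACCOUNT_CODE, CONTRACT_CODE)):.0%}")
```

A wallet owner can apply the same `delegate_of` check to their own address: any non-`None` result for an account that never signed a delegation indicates that its key is in someone else's hands.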





