Ethereum Pectra Upgrade is Largely Benefitting Crypto Theft Gangs

Ethereum’s recently introduced smart wallet feature, EIP-7702, is under scrutiny after blockchain security researchers uncovered cybercriminals’ misuse of it. Following the Pectra upgrade, several wallet providers have begun integrating EIP-7702 features.

Analysts at Wintermute, a crypto trading firm, noted that attackers used 97% of EIP-7702 wallet delegations to deploy contracts designed to drain funds from unsuspecting users.

Hackers Use Ethereum’s EIP-7702 to Automate Mass Wallet Drainings

EIP-7702 temporarily allows externally owned accounts (EOAs) to operate as smart contract wallets. The upgrade enables features like transaction batching, spending limits, passkey integration, and wallet recovery—all without changing wallet addresses.

While these upgrades aim to enhance usability, malicious actors are leveraging the standard to speed up fund extractions.

Instead of moving ETH manually from each compromised wallet, attackers now authorize contracts that automatically forward any received ETH to their own addresses.

“No doubt attackers are one of the early adopters of new capabilities. 7702 was never meant to be a silver bullet and it does have great use cases,” Rahul Rumalla, Chief Product Officer at Safe, said.

Wintermute’s analysis shows that most of these wallet delegations point to identical codebases designed to “sweep” ETH from compromised wallets.

These sweepers automatically transfer any incoming funds to attacker-controlled addresses. Out of nearly 190,000 delegated contracts examined, more than 105,000 were linked to illicit activity.

Koffi, a senior data analyst at Base Network, explained that over a million wallets interacted with suspicious contracts last weekend.

He clarified that attackers didn’t use EIP-7702 to hack the wallets but to streamline theft from wallets with already exposed private keys

The analyst furthered that one standout implementation includes a receive function that triggers ETH transfers the moment funds land in the wallet, eliminating the need for manual withdrawal.

Yu Xian, founder of blockchain security firm SlowMist, confirmed that the perpetrators are organized theft groups, not typical phishing operators. He noted that EIP-7702’s automation capabilities make it particularly attractive for large-scale exploits.

“The new mechanism EIP-7702 is used most by coin stealing groups (not phishing groups) to automatically transfer funds from wallet addresses with leaked private keys/mnemonics,” he stated.

Despite the scale of the operation, there are no confirmed profits so far.

A researcher at Wintermute noted that attackers have spent about 2.88 ETH authorizing over 79,000 addresses. One address alone executed nearly 52,000 authorizations, yet the target address has not received any funds.