
Wintermute Warns About Security Risks in Ethereum’s EIP-7702 Implementation

June 2, 2025

Ethereum’s journey toward account abstraction just hit a speed bump. The latest upgrade proposal, EIP-7702, which aims to modernize how Ethereum accounts interact with smart contracts, has shown some concerning behavior in the wild, enough to raise red flags from crypto trading firm Wintermute.

On May 30, 2025, the company published findings that shine a light on how the proposal might unintentionally be paving the way for new on-chain attack patterns.

Majority of EIP-7702 contracts linked to automated drainers

According to Wintermute’s analysis, a whopping 97% of the delegations using EIP-7702 features are routed through malicious smart contracts the firm refers to as “CrimeEnjoyor.”

These delegate contracts are set up to automatically sweep any ETH sent to them, typically from compromised externally owned accounts (EOAs).

These exploit paths are part of a broader concern that leaked private keys (an ever-present threat) are being paired with new Ethereum standards to supercharge how fast funds can be drained.

The goal behind EIP-7702, led by Ethereum co-founder Vitalik Buterin and collaborators, is to let accounts temporarily behave more like smart contracts during a transaction.

It draws from existing standards like ERC-4337 and EIP-3074, which together aim to reduce friction in using Ethereum apps. While the move is technically promising, as seen in QuickNode’s breakdown from May 2024, Wintermute’s findings are a reminder that flexibility can sometimes introduce risk.

“CrimeEnjoyor” label added to improve transparency

To help others spot the issue, Wintermute took the extra step of decompiling the underlying bytecode and publishing it as Solidity code labeled “CrimeEnjoyor.”

The public version now comes with a bold warning for users not to send ETH to the address. This makes it easier for block explorers and analysts to flag bad actors before they cause further damage.

Wintermute has also updated its Dune dashboard, categorizing these contracts under a “Crime” tag to help distinguish them from trusted services like Uniswap, MetaMask, or TrustWallet.
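
One way a wallet or monitoring tool could apply this kind of labelling before funds are sent, shown as an added example that is not code from Wintermute or from the original article. It relies on the EIP-7702 specification's delegation designator (account code equal to `0xef0100` followed by the 20-byte delegate address); the `FLAGGED_DELEGATES` entry and all sample inputs are constructed placeholders, and the function names are hypothetical.

```python
# Added example: classify the hex string returned by eth_getCode for an address
# and check an EIP-7702 delegate against a local deny list.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # designator prefix per the EIP-7702 spec
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte delegate address

# Constructed placeholder, NOT a real address. Populate from a source you trust,
# for example contracts you have reviewed and labelled yourself.
FLAGGED_DELEGATES = {"0x" + "11" * 20}


def parse_code(code_hex: str) -> dict:
    """Return the account kind and, for a delegated EOA, the delegate address."""
    body = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    raw = bytes.fromhex(body)  # raises ValueError on non-hex or odd-length input
    if not raw:
        return {"kind": "eoa", "delegate": None}
    if raw.startswith(DELEGATION_PREFIX):
        if len(raw) != DESIGNATOR_LEN:
            # Designator prefix with the wrong length: do not guess a delegate.
            return {"kind": "malformed", "delegate": None}
        return {"kind": "delegated", "delegate": "0x" + raw[3:].hex()}
    return {"kind": "contract", "delegate": None}


def assess(code_hex: str, flagged=FLAGGED_DELEGATES) -> dict:
    """Add a 'flagged' verdict: True only when the delegate is on the deny list."""
    info = parse_code(code_hex)
    deny = {addr.lower() for addr in flagged}
    info["flagged"] = info["delegate"] is not None and info["delegate"] in deny
    return info


if __name__ == "__main__":
    samples = {  # constructed eth_getCode results
        "plain EOA": "0x",
        "delegated to flagged contract": "0xef0100" + "11" * 20,
        "delegated to unlisted contract": "0xef0100" + "ab" * 20,
        "ordinary contract": "0x6080604052",
    }
    for label, code in samples.items():
        print(label, assess(code))
```

A sender-side check would call `assess` on the recipient's code and refuse or warn when `flagged` is true; an unlisted delegate is not proof of safety, only the absence of a known label.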
