Ethereum users are set to receive clearer warnings about a new type of attack that can drain their wallets. Crypto market maker Wintermute has announced “CrimeEnjoyor,” a tool that embeds warnings in the verified source code of known malicious contracts.
According to Wintermute’s May 30 X post, CrimeEnjoyor places a warning inside malicious Ethereum contracts that are “designed to auto-sweep funds” from wallets whose private keys have leaked.
The warning message clearly states that the malicious contract “is used by bad guys to automatically sweep all incoming ETH” and strongly advises users to “NOT SEND ANY ETH.”
These malicious contracts abuse a feature introduced in Ethereum’s Pectra upgrade, Ethereum Improvement Proposal 7702 (EIP-7702). EIP-7702 lets an ordinary externally owned account (EOA) delegate its execution to a smart contract’s code by signing an authorization; the delegation stays in place until the account signs a new one replacing or clearing it. Attackers holding leaked keys are using it to point victims’ accounts at sweeper contracts, according to Wintermute.
Wintermute’s research team discovered that “over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code,” which they identified as sweepers used to automatically drain incoming ETH from compromised addresses.
To implement CrimeEnjoyor, Wintermute decompiled the Ethereum Virtual Machine bytecode of these malicious contracts into human-readable Solidity, added the warning as a comment, and publicly verified the source against the deployed bytecode, so anyone inspecting the contract now sees the warning.
“This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time.”
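The pattern Wintermute describes, many EOAs delegating to different contract addresses that all carry byte-identical code, can be checked mechanically. The following is an added example written for this page, not Wintermute’s tooling: it parses the EIP-7702 delegation designator (the 23-byte code `0xef0100 || address` that an EOA holds after delegating) and clusters delegating accounts by the exact bytecode of their delegate. All addresses and bytecode below are constructed sample data, not real on-chain values.

```python
"""Detect EIP-7702 delegation designators and cluster them by delegate bytecode.

Added example for this page (not Wintermute's code). Addresses and bytecode
below are constructed placeholders; in practice the two dicts would be filled
from eth_getCode, which for a delegated EOA returns the designator itself.
"""
from collections import defaultdict

# EIP-7702: a delegated EOA's code is the magic prefix 0xef0100 followed by
# the 20-byte address of the contract whose code it executes.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20


def parse_delegation(code: bytes):
    """Return the delegate address (0x-prefixed, lowercase hex) if `code` is an
    EIP-7702 designator; None for an empty EOA or ordinary contract code."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def cluster_delegations(account_code: dict, contract_code: dict):
    """Group delegating accounts by the exact bytecode of their delegate.

    account_code:  {eoa_address: code bytes}   (what eth_getCode returns)
    contract_code: {contract_address: runtime bytecode}
    Returns (clusters, unknown) where clusters maps bytecode hex to
    {"delegates": set of delegate addresses, "accounts": list of EOAs} and
    unknown lists EOAs whose delegate code we do not have."""
    clusters = defaultdict(lambda: {"delegates": set(), "accounts": []})
    unknown = []
    for eoa, code in account_code.items():
        delegate = parse_delegation(code)
        if delegate is None:
            continue  # not delegated: plain EOA or a regular contract
        target = contract_code.get(delegate)
        if target is None:
            unknown.append(eoa)
            continue
        entry = clusters[target.hex()]
        entry["delegates"].add(delegate)
        entry["accounts"].append(eoa)
    return dict(clusters), unknown


def dominant_cluster_share(clusters: dict) -> float:
    """Fraction (0..1) of known delegations that land on the single most
    common bytecode; a value near 1.0 is the kind of signal Wintermute saw."""
    total = sum(len(c["accounts"]) for c in clusters.values())
    if total == 0:
        return 0.0
    return max(len(c["accounts"]) for c in clusters.values()) / total


# ---- constructed sample data (not real addresses or contracts) -------------
def designator(addr: str) -> bytes:
    """Build the EIP-7702 code an EOA would hold after delegating to `addr`."""
    return DELEGATION_PREFIX + bytes.fromhex(addr[2:])


SWEEPER_A = "0x" + "aa" * 20   # two deployments of identical sweeper code
SWEEPER_B = "0x" + "bb" * 20
WALLET_C = "0x" + "cc" * 20    # an unrelated delegate with different code
UNKNOWN_D = "0x" + "dd" * 20   # delegate whose code we have not fetched

SWEEPER_CODE = bytes.fromhex("6080604052348015600f57600080fd5b")  # placeholder
WALLET_CODE = bytes.fromhex("6080604052600436106100")             # placeholder

SAMPLE_ACCOUNTS = {
    "0x" + "01" * 20: designator(SWEEPER_A),
    "0x" + "02" * 20: designator(SWEEPER_A),
    "0x" + "03" * 20: designator(SWEEPER_B),
    "0x" + "04" * 20: designator(WALLET_C),
    "0x" + "05" * 20: b"",            # never delegated
    "0x" + "06" * 20: SWEEPER_CODE,   # a contract, not a designator
    "0x" + "07" * 20: designator(UNKNOWN_D),
}
SAMPLE_CONTRACTS = {SWEEPER_A: SWEEPER_CODE, SWEEPER_B: SWEEPER_CODE, WALLET_C: WALLET_CODE}


if __name__ == "__main__":
    clusters, unknown = cluster_delegations(SAMPLE_ACCOUNTS, SAMPLE_CONTRACTS)
    for code_hex, entry in clusters.items():
        print(f"bytecode {code_hex[:16]}...: {len(entry['accounts'])} delegations "
              f"across {len(entry['delegates'])} delegate address(es)")
    print("delegations with unknown delegate code:", unknown)
    print(f"share on dominant bytecode: {dominant_cluster_share(clusters):.0%}")
```

Identical bytecode across many delegate addresses is a clustering signal, not proof of malice on its own; a widely used legitimate wallet implementation would cluster the same way. What turned Wintermute’s cluster into a verdict was decompiling that bytecode and reading the sweep logic, which is what the verified source now documents.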
EIP-7702 is optional, but transparency tools are needed
It’s important to note that EIP-7702 is an opt-in feature and is not required for basic Ethereum operations like native token transfers.
Wintermute emphasizes that while EIP-7702 expands what an Ethereum account can do, nothing in the delegation itself tells a user what the target contract will do with their funds, so legitimate wallet infrastructure and malicious sweepers look alike on-chain until someone examines the code, a distinction new users in particular cannot make.
“With more compromised contracts tagged, more activity can be surfaced and more users can be protected.”
According to blockchain security firm Scam Sniffer, one Ethereum user already lost $146,550 on May 23 by signing several malicious batched transactions that leveraged EIP-7702.
Since the Pectra upgrade went live on Ethereum on May 7, a total of 12,329 EIP-7702 transactions have been made.
Besides EIP-7702, Pectra also introduced EIP-7251, which raised the maximum effective balance a single validator can stake, and EIP-7691, which increased the number of data blobs per block to give Ethereum layer 2s more capacity and lower transaction fees.