Major Exploits Found In Ethereum Pectra’s EIP-7702 Delegations, Automated Hackers Blamed For Draining Wallets

CrimeEnjoyor embeds warnings in harmful EIP-7702 contracts, alerting users to avoid sending funds to wallet-drainers. Over 80% of EIP-7702 delegations link to nearly identical sweeper code, highlighting the need for users to verify contracts.


Meghna Chowdhury
Meghna is a Journalism graduate with specialisation in Print Journalism. She is currently pursuing a Master's Degree in journalism and mass communication. With over 3.5 years of experience in the Web3 and cryptocurrency space, she is working as a Senior Crypto Journalist for UnoCrypto. She is dedicated to delivering quality journalism and informative insights in her field. Apart from business and finance articles, horror is her favourite genre.

Crypto market maker Wintermute revealed a fresh threat to Ethereum users.

The firm created a tool named CrimeEnjoyor that places warnings inside malicious smart contracts. These contracts can empty wallets once they detect that private keys have been exposed.


Wintermute posted about the discovery on X (Twitter), saying the alerts tell users “NOT SEND ANY ETH” to the problematic addresses.

The Threat to User Wallets

Malicious actors have found a way to use a new Ethereum feature to attack accounts. After the Pectra upgrade introduced EIP-7702, wallets can temporarily hand control over to smart contracts. 

Attackers write simple contracts that watch for incoming funds and sweep them instantly. Wintermute’s team noticed that most of these sweeper contracts share the same code.

CrimeEnjoyor Exposes the Malicious Code

Wintermute named the most common sweeper contract “CrimeEnjoyor.” By reverse-engineering the bytecode of these harmful contracts, the team turned them into human-readable Solidity code.


They then verified the source code publicly, making the contracts easier to spot and tag. The analysis linked over 97% of all EIP-7702 delegations, in which wallets allow contracts to act on their behalf, to just a few copies of this sweeper code.

Why EIP-7702 Opened a Door for Hackers

The Pectra hard fork, backed by Ethereum co-founder Vitalik Buterin, aimed to improve user experience. Delegations allow wallets to batch multiple tasks, such as sending numerous transactions at once or letting another service cover gas fees. 

Though this makes Ethereum easier to use, it also means users must trust the contract they delegate to. Attackers spotted that new users might not know how to check if a contract is safe before approving it.
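The check described above, as an added illustration rather than Wintermute's tool: under EIP-7702 a delegated account's code is the designator `0xef0100` followed by the 20-byte target address, so a wallet or explorer can parse that code and compare the target against a labelled list of known sweepers. The label table and addresses below are constructed placeholders.

```python
"""Inspect an account's code for an EIP-7702 delegation and flag known sweepers.
Added example, not Wintermute's code; labels and addresses are constructed."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

# EIP-7702 delegation designator: exactly 0xef0100 || 20-byte target address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_CODE_LEN = 3 + 20

# Constructed placeholder labels; a real deployment loads verified, tagged addresses.
KNOWN_SWEEPERS: Dict[str, str] = {
    "0x" + "ab" * 20: "sweeper (constructed placeholder)",
}


@dataclass
class DelegationCheck:
    delegated: bool
    target: Optional[str]
    flagged: bool
    reason: str


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegation target if `code` is a 7702 designator, else None."""
    if len(code) != DELEGATION_CODE_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def check_account(code: bytes, labels: Dict[str, str] = KNOWN_SWEEPERS) -> DelegationCheck:
    """Classify an account by its code: plain EOA, ordinary contract, or delegated EOA."""
    target = parse_delegation(code)
    if target is None:
        if code == b"":
            return DelegationCheck(False, None, False, "plain EOA, no delegation")
        return DelegationCheck(False, None, False, "contract account, not a 7702 designator")
    label = labels.get(target.lower())
    if label:
        return DelegationCheck(True, target, True, f"delegated to {label}; do not send ETH")
    return DelegationCheck(True, target, False, "delegated to unlabelled contract; verify before sending")


def fetch_code(rpc_url: str, address: str) -> bytes:
    """Fetch account code via the standard eth_getCode JSON-RPC call (network access)."""
    payload = {"jsonrpc": "2.0", "id": 1, "method": "eth_getCode", "params": [address, "latest"]}
    req = urllib.request.Request(rpc_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return bytes.fromhex(json.load(resp)["result"][2:])
```

`fetch_code` is only needed for live lookups; `check_account` runs offline on raw code bytes.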

Widespread Misuse of Delegations

Wintermute’s research shows that more than 80% of all EIP-7702 delegations lead to nearly identical sweeper contracts. 

Once a private key leaks, these contracts automatically collect any ETH sent in. The simplicity of CrimeEnjoyor makes it quick to copy and reuse. As a result, the threat can spread fast across many addresses.

How the Warning Appears

Whenever a user views or interacts with a known sweeper contract, CrimeEnjoyor prints a clear warning. It states that “bad guys” use this contract to drain ETH and urges people not to send any funds. 

By embedding this alert directly into the contract, Wintermute hopes users will pause before sending money to a dangerous address.

Protecting New Users

Since EIP-7702 is optional, ordinary token transfers remain unchanged. Users who do not choose to delegate face no additional risk from these sweepers. 

However, new or inexperienced wallet holders might accept delegations without realising the danger. Wintermute believes that labelling harmful contracts helps separate them from trusted services, reducing costly mistakes.

With Pectra live, Ethereum’s usability has improved, but risks have followed. Wintermute’s CrimeEnjoyor aims to stem one of the newest attacks.

