Ethereum’s EIP-7702 Under Threat: Hackers Automate Crypto Theft Through New Smart Wallet Features

Coinotag, 2025/05/30 16:00
By: Marisol Navaro
  • Following recent enhancements in Ethereum, a new exploit is emerging as hackers utilize the EIP-7702 feature to drain wallets with stolen keys.

  • This alarming trend underscores how cybercriminals are swiftly adopting Ethereum’s innovations for illicit activities.

  • Research indicates that over 100,000 smart contracts are now associated with these malicious practices, raising significant security concerns.

The emergence of Ethereum’s EIP-7702 feature is being exploited by hackers to automate theft from compromised wallets, posing significant security risks to users.

Hackers Use Ethereum’s EIP-7702 to Automate Mass Wallet Drainings

EIP-7702 allows externally owned accounts (EOAs) to function as smart contract wallets. By enabling features like transaction batching and wallet recovery, this upgrade significantly enhances usability. However, it also creates opportunities for malicious actors to expedite fund extraction, turning a useful technology into a tool for crime.

Prior to EIP-7702, manually transferring ETH out of compromised wallets required time and effort. Now, attackers merely authorize contracts that promptly forward any incoming ETH to their own addresses, effectively automating their heist operations.
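A defender-side check for the delegation described above, as an added example that is not part of the original article: under EIP-7702 a delegated account's code is the 23-byte value 0xef0100 followed by the delegate contract's address, so an eth_getCode result shows where a wallet points. The function names, the sample addresses and code values, and the approved-implementation list are assumptions constructed for illustration.

```python
# EIP-7702 sets a delegated EOA's code to this 3-byte prefix followed by the
# 20-byte address of the contract it delegates to (23 bytes in total).
DELEGATION_PREFIX = bytes.fromhex("ef0100")


def delegate_of(code_hex):
    """Return the delegate address if code_hex (an eth_getCode result)
    is an EIP-7702 delegation designator, otherwise None."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    try:
        code = bytes.fromhex(raw)
    except ValueError:
        return None  # not valid hex: treat as "no delegation"
    if len(code) != 23 or not code.startswith(DELEGATION_PREFIX):
        return None  # empty code (plain EOA) or ordinary contract bytecode
    return "0x" + code[3:].hex()


def unexpected_delegations(accounts, approved):
    """Map each non-approved delegate to the monitored wallets pointing at it.

    accounts: wallet address -> eth_getCode hex string.
    approved: lowercase addresses of wallet implementations you have reviewed.
    """
    hits = {}
    for wallet, code_hex in accounts.items():
        target = delegate_of(code_hex)
        if target is not None and target not in approved:
            hits.setdefault(target, []).append(wallet)
    return {target: sorted(wallets) for target, wallets in hits.items()}


# Constructed sample data: every address and code value below is made up.
UNKNOWN_DELEGATE = "0x" + "aa" * 20
APPROVED_IMPL = "0x" + "bb" * 20
SAMPLE = {
    "0x" + "01" * 20: "0xef0100" + "aa" * 20,  # delegated, not approved
    "0x" + "02" * 20: "0xEF0100" + "AA" * 20,  # same delegate, upper-case hex
    "0x" + "03" * 20: "0xef0100" + "bb" * 20,  # delegated to approved wallet
    "0x" + "04" * 20: "0x",                    # plain EOA, no code
    "0x" + "05" * 20: "0x6080604052",          # ordinary contract bytecode
}

if __name__ == "__main__":
    for target, wallets in unexpected_delegations(SAMPLE, {APPROVED_IMPL}).items():
        print(f"ALERT {len(wallets)} wallet(s) delegate to {target}: {wallets}")
```

A delegation the wallet owner did not set means someone else signed an authorization with that wallet's key, so the key should be treated as exposed and remaining assets moved to a fresh wallet.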

“Although the intent behind EIP-7702 is positive, its misuse highlights the need for enhanced security measures,” stated Rahul Rumalla, Chief Product Officer at Safe.

A recent study by Wintermute shows that a staggering 97% of wallet delegations involving EIP-7702 have been utilized for deploying contracts specifically designed to drain Ethereum from unsuspecting users.

This alarming trend indicates that out of approximately 190,000 delegated contracts analyzed, more than 105,000 are linked to malicious activities. Kofi, a senior analyst at Base Network, revealed that over a million wallets interacted with questionable contracts recently, illustrating the scale of the issue.

Importantly, Kofi clarified that while these wallets may be exploited, they weren’t compromised via EIP-7702; the attackers simply leveraged already exposed private keys.

In a contentious clarification, Kofi stated:

“These wallets were not hacked using 7702. The hacker obtained the private keys without doing anything related to 7702. Since they have the keys, they could transfer money out of these wallets by making regular transactions from each one.”

—Kofi (@0xKofi) May 31, 2025

This automation drastically reduces the time needed to withdraw funds, allowing criminals to capture any incoming ETH instantly. Yu Xian, founder of the cybersecurity firm SlowMist, emphasized that these organized theft groups are not typical phishing operations, noting that the automated nature of EIP-7702 allows for large-scale exploits.

“The new mechanism EIP-7702 is primarily leveraged by coin-stealing entities, facilitating rapid transfers from wallets with compromised private keys or mnemonics,” he elaborated.

Despite the extensive operations facilitated by these features, data suggests that the attackers have not yet turned a profit, indicating either delays in execution or challenges in successfully retrieving funds.

A researcher from Wintermute reported that approximately 2.88 ETH has been allocated to authorize more than 79,000 addresses involved in this illicit activity. Notably, one address was accountable for nearly 52,000 authorizations, but the target address has not received any ETH thus far, further complicating the analysis of these attacks.

Conclusion

As Ethereum continues to evolve with innovative features like EIP-7702, the rapid adaptation by malicious entities highlights the urgent need for enhanced security and monitoring. Users are advised to remain vigilant and consider implementing additional protective measures to safeguard their investments from potential breaches.
