New Wintermute Tool Exposes Ethereum’s Dark Side  

Wintermute has launched ‘CrimeEnjoyor,’ a tool that will flag malicious Ethereum smart contracts exploiting the Ethereum Improvement Proposal-7702 (EIP-7702) feature. 

EIP-7702, introduced in the Pectra update, allows temporary delegation of wallet control but has been exploited to siphon assets from already compromised wallets. 

CrimeEnjoyor identifies these malicious, faulty contracts and improves transparency as well as user protection on Ethereum’s network.

Scammers Target Ethereum’s New Wallet Feature

The Pectra upgrade, launched on May 7, 2025, introduced EIP-7702, which allows users to delegate wallet control to smart contracts for easy operations like gasless transactions or batch operations.

Following the upgrade, attackers have targeted this feature to exploit wallets with leaked private keys. 

Wintermute’s research reveals that around 94% to 97% of EIP-7702 delegations comprise the identical “sweeper” code that automatically transfers ETH from compromised wallets when deposited.

A recent hack saw a trader lose $146,550 to such an attack as evidence of the risk for users with compromised keys. Legitimate projects like Uniswap, Jumper Exchange, and Euler Finance use EIP-7702 responsibly, accounting for 95% of non-malicious flows, but the increase of malicious contracts requires urgent action.

Wintermute Tool Decodes Ethereum’s Risky Code  

CrimeEnjoyor prevents those risks by identifying malicious EIP-7702 contracts and alert traders and users by sending a warning: “used by bad guys to automatically sweep all incoming ETH” and “do not send any ETH.” 

Wintermute converts the Ethereum Virtual Machine (EVM) bytecode of these contracts into human-readable Solidity code, allowing public verification of their malicious intentions. This process also ensures transparency, allowing users and developers to assess risks before interacting with flagged contracts.

The tool prioritizes user protection, most importantly for those vulnerable to phishing scams that expose private keys. By sending warnings directly into contract code, CrimeEnjoyor provides real-time alerts, setting a new benchmark for proactive security in blockchain ecosystems.

Ethereum’s Fight Against Scams Gets a Boost  

CrimeEnjoyor’s alerts are intended to reduce losses, especially for less experienced users prone to phishing attacks. According to reports from CoinChapter, more than 105,000 of 190,000 EIP-7702 delegated contracts are linked to illicit activity.

These malicious contracts are said to complicate the recovery of funds from compromised wallets, hence the urgent need and importance for tools like CrimeEnjoyor.

Legitimate addresses like Uniswap and Trust Wallet, which account for 95% of clean EIP-7702 traffic, reveal the feature’s potential when used securely. Wintermute’s transparent approach, with publicly verifiable code, has earned praise for fostering trust and accountability within Ethereum’s ecosystem.

Wintermute’s Call for Smarter Ethereum Protections  

CrimeEnjoyor marks a major milestone toward securing Ethereum, but the dependence on compromised private keys for EIP-7702 exploits shows the need for overall protections. Wintermute advocates for improved verification protocols and user education to prevent phishing and related threats. 

As Ethereum evolves, tools like CrimeEnjoyor and community-driven initiatives will be essential to differentiate between legitimate infrastructure and malicious schemes.

Since the Pectra upgrade, 12,329 EIP-7702 transactions have been recorded, per TradingView,  proof of the growing adoption alongside increased risks.