Crypto Thieves Are Having a Field Day with Ethereum’s New Upgrade! 😂💰

by

Oh, what a jolly mess we have here! Ethereum has rolled out its shiny new smart wallet feature, EIP-7702, and guess who’s taken a keen interest? That’s right, the cheeky cybercriminals! After the Pectra upgrade, wallet providers have been busy integrating these features, but it seems the bad guys are having a right laugh! 🤭

According to the clever folks at Wintermute, a crypto trading firm, a whopping 97% of EIP-7702 wallet delegations have been hijacked by attackers to create contracts that suck funds from unsuspecting users like a vacuum cleaner on steroids! 🧹💸

Hackers Use Ethereum’s EIP-7702 to Automate Mass Wallet Drainings

Now, EIP-7702 lets externally owned accounts (EOAs) play dress-up as smart contract wallets. It’s like giving a toddler a shiny new toy! This upgrade brings along features like transaction batching, spending limits, passkey integration, and wallet recovery—all without changing wallet addresses. How convenient! Or is it? 🤔

While these upgrades are meant to make life easier, the naughty ones are using them to speed up their little fund-snatching escapades. Instead of manually moving ETH from each compromised wallet, they’ve got contracts that automatically whisk away any received ETH to their own sneaky addresses. Poof! 💨

“No doubt attackers are one of the early adopters of new capabilities. 7702 was never meant to be a silver bullet and it does have great use cases,” said Rahul Rumalla, Chief Product Officer at Safe. Well, isn’t that just delightful? 🙄

Wintermute’s analysis reveals that most of these wallet delegations point to identical codebases designed to “sweep” ETH from compromised wallets. It’s like a conga line of theft! 🎉

These sweepers are like little elves, automatically transferring any incoming funds to the attackers’ pockets. Out of nearly 190,000 delegated contracts examined, more than 105,000 were linked to some rather shady business. Shocking, isn’t it? 😱

Koffi, a senior data analyst at Base Network, shared that over a million wallets had a little chat with suspicious contracts last weekend. How cozy! ☕️

He clarified that attackers didn’t use EIP-7702 to hack the wallets but to streamline their thievery from wallets with already exposed private keys. Clever little rascals! 🦊

In case it wasn’t clear:

These wallets were not hacked using 7702. The hacker obtained the private keys without doing anything related to 7702.

And, since they have the keys, they could transfer money out of these wallets by making regular transactions from each one.…

— Kofi (@0xKofi) May 31, 2025

The analyst further explained that one standout implementation includes a receive function that triggers ETH transfers the moment funds land in the wallet, making manual withdrawals as outdated as a floppy disk! 💾

Yu Xian, founder of blockchain security firm SlowMist, confirmed that the culprits are organized theft groups, not your average phishing operators. EIP-7702’s automation capabilities make it a tempting treat for large-scale exploits. 🍭

“The new mechanism EIP-7702 is used most by coin stealing groups (not phishing groups) to automatically transfer funds from wallet addresses with leaked private keys/mnemonics,” he stated. How charming! 🙃

Despite the scale of this operation, there are no confirmed profits so far. Quite the anticlimax! 🎭

A researcher at Wintermute noted that attackers have spent about 2.88 ETH authorizing over 79,000 addresses. One address alone executed nearly 52,000 authorizations, yet the target address has not received a single penny. Talk about a flop! 🎢

Read More

2025-05-31 19:26