Hackers are abusing the new EIP-7702 feature introduced in the Ethereum Pectra Upgrade to automate the transfer of ETH from wallets with stolen private keys. According to blockchain security researchers, attackers are using EIP-7702 to deploy smart contracts that drain funds without manual action.

The EIP-7702 standard allows externally owned accounts (EOAs) to temporarily act as smart wallets. These smart wallets can batch transactions, set spending limits, support passkeys, and enable recovery functions—without changing the wallet address.
However, data shows that these functions are being misused. Instead of improving wallet usability, the EIP-7702 update has become a tool for crypto theft. Attackers use it to create contracts that automatically forward ETH to their own addresses once funds enter a compromised wallet.
105,000 Wallet Delegations Linked to Theft via Ethereum Pectra Upgrade
A new report by Wintermute, a crypto trading firm, revealed that out of nearly 190,000 EIP-7702 wallet delegations, over 105,000 were used for ETH drain operations. The contracts had identical code designed to sweep ETH automatically.
Wintermute found that 97% of wallet delegations under EIP-7702 led to malicious contract activity. These contracts allowed hackers to drain funds from wallets exposed through stolen private keys or leaked mnemonics.
Koffi, a senior data analyst at Base Network, confirmed that over 1 million wallets interacted with suspicious contracts over the weekend. He added that EIP-7702 was not used to hack wallets but to automate theft from wallets already compromised.
One implementation included a receive function that triggered automatic ETH transfers as soon as any funds arrived. The wallet user had no control once the contract was deployed.
Criminal Groups Use EIP-7702 for Large-Scale ETH Draining
Yu Xian, founder of SlowMist, a blockchain security firm, said organized theft groups—not phishing operators—are behind the recent activity. He said,
“The new mechanism EIP-7702 is used most by coin stealing groups (not phishing groups) to automatically transfer funds from wallet addresses with leaked private keys/mnemonics.”
Wintermute added that these organized actors spent around 2.88 ETH to authorize more than 79,000 addresses. One address executed nearly 52,000 authorizations, although the destination address has not received any funds so far.
Blockchain data from Dune Analytics confirmed that most of these transactions are linked to automated wallet delegations. The contract setups appear nearly identical and are created to perform fast ETH drains from exposed wallets using EIP-7702.
Stolen Private Keys Remain the Main Entry Point for EIP-7702 Exploits
EIP-7702 has not caused private key leaks. Instead, attackers are using its automation tools to drain wallets that are already exposed. The exposed keys come from earlier phishing campaigns, leaks, or compromised seed phrases.
The smart wallet functionality provided by the Ethereum Pectra Upgrade is not the point of attack. It simply speeds up how stolen funds are collected. Contracts created through EIP-7702 make fund transfers instant and do not require any further approval once deployed.
According to researchers, the number of wallets affected and the scale of smart contract deployments indicate a coordinated campaign. Every transaction uses minimal gas, and each contract follows a repeatable pattern.
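
For wallet owners and monitoring teams, the delegations described above are visible on-chain: under EIP-7702 a delegated account's code is the 23-byte indicator `0xef0100` followed by the delegate address. The following is an added example, not code from Wintermute or any project named in this article; it assumes account code has already been fetched with `eth_getCode`, and the function names, addresses and sample data are constructed for illustration.

```python
from collections import Counter

# EIP-7702: a delegated EOA's code is the 23-byte delegation indicator,
# 0xef0100 followed by the 20-byte delegate address.
PREFIX = bytes.fromhex("ef0100")

def delegate_of(code_hex):
    """Return the lowercase delegate address if code_hex is a delegation indicator, else None."""
    try:
        code = bytes.fromhex(code_hex.removeprefix("0x"))
    except ValueError:
        return None
    if len(code) == 23 and code.startswith(PREFIX):
        return "0x" + code[3:].hex()
    return None

def audit(codes, allowlist=frozenset(), min_shared=3):
    """codes maps account -> eth_getCode hex string.
    Returns (unexpected, shared): accounts delegated to a target outside the
    lowercase allowlist, and targets that min_shared or more accounts point at."""
    unexpected, counts = [], Counter()
    for account, code_hex in sorted(codes.items()):
        target = delegate_of(code_hex)
        if target is None:
            continue  # plain EOA (empty code) or ordinary contract bytecode
        counts[target] += 1
        if target not in allowlist:
            unexpected.append((account, target))
    shared = {t: n for t, n in counts.items() if n >= min_shared}
    return unexpected, shared

# Constructed sample data: these are not real addresses or on-chain code.
SWEEPER = "0x" + "ab" * 20       # hypothetical delegate shared by many accounts
WALLET_IMPL = "0x" + "cd" * 20   # hypothetical wallet implementation the owner trusts
SAMPLE = {
    "0x" + "01" * 20: "0xef0100" + "ab" * 20,
    "0x" + "02" * 20: "0xef0100" + "ab" * 20,
    "0x" + "03" * 20: "0xef0100" + "ab" * 20,
    "0x" + "04" * 20: "0xef0100" + "cd" * 20,  # delegated to the allowlisted target
    "0x" + "05" * 20: "0x",                    # plain EOA, no delegation
    "0x" + "06" * 20: "0x6080604052",          # ordinary contract bytecode
}

if __name__ == "__main__":
    unexpected, shared = audit(SAMPLE, allowlist={WALLET_IMPL})
    for account, target in unexpected:
        print(f"unexpected delegation: {account} -> {target}")
    print("targets shared by many accounts:", shared)
```

An unexpected delegation on an address you control indicates that someone with the private key signed an authorization, so the key itself should be treated as compromised.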