Crypto Theft Exploits EIP-7702 Mechanism
- Groups exploit Ethereum’s EIP-7702 for unauthorized transfers.
- Wintermute detects 97% delegated wallet misuse.
- Security analysts demand urgent EIP-7702 revisions.

Experts point to the need for immediate action to prevent broader damage from EIP-7702’s vulnerabilities, emphasizing swift enhancements to restore user security.
Researchers have uncovered significant breaches using EIP-7702, mainly involving groups rather than isolated phishing attempts. Affected users reportedly experienced unauthorized fund transfers, leveraging EIP-7702’s functionality to systematically drain crypto assets.
Yu Xian, founder of SlowMist, collaborates with Wintermute to track these coordinated attacks. They found that 97% of delegated actions exploited the EIP-7702 structure to drain user funds, with evidently no single profit reported yet from exploited addresses.
“The new mechanism EIP-7702 is used most by coin stealing groups (not phishing groups) to automatically transfer funds from wallet addresses with leaked private keys/mnemonics.” – Yu Xian, Founder, SlowMist
Impacts are evident in the fragmented trust within Ethereum’s user base. Attackers have reportedly spent 2.88 ETH across numerous addresses, indicating a potential rise in future attempts. As the attacks evolve, consequential impacts on Ethereum and user credibility emerge.
Financial implications include reinforced scrutiny of Ethereum’s security protocols. The Theft group’s ongoing operations, even with Inferno Drainer’s claimed shutdown, suggest expanded vulnerabilities. Past phishing scams cost millions, underscoring serious financial risk.
Continued attacks signal urgent calls for EIP-7702 redesign. Historical data, such as Scam Sniffer’s 2025 report, indicate a 26% uptick in phishing victims, emphasizing the overt risk scaling within crypto markets. Solutions require expedited tactical measures to counteract security breaches.