Pectra update brings automated phishing to Ethereum


Ethereum's (ETH) recent Pectra update has opened the door to new risks, according to an analysis by the Wintermute platform: Ethereum Improvement Proposal 7702 (EIP-7702), which allows users to delegate actions to smart contracts to facilitate transactions, is being exploited by hackers.

According to that source, the attackers use automated mechanisms to drain funds from compromised accounts, leaving users vulnerable to scams such as phishing.

EIP-7702: A tool under attack

The report by Wintermute, a firm specialized in cryptocurrency markets, reveals that more than 97% of the delegations made through EIP-7702 are linked to identical contracts, identified as "CrimeEnjoyor." These contracts, known as "sweepers," are designed to automatically extract ether from compromised addresses, facilitating phishing attacks and exposing the vulnerability that the Pectra update has brought to Ethereum.

The distribution of these contracts on Ethereum can be seen in the following chart from the Wintermute report:

[Figure: Dune chart of the distribution of contracts on Ethereum. Caption: EIP-7702 brought scam risks to Ethereum. Source: Wintermute/X.]

EIP-7702, introduced into Ethereum with Pectra on May 7, allows Ethereum users to delegate functions to smart contracts, which are programs that execute actions automatically on the network. For example, a user can authorize a contract to make transactions on their behalf, simplifying processes such as asset exchange.

However, that ease has been exploited by malicious actors. The "sweepers" identified by Wintermute operate across multiple contracts, indicating a coordinated strategy to attack unsuspecting users and empty their ether reserves.

Unlike previous scams that required multiple signature confirmations by users, these new attacks take advantage of a single grouped transaction, which makes them more difficult to detect and faster for hackers to execute.

The term "a single grouped transaction" refers to a functionality that EIP-7702 introduces in Ethereum. Several actions or permissions, which previously required multiple approvals by the user (such as signing several separate transactions), can now be combined in a single transaction that the user approves with a single signature.

As a result, if a user falls into a trap, such as a fake link that makes them delegate permissions from their wallet, the ether in that wallet can be quickly transferred to the attackers without the user being able to do anything to prevent it. These risks detected by Wintermute had already been reported by CriptoNoticias, since users had warned about them after the first day of the Pectra implementation in Ethereum.
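
A defender's check for the delegation described above, as an added example that is not from Wintermute or the original article. Under EIP-7702 a delegated account's code is the 23-byte designator `0xef0100` followed by the delegate contract's address, so the code stored for an address shows whether it has delegated and to whom. All account codes, addresses and the flagged list below are constructed placeholder values.

```python
from collections import Counter
from typing import Optional

# EIP-7702 delegation designator: 0xef0100 followed by a 20-byte address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")


def parse_delegation(code_hex: str) -> Optional[str]:
    """Return the delegate address if code_hex is an EIP-7702 designator."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.lower().startswith("0x") else code_hex)
    if len(raw) != 23 or not raw.startswith(DELEGATION_PREFIX):
        return None  # plain account (empty code) or an ordinary contract
    return "0x" + raw[3:].hex()


def audit_accounts(codes: dict, flagged: set) -> list:
    """List delegated accounts and mark those pointing at a flagged contract."""
    findings = []
    for account, code_hex in codes.items():
        target = parse_delegation(code_hex)
        if target is not None:
            findings.append((account, target, target in flagged))
    return findings


def delegate_share(codes: dict) -> dict:
    """Fraction of all delegations that point at each delegate contract."""
    targets = [t for t in map(parse_delegation, codes.values()) if t]
    counts = Counter(targets)
    return {t: n / len(targets) for t, n in counts.items()} if targets else {}


# Constructed sample data: placeholder addresses, not real on-chain accounts.
SWEEPER = "0x" + "aa" * 20      # stands in for a known sweeper contract
WALLET_IMPL = "0x" + "bb" * 20  # stands in for a legitimate wallet contract
SAMPLE_CODES = {
    "0x" + "01" * 20: "0xef0100" + "aa" * 20,  # delegated to the sweeper
    "0x" + "02" * 20: "0xef0100" + "aa" * 20,  # delegated to the sweeper
    "0x" + "03" * 20: "0xef0100" + "bb" * 20,  # delegated to a wallet contract
    "0x" + "04" * 20: "0x",                     # ordinary account, no code
    "0x" + "05" * 20: "0x6080604052",           # contract bytecode, not a designator
}

if __name__ == "__main__":
    for account, target, bad in audit_accounts(SAMPLE_CODES, {SWEEPER}):
        print(account, "->", target, "FLAGGED" if bad else "ok")
    print(delegate_share(SAMPLE_CODES))
```

Against a live node, the code strings would come from the `eth_getCode` JSON-RPC call for each address being checked.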

How do phishing scams linked to the EIP-7702 arrive?

As detailed on X by Wiimee, a security educator in the cryptocurrency ecosystem, phishing attacks related to EIP-7702 begin when a user accesses a fraudulent website, often through a deceptive link received by email or social networks, which invites them to perform actions such as "mint" or "claim" assets. On clicking, the user connects their wallet, such as MetaMask, and is asked to approve a grouped transaction that combines dangerous permissions: it grants total control over their assets and allows their tokens to be spent.

Once the user confirms that transaction in their wallet, Wiimee continued, the attackers can quickly drain their funds, taking advantage of the ease EIP-7702 offers for executing multiple actions in a single step.

CrimeEnjoyor: An effort without profits for attackers?

Despite what the Wintermute team said earlier, a researcher at that same firm said on X that the CrimeEnjoyor contracts on Ethereum, despite their wide activity, would not have generated economic benefits for the attackers.

According to their analysis, about "2.88 Ether to authorize 79,000 addresses" has been spent, and decompiling the code reveals that stolen funds should be directed to a specific address (0x6f6BD3907428AE93BC58ACA9EC25AE3A80110428), which, as of June 2, 2025, "has not registered any income from Ether."

This pattern of lack of profits is repeated in other similar contracts, suggesting that the vulnerabilities introduced by EIP-7702, although worrying, have not been effective for the exploiters, according to the Wintermute researcher.

However, Scam Sniffer, a platform dedicated to digital asset security, reported that on May 24 a user had almost 150,000 dollars stolen as a result of this same type of phishing, so, according to this analysis, in some cases the attackers would have been able to carry out the theft through the EIP-7702 vulnerability.
