Wintermute Develops Tool to Alert Users of Malicious Ethereum Contracts

Crypto market maker Wintermute has developed a tool that injects on-chain warnings into malicious wallet-draining contracts to alert users. The new tool comes as Ethereum users face a new wallet-draining threat that exploits a feature in the network’s latest upgrade.

On May 30, Wintermute revealed it had developed “CrimeEnjoyor,” a code that injects visible warnings into verified malicious Ethereum contracts. The move targets contracts designed to auto-drain wallets when private keys are compromised. The injected message clearly states that the contract “is used by bad guys to automatically sweep all incoming ETH” and prominently advises users to “NOT SEND ANY ETH.”

The malicious contracts exploit Ethereum Improvement Proposal-7702 (EIP-7702), a feature introduced in the recent Pectra upgrade. EIP-7702 allows wallet owners to temporarily delegate control of their wallets to smart contracts—an opt-in feature meant to expand Ethereum’s capabilities. However, Wintermute’s research team found troubling patterns. According to their analysis, over 97% of EIP-7702 delegations were being used in identical sweeping contracts designed to automatically drain ETH from compromised addresses.

To inject warnings, the team reverse-engineered the contracts’ Ethereum Virtual Machine (EVM) bytecode into readable Solidity code and then publicly verified it. As a result, the modified warning now appears inside most of the malicious contracts. Wintermute hopes that tagging compromised contracts will help surface suspicious activity and better protect the ecosystem.

Ask Aime: Are malicious Ethereum wallets being targeted by a new security feature?

The risks are real. On May 23, one Ethereum user lost $146,550 after unknowingly signing a batch of malicious EIP-7702 transactions. Since Ethereum’s Pectra upgrade went live on May 7, users have executed 12,329 EIP-725 transactions. Pectra also introduced other significant changes: EIP-725 raised the validator staking limit from 32 ETH to 2,048 ETH, and EIP-7691 increased data blob capacity to improve scalability and lower fees on Ethereum layer-2 networks.

Last month, Vitalik Buterin unveiled a new proposal aimed at making it significantly easier for everyday users to run Ethereum nodes, by reducing the hardware and storage requirements currently needed to sync with the network. The Ethereum mastermind suggested a shift in how nodes store and retrieve data, moving from full data replication to a more flexible, user-centric model. Under this approach, nodes would store only the data relevant to the user, rather than Ethereum’s entire global state, which currently exceeds 1.3 terabytes.