THREAT REPORT - WALLET DRAINER

EIP-7702 delegation drainers: one signature, your whole account gone

Ethereum's Pectra upgrade let a normal account temporarily "set code" and act like a smart contract. Within days, drainers turned that into a one-signature theft. Sign a fake "wallet upgrade," and a sweeper bot owns your account. One victim lost $1.54 million in a single transaction.

SafeBrowz Threat Research, Security Research, June 14, 2026, 9 min read

Is an EIP-7702 wallet upgrade safe to sign?

Verdict: never sign a "set code," "delegate," "authorize," or "upgrade your wallet" request from a site you did not seek out yourself. EIP-7702 shipped with Ethereum's Pectra upgrade in May 2025. It lets a regular account (an EOA) delegate its code to a smart contract. Drainers abused it almost immediately. Wintermute reports that roughly 97% of all EIP-7702 mainnet delegations point to the exact same copy-pasted sweeper bytecode, nicknamed CrimeEnjoyor. One signature hands your entire account to that sweeper, which then auto-forwards anything you hold or receive to the attacker. One victim lost $1.54 million in a single delegation transaction (Cryptopolitan). This is not Permit2: Permit2 approves one token spender, EIP-7702 hands over the whole account. A real dApp does not need to delegate your account to a contract you have never heard of. Check your delegations at revoke.cash and read what you are signing on etherscan.io.

What EIP-7702 actually does

EIP-7702 is a real, legitimate Ethereum feature. It went live as part of the Pectra upgrade on May 7, 2025. Before it, an externally owned account (the kind a seed phrase controls) could only send simple transactions. EIP-7702 lets that account temporarily "set code," meaning it can point to a smart contract and behave like one for a transaction or longer.

The intended uses are good. Batch a token approval and a swap into one click. Sponsor someone's gas so they can transact without holding ETH. Let a wallet add session keys or recovery features. Revoke.cash even uses it to let you cancel dozens of token approvals in a single transaction.

The catch is the size of the permission. When you authorize an EIP-7702 delegation, you are not approving one token or one spender. You are telling the network that a contract now speaks for your entire account. If that contract is hostile, it does not need a second signature. It already has everything.

How the CrimeEnjoyor sweeper drains an account

Wintermute, a major crypto market maker, tracks EIP-7702 delegations on a public Dune dashboard. Their finding is stark: the overwhelming majority of delegations on mainnet, around 97%, resolve to one identical chunk of bytecode. The community labeled it CrimeEnjoyor, with near-identical clones tracked as CrimeEnjoyor2 and AdvancedCrimeEnjoyor. It is short, copy-pasted, and redeployed thousands of times.

The logic is brutally simple. Once your account delegates to the sweeper, the contract watches the account. Any ETH that lands, from a refund, a sale, a friend, an exchange withdrawal, is instantly forwarded to the attacker's address. There is no popup, no second confirmation, no chance to react. The account becomes a pass-through pipe to the thief.

Two paths get a victim there. In the first, attackers already have a leaked or phished private key and use EIP-7702 to plant the sweeper so they can scoop every future deposit automatically. In the second, and the one this post is about, the victim is tricked into signing the delegation themselves on a phishing site.

What the phishing page looks like

The delegation request is dressed up as something helpful. The common disguises in 2026:

  • "Upgrade your wallet." A page claims your wallet needs a one-time upgrade to a "smart account" for lower fees or new features. The "upgrade" is the delegation.
  • "Gasless setup" or "enable batch transactions." Framed as a convenience toggle. Sign once, never pay gas again. What you actually sign is a set-code authorization.
  • "Authorize the AI trading assistant." A fake bot or yield product asks you to "authorize" it so it can act on your behalf. It can, completely.
  • A fake swap that batches a hidden delegation. The $1.54M loss came from a page mimicking a familiar DeFi interface. The victim approved what looked like a routine batched swap. Bundled inside were hidden transfers and the malicious authorization.

A domain like uniswap-delegate.com is a real example of this scam class. It impersonates a known DeFi brand on a domain that is not the official one, and it scans as DANGER. So does a fake "wallet upgrade" lookalike like metamask-delegate.com. (Try both in the checker below.) The genuine surfaces are uniswap.org, metamask.io, and the EIP itself at eips.ethereum.org.

LIVE CHECK

Test a suspicious link right now

Got a "wallet upgrade," "delegate," or "authorize" link? Click a red-dotted domain above, or paste your own suspicious URL. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup.

Full scan with deep AI analysis. No URL is logged to your identity.

Why this is different from a Permit2 approval

People who follow crypto security already know to be careful with signatures. The reflex from the last two years is "watch out for Permit2." That reflex is correct, but EIP-7702 is a bigger handover, and treating them as the same understates the danger.

A Permit2 signature approves a spender for specific tokens. A malicious Permit2 signature lets the attacker move the tokens you approved, which is bad, but it is scoped to those tokens. You can revoke the approval. Other assets in the wallet that you never approved stay out of reach of that one signature.

EIP-7702 has no such fence. The delegation does not name a token. It names a contract that now acts as your account. Everything the account can do, the sweeper can do. Future deposits included. That is why the same phishing trick that used to cost a few approved tokens can now cost an entire wallet in one click.

Check exactly what you are signing

An EIP-7702 authorization is not a normal transfer and it does not look like a Permit2 message. Train your eye for these tells before you confirm anything:

  • The word "delegate," "authorize," "set code," or "upgrade." Any of these on a wallet prompt or a page you did not navigate to yourself is a stop sign.
  • A transaction type 0x04 (SetCode). EIP-7702 authorizations ride in this transaction type. If your wallet or the explorer shows a SetCode / type 0x04 authorization you did not intend, reject it.
  • An authorization naming a contract address, not a token. A normal approval names a token and a spender. A delegation names a contract that will become your account. If you cannot say what that contract is, do not sign.
  • "One-time" framing with urgency. "Upgrade now," "enable before your wallet is deprecated," a countdown. Real wallet upgrades happen inside the wallet app, on your schedule, never on a random website.

The honest rule is the simplest one: a legitimate dApp does not need to delegate your whole account to a contract you have never heard of. Swaps, mints, and approvals do not require it. If a site insists on a delegation to "continue," close the tab.
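The four tells above amount to a short checklist that a wallet, or a cautious user reading a decoded request, can apply before anything is signed. The following Python is an added illustration written for this post; it is not SafeBrowz's engine or any wallet's code. The request dictionary shape, the "trusted implementation" address, and the sample requests are all constructed placeholders. The only protocol facts it relies on are that EIP-7702 authorizations travel in transaction type 0x04, that each authorization names a contract address plus a chain id and nonce, that chain id 0 makes an authorization valid on any chain, and that delegating to the zero address clears the account's code.

```python
"""Pre-signature screen for an EIP-7702 SetCode (type 0x04) request.

Added example for illustration; not SafeBrowz's or any wallet's code.
"""

SET_CODE_TX_TYPE = 0x04
ZERO_ADDRESS = "0x" + "00" * 20
MAINNET_CHAIN_ID = 1

# Constructed placeholder: the address a wallet vendor would publish for its
# own smart-account implementation. Not a real deployment.
TRUSTED_DELEGATION_TARGETS = {"0x" + "11" * 20}

# The only user intents for which a type 0x04 transaction is expected at all.
DELEGATION_ACTIONS = {"wallet-upgrade", "revoke"}


def screen_set_code_tx(tx: dict, expected_action: str,
                       expected_chain_id: int = MAINNET_CHAIN_ID,
                       trusted: set = TRUSTED_DELEGATION_TARGETS) -> list:
    """Return the reasons to reject `tx`; an empty list means no EIP-7702 red flag.

    `tx` is a decoded request in a constructed shape:
        {"type": int, "authorizationList": [{"chainId": int, "address": str, "nonce": int}, ...]}
    `expected_action` is what the user believes they are doing
    ("swap", "mint", "approve", "wallet-upgrade", "revoke").
    """
    reasons = []
    if tx.get("type") != SET_CODE_TX_TYPE:
        return reasons  # not a delegation; ordinary approval/transfer checks apply instead

    # Tell 4 on the page: a swap, mint or approval never needs to change what the account is.
    if expected_action not in DELEGATION_ACTIONS:
        reasons.append(f"a {expected_action} does not need to change what your account is, "
                       "but this is a SetCode (type 0x04) transaction")

    auths = tx.get("authorizationList") or []
    if not auths:
        reasons.append("type 0x04 transaction carries no authorization at all")

    for i, auth in enumerate(auths):
        target = auth["address"].lower()
        if target == ZERO_ADDRESS:
            continue  # delegating to 0x0 clears the code: that is the revoke, not a grant
        # Tell 3: the authorization names a contract, so the contract must be one you can name.
        if target not in trusted:
            reasons.append(f"authorization {i}: hands the account to unrecognised contract {target}")
        if auth["chainId"] == 0:
            reasons.append(f"authorization {i}: chainId 0 makes it valid on every chain")
        elif auth["chainId"] != expected_chain_id:
            reasons.append(f"authorization {i}: signed for chain {auth['chainId']}, "
                           f"not {expected_chain_id}")
    return reasons


# Constructed sample requests (addresses are placeholders).
PHISHING_SWAP = {  # "routine swap" that bundles a hidden, any-chain delegation
    "type": SET_CODE_TX_TYPE,
    "authorizationList": [{"chainId": 0, "address": "0x" + "aa" * 20, "nonce": 7}],
}
GENUINE_UPGRADE = {  # delegation to the vendor's published implementation
    "type": SET_CODE_TX_TYPE,
    "authorizationList": [{"chainId": 1, "address": "0x" + "11" * 20, "nonce": 7}],
}
REVOKE = {  # re-delegation to the zero address resets the code
    "type": SET_CODE_TX_TYPE,
    "authorizationList": [{"chainId": 1, "address": ZERO_ADDRESS, "nonce": 8}],
}
PLAIN_TRANSFER = {"type": 0x02, "to": "0x" + "22" * 20, "value": 10**18}

if __name__ == "__main__":
    for name, tx, action in [("phishing swap", PHISHING_SWAP, "swap"),
                             ("genuine upgrade", GENUINE_UPGRADE, "wallet-upgrade"),
                             ("revoke", REVOKE, "revoke"),
                             ("plain transfer", PLAIN_TRANSFER, "transfer")]:
        flags = screen_set_code_tx(tx, action)
        print(f"{name}: {'REJECT' if flags else 'ok'}")
        for reason in flags:
            print("  -", reason)
```

The interesting case is `GENUINE_UPGRADE` screened with `expected_action="swap"`: the target is on the allowlist, yet the screen still returns one reason, because a swap has no business arriving as a type 0x04 transaction. That is the "fake swap that batches a hidden delegation" pattern from the list above, caught by intent rather than by address.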

How to check and revoke a delegation you already signed

Move fast, and check before you panic.

Inspect your delegations. Open revoke.cash and go to the delegations tab on your account page. It shows whether your account currently delegates to a contract and which one. You can also read your account's recent transactions on etherscan.io and look for a SetCode (type 0x04) authorization you did not make.

Revoke it. Restoring your account to normal means sending an EIP-7702 transaction that re-delegates to the zero address, which resets the code. Most wallets handle this inside the wallet rather than from an external dApp, so do it from your wallet's own interface, and check your wallet provider's official guidance. Until the delegation is cleared, treat every future deposit to that account as exposed.

If your funds already moved, or you suspect the key itself is compromised, move everything to a fresh wallet. A sweeper auto-forwards new deposits, so a delegated account is not safe to keep using even after a revoke if you are unsure. Generate a brand-new seed on a clean device and migrate what is left. Our wallet-drained recovery guide has the full 24-hour and 7-day checklist. Be wary of anyone promising guaranteed "fund recovery" for a fee; that is a second scam stacked on the first.

If you are in the US, report the scam site and the theft to FBI IC3. Reports rarely recover moved crypto, but they speed up takedowns of the phishing domains.
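The inspect and revoke steps above can also be done, or double-checked, without a dashboard: under EIP-7702 a delegated account's code, as returned by `eth_getCode`, is exactly the 23-byte designator `0xef0100` followed by the 20-byte address of the contract it delegates to, and after a re-delegation to the zero address the code is empty again. The Python below is an added example for this post, not SafeBrowz's, revoke.cash's, or any wallet's code; the sweeper and "trusted implementation" addresses are constructed placeholders (the real CrimeEnjoyor address is not given on this page), and the sample code bytes are built inline rather than fetched.

```python
"""Classify what eth_getCode returns for an account under EIP-7702.

Added example for illustration; addresses are constructed placeholders.
"""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator prefix
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed placeholders, not real deployments.
TRUSTED_IMPLEMENTATIONS = {"0x" + "11" * 20}  # e.g. a wallet vendor's published smart account
SAMPLE_SWEEPER = "0x" + "aa" * 20              # stands in for an attacker's sweeper contract


def classify_code(code_hex: str) -> dict:
    """Classify a raw eth_getCode result: plain EOA, EIP-7702 delegation, or full contract."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if not code:
        return {"kind": "eoa", "target": None}
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return {"kind": "delegated", "target": "0x" + code[3:].hex()}
    return {"kind": "contract", "target": None}


def apply_delegation(target: str) -> str:
    """Code the account carries after an authorization naming `target` is processed.

    Delegating to the zero address resets the code to empty, which is what the
    revoke step does.
    """
    if target.lower() == ZERO_ADDRESS:
        return "0x"
    return "0x" + DELEGATION_PREFIX.hex() + target.lower()[2:]


def audit_account(code_hex: str, trusted: set = TRUSTED_IMPLEMENTATIONS) -> str:
    """One-line verdict for an account's current code."""
    info = classify_code(code_hex)
    if info["kind"] == "eoa":
        return "clean: no code, no delegation"
    if info["kind"] == "contract":
        return "not an EOA: this address holds deployed contract code"
    if info["target"] in trusted:
        return f"delegated to recognised implementation {info['target']}"
    return (f"EXPOSED: delegated to unrecognised contract {info['target']}; "
            "revoke it and stop sending deposits here")


# Constructed scenario: the victim signs the phishing delegation, then revokes.
CODE_AFTER_PHISH = apply_delegation(SAMPLE_SWEEPER)
CODE_AFTER_REVOKE = apply_delegation(ZERO_ADDRESS)

if __name__ == "__main__":
    for label, code in [("fresh account", "0x"),
                        ("after phishing delegation", CODE_AFTER_PHISH),
                        ("after revoke", CODE_AFTER_REVOKE),
                        ("genuine upgrade", apply_delegation("0x" + "11" * 20))]:
        print(f"{label}: {code[:12]}... -> {audit_account(code)}")
```

In practice the `code_hex` argument is whatever your node returns for `eth_getCode` on your own address (for example `w3.eth.get_code(addr).hex()` in web3.py); everything else in the block runs offline. A result that starts with `0xef0100` and ends in an address you cannot name is the on-chain form of the "SetCode authorization you did not make" the post tells you to look for on etherscan.io.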

Why the same trick keeps working

EIP-7702 is new, and "smart account upgrade" sounds like a real thing because it is a real thing. That gap between a genuine feature and a familiar-sounding lie is exactly what drainers exploit. The phishing operations behind this are not amateurs: drainer-as-a-service crews like Lucifer, and the affiliates that scattered after Pink Drainer shut down, industrialized signature phishing long before Pectra and bolted EIP-7702 onto the same playbook within days.

They also buy attention. The $400K Uniswap Google Ads drainer showed how a top search ad can put a lookalike DeFi site above the real one. Swap the payload from a Permit2 trap to an EIP-7702 delegation and the same ad sends victims to a worse outcome. The defensive habit that matters does not change: reach DeFi sites from a bookmark, not from an ad, a DM, or a search result, and read every signature.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The key idea for this scam is that we flag the phishing page that hosts the delegation request, before your wallet ever pops the signature. The block happens at the website, not inside the transaction.

  • Layer 1 - Local detection: 60+ URL patterns and a 550+ brand database run in the browser before the page renders. A fake "wallet upgrade" page trips several signals at once: a DeFi or wallet brand keyword (Uniswap, MetaMask, and others) sitting on a domain that is not the official one, a connect-wallet plus "upgrade / delegate / authorize" prompt, and lookalike or newly registered hosts. A domain like uniswap-delegate.com is flagged red outright.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists server-side. Fresh delegation-phishing domains surface on these feeds within hours of going live, and a brand-new domain with no history is itself a weighted signal.
  • Layer 3 - AI deep scan (Premium): AI content analysis (via our proxy, 100+ languages) catches novel variants no blocklist has yet. It reads the page's intent (a fake "smart account upgrade," a "gasless setup" toggle, a brand-on-wrong-domain mismatch, and, server-side, an obfuscated drainer script bundle) and returns a danger verdict in seconds instead of believing the page's reassuring "one-time upgrade" copy.
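To make the Layer 1 signals concrete, here is a deliberately small URL heuristic in Python that scores the same three things the local layer describes: a known brand on a non-official host, a lookalike of an official host, and a "delegate / authorize / upgrade" lure word in the host or path. It is an added, simplified example written for this post and is not the SafeBrowz engine; the allowlist holds only the official domains named on this page (uniswap.org, metamask.io), the scoring weights are chosen for illustration, and domain age, which the real layer also uses, is omitted because it cannot be checked offline.

```python
"""Tiny local URL heuristic for delegation-phishing lures.

Added, simplified example for illustration; not the SafeBrowz engine.
"""
from urllib.parse import urlparse

# Constructed allowlist: official domains the post names, keyed by brand keyword.
OFFICIAL_DOMAINS = {
    "uniswap": {"uniswap.org"},
    "metamask": {"metamask.io"},
}
# Lure words that mark a "wallet upgrade" / delegation page when seen in host or path.
DELEGATION_WORDS = ("delegate", "authorize", "authorise", "upgrade",
                    "setcode", "set-code", "gasless")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike hosts one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_url(url: str):
    """Return (lower-cased host, lower-cased path); bare domains are accepted too."""
    if "://" not in url:
        url = "https://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower().rstrip("."), parsed.path.lower()


def is_official(host: str, official: set) -> bool:
    return any(host == o or host.endswith("." + o) for o in official)


def check_url(url: str) -> dict:
    """Score a URL; returns {'host', 'verdict', 'signals'} with verdict OK/CAUTION/DANGER."""
    host, path = split_url(url)
    signals, score = [], 0
    for brand, official in OFFICIAL_DOMAINS.items():
        # Signal 1: brand keyword sitting on a domain that is not the official one.
        if brand in host and not is_official(host, official):
            signals.append(f"brand '{brand}' on non-official host {host}")
            score += 2
        # Signal 2: host is a near-miss of an official domain (typosquat).
        for o in official:
            if host != o and not host.endswith("." + o) and levenshtein(host, o) <= 2:
                signals.append(f"lookalike of {o}")
                score += 2
    # Signal 3: delegation lure wording in the host or the path.
    if any(w in host for w in DELEGATION_WORDS):
        signals.append("delegation lure word in host")
        score += 1
    if any(w in path for w in DELEGATION_WORDS):
        signals.append("delegation lure word in path")
        score += 1
    verdict = "DANGER" if score >= 2 else "CAUTION" if score else "OK"
    return {"host": host, "verdict": verdict, "signals": signals}


if __name__ == "__main__":
    for u in ["uniswap-delegate.com", "metamask-delegate.com", "unlswap.org",
              "https://app.uniswap.org/swap", "https://metamask.io",
              "example.com/wallet-upgrade"]:
        r = check_url(u)
        print(f"{r['verdict']:8} {r['host']}  {r['signals']}")
```

Both example domains from the post, uniswap-delegate.com and metamask-delegate.com, score DANGER on two independent signals (brand on the wrong domain, lure word in the host), which is the "trips several signals at once" behaviour Layer 1 describes, while app.uniswap.org and metamask.io pass because the subdomain check anchors on the registrable official domain rather than on the keyword alone.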

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Block fake "wallet upgrade" delegation sites before you sign

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge, with Safari pending. It flags fake "upgrade your wallet," "delegate," and "authorize" pages that host EIP-7702 delegation traps, before your wallet can pop a signature. The local layer covers 550+ brands. AI deep scan (Premium, $14.99/year) catches new delegation-phishing domains the same day they appear, even when no blocklist has them yet.


Frequently asked questions

What is the EIP-7702 scam?

EIP-7702 is a legitimate Ethereum feature, shipped in the Pectra upgrade in May 2025, that lets a normal account delegate its code to a smart contract. The scam tricks you into signing one EIP-7702 delegation, disguised as a "wallet upgrade," a "gasless setup," or an "authorize the AI assistant" prompt, that hands your entire account to an attacker-controlled sweeper contract. Wintermute reports that roughly 97% of EIP-7702 mainnet delegations point to the same copy-pasted sweeper, nicknamed CrimeEnjoyor, which auto-forwards any funds in, or arriving at, the account straight to the thief.

What is CrimeEnjoyor?

CrimeEnjoyor is the community nickname for the single most-reused malicious sweeper contract abusing EIP-7702. Wintermute identified it on their public Dune dashboard: roughly 97% of EIP-7702 delegations on Ethereum mainnet resolve to this one copy-pasted bytecode, redeployed thousands of times, with near-identical clones tracked as CrimeEnjoyor2 and AdvancedCrimeEnjoyor. Once your account delegates to it, the contract instantly forwards any ETH that lands in the account to the attacker, with no further confirmation needed.

How is EIP-7702 different from a Permit2 signature attack?

A Permit2 signature approves a spender for specific tokens, so a malicious Permit2 signature is scoped to the tokens you approved, and you can revoke that approval. An EIP-7702 delegation is far broader: it does not name a token, it names a contract that becomes your whole account. Everything the account can do, the delegated sweeper can do, including draining future deposits. Permit2 risks specific tokens; EIP-7702 risks the entire account in one signature.

How do I check if my wallet has a malicious EIP-7702 delegation?

Open revoke.cash and go to the delegations tab on your account page, which shows whether your account currently delegates to a contract and which one. You can also open your account on etherscan.io and look for a SetCode authorization (transaction type 0x04) you did not make. If you find a delegation you do not recognize, revoke it, and treat any future deposits to that account as exposed until it is cleared.

How do I revoke an EIP-7702 delegation?

Restoring your account to normal means sending an EIP-7702 transaction that re-delegates to the zero address, which resets the code. Most wallets handle this from inside the wallet app rather than from an external dApp, so do it through your wallet's own interface and follow your wallet provider's official guidance. If you suspect your private key itself was phished or your funds already moved, do not keep using the account: generate a brand-new seed on a clean device and move everything to a fresh wallet.

Will a real dApp ever ask me to delegate or upgrade my whole account?

A legitimate dApp does not need to delegate your entire account to a contract you have never heard of in order to do a swap, a mint, or a token approval. Genuine smart-account upgrades happen inside your wallet app, on your schedule, not on a random website with urgency framing. Any site that asks you to "set code," "delegate," "authorize," or "upgrade your wallet" to continue should be treated as a drainer. Read every signature, and paste any suspicious URL into the SafeBrowz checker on this page before you sign.

Last updated 2026-06-14
