The CrimeEnjoyor Epidemic: How EIP-7702 Delegation Phishing Drained 450K+ Wallets — And How to Detect It On-Chain

via Dev.to (ohmygod)

Ethereum's Pectra upgrade brought EIP-7702 — a game-changer for account abstraction that lets externally owned accounts (EOAs) temporarily delegate execution to smart contracts. Better UX, batched transactions, gas sponsorship. One problem: over 97% of EIP-7702 delegations in the wild pointed to malicious sweeper contracts. The biggest family? A contract dubbed CrimeEnjoyor by Wintermute.

This article breaks down the attack mechanics, explains why traditional phishing defenses fail against delegation-based attacks, and provides concrete detection patterns for defenders.

What Changed With EIP-7702

Before Pectra, EOAs were simple: one private key, one signer, direct transaction execution. Smart contract wallets (ERC-4337) offered programmability but required deploying a new contract and migrating assets. EIP-7702 introduced type 0x04 transactions with an authorization tuple:

authorization = (chain_id, address, nonce, y_parity, r, s)

When signed, this tuple tells the network: "For
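
The following Python is an added example, not code from the article: it recognizes an EIP-7702 delegation in an account's eth_getCode result (the 0xef0100 || address delegation indicator defined by the EIP) and reviews an authorization tuple using the field names shown above. The function names are hypothetical, and the watchlist entry and sample values are constructed placeholders.

```python
# Added example: hypothetical names, constructed values; not the article's code.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator prefix

# Constructed placeholder standing in for a real feed of known sweeper contracts.
WATCHLIST = {"0x" + "bb" * 20}


def delegate_of(code_hex):
    """Return the delegate address if code_hex (an eth_getCode result) is an
    EIP-7702 delegation indicator, else None (plain EOA or ordinary contract)."""
    h = code_hex.lower()
    raw = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    # The indicator is exactly 3 prefix bytes followed by a 20-byte address.
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None


def triage_account(code_hex, watchlist=WATCHLIST):
    """Classify an account as 'eoa', 'contract', 'delegated' or
    'delegated-watchlisted' from its on-chain code."""
    if code_hex in ("", "0x"):
        return "eoa"
    delegate = delegate_of(code_hex)
    if delegate is None:
        return "contract"
    return "delegated-watchlisted" if delegate in watchlist else "delegated"


def review_authorization(auth, watchlist=WATCHLIST):
    """Return findings for one authorization tuple, passed as a dict keyed by
    the tuple's field names (chain_id, address, nonce, y_parity, r, s)."""
    findings = []
    if auth["address"].lower() in watchlist:
        findings.append("delegate on watchlist")
    if auth["chain_id"] == 0:
        # Per EIP-7702, chain_id 0 makes the authorization valid on any chain.
        findings.append("chain_id 0: valid on every chain")
    return findings


if __name__ == "__main__":
    # Constructed sample: an account whose code delegates to the watchlisted address.
    print(triage_account("0xef0100" + "bb" * 20))
    sample = {"chain_id": 0, "address": "0x" + "BB" * 20, "nonce": 7,
              "y_parity": 1, "r": "0x01", "s": "0x02"}  # constructed tuple
    print(review_authorization(sample))
```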
