
Briefing

A sophisticated phishing attack successfully compromised an unidentified investor’s 2-of-4 Safe multi-signature wallet, resulting in the unauthorized transfer of assets. The primary consequence involved the draining of over $3 million in USDC, which the attacker rapidly converted to Ethereum and routed through Tornado Cash. This incident highlights a critical vulnerability in user transaction verification processes and the evolving tactics of threat actors. The total financial impact of the exploit stands at $3.047 million in USDC.


Context

Before this incident, the digital asset landscape already faced persistent phishing threats targeting user approvals and wallet permissions. The main attack surface is the set of interfaces where users authorize transactions, which leaves them susceptible to social engineering and malicious contract interactions. A known class of attack involves deploying seemingly legitimate, Etherscan-verified contracts that masquerade as trusted entities, a tactic this exploit used.


Analysis

The attack began with the attacker deploying a fake, Etherscan-verified contract weeks in advance, programmed with deceptive “batch payment” functions. The compromised system was the victim’s multi-signature wallet, and the compromise was facilitated through the Request Finance app interface. The attacker crafted the fraudulent contract’s address to mirror the legitimate recipient’s address, with identical first and last characters.

This enabled the malicious approval to be disguised within the Safe Multi Send mechanism, appearing as a routine authorization. The chain of cause and effect shows the attacker’s strategic preparation, exploiting the victim’s trust and the complexity of transaction details to gain unauthorized control over funds.


Parameters

  • Protocol/Wallet Targeted ∞ Unidentified investor’s 2-of-4 Safe multi-signature wallet
  • Vulnerability Type ∞ Sophisticated Phishing, Malicious Contract Approval
  • Financial Impact ∞ $3.047 Million USDC
  • Blockchain Affected ∞ Ethereum
  • Attack Vector Detail ∞ Fake Etherscan-verified contract mimicking legitimate address, exploiting Safe Multi Send mechanism
  • On-Chain Forensics ∞ Funds swapped to Ethereum and routed to Tornado Cash
  • Initial Flagging ∞ ZachXBT on September 11, 2025
  • App Interface Exploited ∞ Request Finance app


Outlook

Immediate mitigation steps for users involve heightened scrutiny of all transaction approval requests, particularly when interacting with multi-send mechanisms. Users must verify the full contract address and not solely rely on partial matching. This incident will likely establish new security best practices emphasizing enhanced client-side validation and improved user interface transparency for complex transaction types. The contagion risk extends to any protocol or user relying on similar multi-send or batch transaction functionalities without robust, explicit authorization checks.
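The full-address check described above, as an added example that is not from the original article, Safe, or Request Finance: it decodes a Safe MultiSend payload, finds every ERC-20 `approve` call, compares the complete spender address against an allowlist, and reports when an unknown spender copies the first and last characters of a trusted one. The packed entry layout follows Safe's MultiSend contract; the function names and every address are hypothetical, constructed sample values.

```python
# Added example, not from the article; every address below is a constructed sample value.
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def decode_multisend(packed):
    """Split MultiSend's packed bytes into (operation, to, value, data) entries.
    Entry layout: 1-byte operation, 20-byte to, 32-byte value, 32-byte data length, data."""
    entries, i = [], 0
    while i < len(packed):
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        end = i + 85 + dlen
        if len(packed) - i < 85 or end > len(packed):
            raise ValueError("truncated MultiSend entry")
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        entries.append((packed[i], to, value, packed[i + 85:end]))
        i = end
    return entries

def imitates(addr, allow, n=4):
    """Return the allowlisted address whose first and last n hex chars addr copies, else None."""
    for t in allow:
        if t != addr and t[2:2 + n] == addr[2:2 + n] and t[-n:] == addr[-n:]:
            return t
    return None

def audit(packed, trusted):
    """Flag every approve() in the batch whose full 20-byte spender is not allowlisted."""
    allow = sorted(t.lower() for t in trusted)
    findings = []
    for idx, (_op, token, _value, data) in enumerate(decode_multisend(packed)):
        if data[:4] != APPROVE or len(data) < 68:
            continue
        spender = "0x" + data[16:36].hex()  # address is right-aligned in the first 32-byte word
        if spender not in allow:
            findings.append({"index": idx, "token": token, "spender": spender,
                             "amount": int.from_bytes(data[36:68], "big"),
                             "imitates": imitates(spender, allow)})
    return findings

def pack(to, data, op=0, value=0):  # demo helper: build one packed MultiSend entry
    return (bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)
def approve_call(spender, amount):  # demo helper: build approve() calldata
    return APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

TOKEN = "0x" + "aa" * 20                   # constructed token contract address
TRUSTED = "0x3e5c" + "11" * 16 + "a91b"    # constructed legitimate spender
LOOKALIKE = "0x3e5c" + "22" * 16 + "a91b"  # constructed, same first and last 4 chars
BATCH = pack(TOKEN, approve_call(TRUSTED, 1000)) + pack(TOKEN, approve_call(LOOKALIKE, 2**256 - 1))
```

Calling `audit(BATCH, {TRUSTED})` returns a single finding for the second entry: an unlimited approval to a spender that is not allowlisted and that imitates the trusted address.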


Verdict

This incident underscores the critical necessity for advanced user education and robust protocol-level safeguards against increasingly sophisticated social engineering and contract impersonation tactics.

Signal Acquired from ∞ cryptoslate.com