Briefing

A sophisticated phishing attack successfully compromised a 2-of-4 Safe multi-signature wallet, resulting in the theft of $3.047 million in USDC. The attacker exploited the Safe Multi Send mechanism by disguising a malicious approval within what appeared to be a routine transaction. This incident highlights the critical vulnerability of even robust security setups to refined social engineering tactics.

Context

The prevailing attack surface for high-value digital assets includes sophisticated social engineering and contract impersonation. Multi-signature wallets offer enhanced security by requiring multiple approvals for each transaction. Even so, these systems remain susceptible to meticulously crafted phishing attempts that exploit user trust and interface vulnerabilities.

Analysis

The attacker deployed a fake, Etherscan-verified contract weeks prior, embedding it with legitimate-looking batch payment functions. The exploit unfolded through two consecutive transactions via the Request Finance app interface. The victim unknowingly approved transfers to an address that mimicked the intended recipient: the attacker had crafted the fraudulent contract's address so that its first and last characters matched those of the legitimate one.

This subtle impersonation bypassed user scrutiny, allowing the malicious approval to execute under the guise of a standard operation. The illicitly acquired funds were subsequently funneled into Tornado Cash.

Parameters

  • Targeted Asset ∞ $3.047 Million USDC
  • Exploited System ∞ 2-of-4 Safe Multi-signature Wallet
  • Attack Vector ∞ Sophisticated Phishing, Contract Spoofing, Disguised Approval
  • Facilitating Mechanism ∞ Safe Multi Send
  • Blockchain Affected ∞ Ethereum
  • Attacker Funds Destination ∞ Tornado Cash
  • Initial Detection ∞ ZachXBT (September 11, 2025)
  • Compromised Interface ∞ Request Finance App

Outlook

Users of multi-signature wallets must implement heightened scrutiny of all transaction approval requests, verifying contract addresses independently. Protocols should enhance their front-end security to detect and flag suspicious contract interactions, even those with verified statuses. This incident establishes a new benchmark for advanced phishing tactics, necessitating improved user education and robust pre-transaction verification tools across the ecosystem.
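As an added illustration of the pre-transaction verification described above (this is not code from the original report, Safe, or Request Finance), the sketch below decodes the packed batch passed to Safe's `multiSend(bytes)` and reports every ERC-20 `approve` whose spender is not on a signer-maintained allowlist, noting when it shares its first and last characters with a trusted address. The function names, the 4-character comparison window, and all addresses are assumptions constructed for the example.

```python
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def decode_multisend(blob: bytes) -> list[dict]:
    """Split Safe multiSend's packed bytes: operation(1) | to(20) | value(32) | dataLength(32) | data."""
    calls, i = [], 0
    while i < len(blob):
        if len(blob) - i < 85:
            raise ValueError("truncated entry header")
        n = int.from_bytes(blob[i + 53:i + 85], "big")
        data = blob[i + 85:i + 85 + n]
        if len(data) != n:
            raise ValueError("truncated calldata")
        calls.append({"operation": blob[i], "to": "0x" + blob[i + 1:i + 21].hex(),
                      "value": int.from_bytes(blob[i + 21:i + 53], "big"), "data": data})
        i += 85 + n
    return calls

def looks_like(a: str, b: str, k: int = 4) -> bool:
    """Different addresses whose first and last k hex characters match."""
    a, b = a.lower()[2:], b.lower()[2:]
    return a != b and a[:k] == b[:k] and a[-k:] == b[-k:]

def review_batch(blob: bytes, trusted: list[str], k: int = 4) -> list[tuple]:
    """Report every approve() in the batch whose spender is not a trusted address."""
    known = sorted(t.lower() for t in trusted)
    findings = []
    for idx, call in enumerate(decode_multisend(blob)):
        d = call["data"]
        if d[:4] != APPROVE or len(d) < 68:
            continue
        spender = "0x" + d[16:36].hex()  # low 20 bytes of the first 32-byte argument
        if spender not in known:
            twin = next((t for t in known if looks_like(spender, t, k)), None)
            findings.append((idx, spender, f"lookalike of {twin}" if twin else "unknown spender"))
    return findings

# --- constructed sample batch (all addresses are made up for this example) ---
def _entry(to: str, data: bytes) -> bytes:
    return b"\x00" + bytes.fromhex(to[2:]) + bytes(32) + len(data).to_bytes(32, "big") + data

def _approve(spender: str, amount: int) -> bytes:
    return APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

TOKEN = "0x" + "11" * 20
TRUSTED = "0xabcd" + "00" * 16 + "ef01"   # the spender the signers expect
SPOOFED = "0xabcd" + "77" * 16 + "ef01"   # same first/last 4 hex chars, different middle
SAMPLE = _entry(TOKEN, _approve(TRUSTED, 1000)) + _entry(TOKEN, _approve(SPOOFED, 2**256 - 1))

if __name__ == "__main__":
    print(review_batch(SAMPLE, [TRUSTED]))
```

Comparing the full 20-byte spender against the allowlist is what catches the spoof; the lookalike label only explains to the signer why a truncated address display would have appeared correct.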

Verdict

This exploit serves as a critical reminder that human vigilance remains the final frontier against advanced social engineering, even with multi-layered technical security controls.

Signal Acquired from ∞ cryptoslate.com

Glossary

phishing

Definition ∞ Phishing, in the digital asset space, involves deceptive practices aimed at tricking individuals into divulging sensitive information, such as private keys or login credentials, typically through fraudulent communications.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.
