Briefing

A sophisticated phishing attack successfully compromised a 2-of-4 Safe multi-signature wallet, resulting in the theft of $3.047 million in USDC. The attacker exploited the Safe Multi Send mechanism by disguising a malicious approval within what appeared to be a routine transaction. This incident highlights the critical vulnerability of even robust security setups to refined social engineering tactics.

Context

The prevailing attack surface for high-value digital assets includes sophisticated social engineering and contract impersonation. Multi-signature wallets offer enhanced security by requiring multiple approvals for each transaction, but they remain susceptible to meticulously crafted phishing attempts that exploit user trust and interface vulnerabilities.

Analysis

The attacker deployed a fake, Etherscan-verified contract weeks prior, embedding it with legitimate-looking batch payment functions. The exploit unfolded through two consecutive transactions via the Request Finance app interface. The victim unknowingly approved transfers to an address that mimicked the intended recipient: the attacker had crafted the fraudulent contract's address to match the first and last characters of the legitimate one.

This subtle impersonation bypassed user scrutiny, allowing the malicious approval to execute under the guise of a standard operation. The illicitly acquired funds were subsequently funneled into Tornado Cash.

Parameters

  • Targeted Asset → $3.047 Million USDC
  • Exploited System → 2-of-4 Safe Multi-signature Wallet
  • Attack Vector → Sophisticated Phishing, Contract Spoofing, Disguised Approval
  • Facilitating Mechanism → Safe Multi Send
  • Blockchain Affected → Ethereum
  • Attacker Funds Destination → Tornado Cash
  • Initial Detection → ZachXBT (September 11, 2025)
  • Compromised Interface → Request Finance App

Outlook

Users of multi-signature wallets must implement heightened scrutiny of all transaction approval requests, verifying contract addresses independently. Protocols should enhance their front-end security to detect and flag suspicious contract interactions, even those with verified statuses. This incident establishes a new benchmark for advanced phishing tactics, necessitating improved user education and robust pre-transaction verification tools across the ecosystem.
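
A pre-signing check of the kind recommended above, as an added example (not code from Safe, Request Finance, or the source article): it unpacks a Safe MultiSend batch and flags any approval whose spender is not allowlisted, noting when that spender shares its first and last characters with a trusted address. It assumes the hidden approval is a standard ERC-20 approve(address,uint256) call and that the input is the packed bytes argument passed to MultiSend; all addresses and helper names are constructed for the example.

```python
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def parse_multisend(packed: bytes):
    """Split MultiSend packed bytes into (operation, to, value, data) tuples."""
    txs, i = [], 0
    while i < len(packed):
        # Entry layout: 1-byte operation, 20-byte to, 32-byte value, 32-byte length, data
        op = packed[i]
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        size = int.from_bytes(packed[i + 53:i + 85], "big")
        if i + 85 + size > len(packed):
            raise ValueError("truncated MultiSend entry")
        txs.append((op, to, value, packed[i + 85:i + 85 + size]))
        i += 85 + size
    return txs

def lookalike_of(addr, trusted, n=4):
    """Return the trusted address that addr imitates (same first/last n hex chars)."""
    a = addr.lower()[2:]
    for t in trusted:
        h = t.lower()[2:]
        if a != h and a[:n] == h[:n] and a[-n:] == h[-n:]:
            return t
    return None

def review_batch(packed, trusted):
    """List every approve() in the batch whose spender is not allowlisted."""
    allow = {t.lower() for t in trusted}
    findings = []
    for idx, (_op, to, _value, data) in enumerate(parse_multisend(packed)):
        if data[:4] == APPROVE and len(data) >= 68:
            spender = "0x" + data[16:36].hex()  # low 20 bytes of the first ABI word
            if spender not in allow:
                findings.append({"index": idx, "token": to, "spender": spender,
                                 "amount": int.from_bytes(data[36:68], "big"),
                                 "imitates": lookalike_of(spender, trusted)})
    return findings

def encode(to, data, op=0, value=0):
    """Build one packed entry; used only to construct the sample batch below."""
    return (bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)

# Constructed sample: every address here is made up for the example.
TRUSTED = ["0x" + "ab12" + "0" * 32 + "cd34"]   # allowlisted payment contract
FAKE = "0x" + "ab12" + "f" * 32 + "cd34"        # same first/last four characters
TOKEN = "0x" + "11" * 20
approve = APPROVE + bytes(12) + bytes.fromhex(FAKE[2:]) + (2**256 - 1).to_bytes(32, "big")
SAMPLE = encode(TRUSTED[0], b"") + encode(TOKEN, approve)
```

Comparing the full 40-character address against the allowlist is what catches the spoof; a truncated display of the two addresses above would look identical.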

Verdict

This exploit serves as a critical reminder that human vigilance remains the final frontier against advanced social engineering, even with multi-layered technical security controls.

Signal Acquired from → cryptoslate.com
