Briefing

An advanced phishing campaign successfully targeted a 2-of-4 Safe multi-signature wallet, orchestrating the unauthorized transfer of digital assets. The attacker exploited the Safe Multi Send mechanism, employing a meticulously crafted, fake Etherscan-verified contract to obscure a malicious approval within a seemingly routine transaction. This intricate social engineering attack resulted in the exfiltration of $3.047 million in USDC, which the perpetrator subsequently routed through Tornado Cash to obfuscate the funds’ origin.

Context

Prior to this incident, the prevailing threat landscape included increasing sophistication in phishing attacks, often targeting user approvals and leveraging trust in verified on-chain entities. The inherent complexity of multi-signature wallet interactions and the reliance on visual inspection for contract addresses created a fertile attack surface. Attackers frequently exploited the difficulty users face in discerning legitimate contract interactions from malicious ones, particularly when complex transaction bundles are involved.

Analysis

The incident’s technical mechanics involved the attacker deploying a counterfeit contract weeks in advance, programmed with legitimate-looking batch payment functions and achieving Etherscan verification. The core system compromised was the user’s trust and the Safe Multi Send mechanism’s ability to bundle transactions, which the attacker leveraged to disguise a critical malicious approval. The attacker initiated two consecutive transactions where the victim approved transfers to an address designed to mimic a legitimate recipient, mirroring its first and last characters. This deceptive contract, combined with the Request Finance app interface for execution, allowed the malicious approval to execute under the guise of a standard operation, thereby circumventing the victim’s scrutiny and enabling the asset drain.

Parameters

  • Exploited Protocol/Wallet → 2-of-4 Safe Multi-signature Wallet
  • Attack Vector → Sophisticated Phishing via Malicious Contract Mimicry and Safe Multi Send
  • Financial Impact → $3.047 Million USDC
  • Blockchain Affected → Ethereum
  • Key Forensic Detail → Funds bridged to Ethereum, then laundered via Tornado Cash
  • Initial Detection → ZachXBT on September 11, 2025
  • Exploit Mechanism → Fake Etherscan-verified contract with mirrored address characters

Outlook

Immediate mitigation steps for users include rigorous verification of all transaction details, even within seemingly legitimate interfaces, and a heightened awareness of contract address spoofing. This incident underscores the urgent need for enhanced wallet security features that provide clearer, human-readable breakdowns of complex transaction approvals. The broader ecosystem faces a contagion risk if similar sophisticated phishing techniques are not robustly countered, potentially leading to new security best practices centered on advanced transaction simulation and pre-signing analysis tools to detect hidden malicious approvals.
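
The pre-signing analysis described above, as an added example (not code from Safe, Request Finance or the original report): it splits the packed `transactions` argument of a Safe `multiSend(bytes)` call into its individual calls, flags any ERC-20 `approve`, and checks whether the spender imitates a known address by its first and last characters. The function names, the four-character match window and every address in the sample are assumptions constructed for illustration.

```python
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def decode_multisend(packed: bytes):
    """Split the packed `transactions` argument of multiSend(bytes) into calls.
    Entry layout: 1-byte operation, 20-byte to, 32-byte value, 32-byte data length, data."""
    calls, i = [], 0
    while i < len(packed):
        if len(packed) - i < 85:
            raise ValueError("truncated MultiSend entry header")
        op, to = packed[i], packed[i + 1:i + 21]
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated MultiSend entry data")
        calls.append({"op": op, "to": "0x" + to.hex(), "value": value, "data": data})
        i += 85 + dlen
    return calls

def lookalike(addr, known, n=4):
    """Return the known address that addr imitates (same first/last n hex chars), else None."""
    a = addr.lower()[2:]
    for k in known:
        h = k.lower()[2:]
        if a != h and a[:n] == h[:n] and a[-n:] == h[-n:]:
            return k
    return None

def review(packed, known):
    """One finding per approve in the batch: (index, token, spender, amount, imitated address)."""
    findings = []
    for idx, c in enumerate(decode_multisend(packed)):
        d = c["data"]
        if d[:4] == APPROVE and len(d) >= 68:
            spender = "0x" + d[16:36].hex()          # address is right-aligned in its 32-byte word
            amount = int.from_bytes(d[36:68], "big")
            findings.append((idx, c["to"], spender, amount, lookalike(spender, known)))
    return findings

def make_entry(to_hex, data=b"", op=0, value=0):  # helper that builds the constructed sample
    return bytes([op]) + bytes.fromhex(to_hex) + value.to_bytes(32, "big") + len(data).to_bytes(32, "big") + data

# Constructed sample: every address below is made up for this example.
KNOWN = ["0x1111aaaabbbbccccddddeeeeffff000011112222"]   # recipient the signers expect
SPOOF = "1111" + "9" * 32 + "2222"                       # same first and last 4 characters
TOKEN = "a" * 40
SAMPLE = (make_entry("c" * 40, bytes.fromhex("a9059cbb") + bytes(64))   # ordinary transfer
          + make_entry(TOKEN, APPROVE + bytes(12) + bytes.fromhex(SPOOF) + (2**256 - 1).to_bytes(32, "big")))

if __name__ == "__main__": print(review(SAMPLE, KNOWN))
```

A finding whose last field is not `None` means the spender differs from an address the signers know while matching its visible prefix and suffix, which is the pattern a truncated address display hides.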

Verdict

This incident decisively confirms the escalating threat of highly sophisticated social engineering tactics targeting the weakest link in digital asset security → human vigilance.

Signal Acquired from → cryptoslate.com
