Briefing

An advanced phishing campaign successfully targeted a 2-of-4 Safe multi-signature wallet, orchestrating the unauthorized transfer of digital assets. The attacker exploited the Safe Multi Send mechanism, employing a meticulously crafted, fake Etherscan-verified contract to obscure a malicious approval within a seemingly routine transaction. This intricate social engineering attack resulted in the exfiltration of $3.047 million in USDC, which the perpetrator subsequently routed through Tornado Cash to obfuscate the funds’ origin.

Context

Prior to this incident, the prevailing threat landscape included increasing sophistication in phishing attacks, often targeting user approvals and leveraging trust in verified on-chain entities. The inherent complexity of multi-signature wallet interactions and the reliance on visual inspection for contract addresses created a fertile attack surface. Attackers frequently exploited the difficulty users face in discerning legitimate contract interactions from malicious ones, particularly when complex transaction bundles are involved.

Analysis

Technically, the attacker deployed a counterfeit contract weeks in advance, programmed with legitimate-looking batch payment functions, and had it verified on Etherscan. What was compromised was the user’s trust together with the Safe Multi Send mechanism’s ability to bundle transactions, which the attacker used to disguise a critical malicious approval inside an otherwise routine batch. The attacker initiated two consecutive transactions in which the victim approved transfers to an address designed to mimic a legitimate recipient by matching its first and last characters. This deceptive contract, executed through the Request Finance app interface, allowed the malicious approval to pass as a standard operation, circumventing the victim’s scrutiny and enabling the asset drain.
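The two defensive checks this incident calls for, decoding a Safe Multi Send bundle and flagging look-alike addresses, as an added example that is not code from the page, from Safe or from Request Finance. It assumes the packed Multi Send layout (1-byte operation, 20-byte target, 32-byte value, 32-byte data length, data) and the standard ERC-20 `approve`/`transfer` selectors; all addresses and amounts below are constructed placeholders.

```python
# Pre-signing audit of a Safe MultiSend bundle: surface hidden ERC-20 approvals
# and recipients that mimic an allowlisted address by first/last characters.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # keccak("approve(address,uint256)")[:4]
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak("transfer(address,uint256)")[:4]

def decode_multisend(packed: bytes):
    """Yield (operation, to, value, data) tuples from MultiSend packed encoding."""
    i = 0
    while i < len(packed):
        op = packed[i]
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        n = int.from_bytes(packed[i + 53:i + 85], "big")
        yield op, to, value, packed[i + 85:i + 85 + n]
        i += 85 + n

def looks_like(addr: str, known: str, edge: int = 4) -> bool:
    """True if addr differs from known but shares its first and last `edge` hex chars."""
    a, k = addr.lower(), known.lower()
    return a != k and a[:2 + edge] == k[:2 + edge] and a[-edge:] == k[-edge:]

def audit_bundle(packed: bytes, allowlist: list[str]) -> list[str]:
    """Return human-readable findings a signer should review before approving."""
    findings = []
    for idx, (op, to, _value, data) in enumerate(decode_multisend(packed)):
        if op == 1:
            findings.append(f"tx{idx}: delegatecall to {to}")
        sel, args = data[:4], data[4:]
        if sel in (APPROVE_SELECTOR, TRANSFER_SELECTOR) and len(args) >= 64:
            target = "0x" + args[12:32].hex()          # address is right-aligned in 32 bytes
            amount = int.from_bytes(args[32:64], "big")
            if sel == APPROVE_SELECTOR:
                findings.append(f"tx{idx}: approve {amount} to {target} on token {to}")
            for known in allowlist:
                if looks_like(target, known):
                    findings.append(f"tx{idx}: {target} mimics allowlisted {known}")
    return findings

# --- constructed sample: a normal transfer followed by a disguised approval ---
def _encode(op: int, to: str, value: int, data: bytes) -> bytes:
    return (bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)

def _call(selector: bytes, addr: str, amount: int) -> bytes:
    return selector + bytes(12) + bytes.fromhex(addr[2:]) + amount.to_bytes(32, "big")

TOKEN = "0x" + "aa" * 20                      # placeholder ERC-20 contract
PAYEE = "0x1234" + "00" * 16 + "abcd"         # legitimate, allowlisted recipient
FAKE = "0x1234" + "ff" * 16 + "abcd"          # same first/last chars, different middle
SAMPLE = (_encode(0, TOKEN, 0, _call(TRANSFER_SELECTOR, PAYEE, 1000))
          + _encode(0, TOKEN, 0, _call(APPROVE_SELECTOR, FAKE, 2**256 - 1)))
```

Running `audit_bundle(SAMPLE, [PAYEE])` reports the unlimited approval and the look-alike spender while the plain transfer to the allowlisted payee produces no finding.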

Parameters

  • Exploited Protocol/Wallet → 2-of-4 Safe Multi-signature Wallet
  • Attack Vector → Sophisticated Phishing via Malicious Contract Mimicry and Safe Multi Send
  • Financial Impact → $3.047 Million USDC
  • Blockchain Affected → Ethereum
  • Key Forensic Detail → Funds bridged to Ethereum, then laundered via Tornado Cash
  • Initial Detection → ZachXBT on September 11, 2025
  • Exploit Mechanism → Fake Etherscan-verified contract with mirrored address characters

Outlook

Immediate mitigation steps for users include rigorous verification of all transaction details, even within seemingly legitimate interfaces, and a heightened awareness of contract address spoofing. This incident underscores the urgent need for enhanced wallet security features that provide clearer, human-readable breakdowns of complex transaction approvals. The broader ecosystem faces a contagion risk if similar sophisticated phishing techniques are not robustly countered, potentially leading to new security best practices centered on advanced transaction simulation and pre-signing analysis tools to detect hidden malicious approvals.

Verdict

This incident decisively confirms the escalating threat of highly sophisticated social engineering tactics targeting the weakest link in digital asset security → human vigilance.

Signal Acquired from → cryptoslate.com