
Briefing

A sophisticated phishing attack successfully drained $3.047 million in USDC from a 2-of-4 Safe multi-signature wallet on September 11, 2025. This incident highlights the critical risk of disguised malicious contract approvals within seemingly routine transactions. The attacker leveraged a fake, Etherscan-verified contract, mirroring the legitimate recipient’s address, to bypass user scrutiny and execute the illicit transfer. The immediate consequence for the affected user was a significant capital loss, with stolen funds rapidly converted to Ethereum and laundered via Tornado Cash.


Context

Prior to this incident, the digital asset landscape consistently faced advanced social engineering and contract manipulation tactics. Attack surfaces often include front-end interfaces, compromised administrative keys, and vulnerabilities in user authorization flows. The prevailing risk factors included the increasing sophistication of phishing schemes, which leverage legitimate-looking infrastructure to trick users into granting malicious approvals. This exploit leveraged a known class of vulnerability: the deceptive embedding of malicious logic within standard transaction mechanisms.


Analysis

The attack initiated with the deployment of a fake, Etherscan-verified contract approximately two weeks before the exploit. This contract was meticulously crafted to mimic a legitimate batch payment function, lending it an undeserved air of authenticity. The attacker then exploited the Safe Multi Send mechanism, disguising a malicious approval within what appeared to be a standard transaction. The victim, interacting through the Request Finance app interface, unknowingly authorized transfers to this fraudulent contract.

This chain of events allowed the attacker to siphon $3.047 million in USDC, subsequently swapping the assets for Ethereum and funneling them through Tornado Cash to obscure the financial trail. The success of this attack underscores the attacker’s advanced preparation and the deceptive power of mimicking trusted on-chain entities.


Parameters

  • Targeted Entity: 2-of-4 Safe multi-signature wallet
  • Attack Vector: Sophisticated Phishing via Malicious Contract Approval
  • Financial Impact: $3.047 Million USDC
  • Blockchain: Ethereum
  • Exploited Mechanism: Safe Multi Send
  • Deception Method: Fake, Etherscan-verified contract mimicking legitimate address
  • Facilitating Application: Request Finance app interface
  • Attribution/Discovery: ZachXBT, SlowMist founder Yu Xian, Scam Sniffer


Outlook

Immediate mitigation requires users to exercise extreme vigilance when approving transactions, manually verifying all contract addresses and approval details before signing. Protocols must enhance their front-end security to detect and warn against suspicious contract interactions, even when originating from verified contracts. This incident establishes a new benchmark for phishing sophistication, demanding that security audits extend beyond code logic to include comprehensive assessments of user interaction flows and the potential for social engineering at the application layer. The contagion risk extends to any multi-signature wallet or DeFi protocol relying on user approvals via third-party interfaces.
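The Analysis section describes a batch that carried a hidden approval next to what looked like routine payments, and the guidance above asks signers to check every contract address and approval detail before signing. The script below is an added example, not code from the article, from Safe or from Request Finance: it unpacks a MultiSend payload into its individual calls, identifies any ERC-20 `approve` among them, and reports spenders that are not on the signer's allow-list as well as unlimited allowances, so that an approval buried in a payment batch is surfaced before the signature is given. It assumes the packed layout used by Safe's MultiSend contract (operation, to, value, data length, data) and the standard ERC-20 `approve`/`transfer` selectors; all addresses, the allow-list and the two sample batches are constructed placeholders.

```python
"""Surface hidden ERC-20 approvals inside a Safe MultiSend batch before signing.

Added example, not code from the article, Safe or Request Finance. Assumes the
packed layout used by Safe's MultiSend contract:
    operation (1 byte) | to (20 bytes) | value (32 bytes) | dataLength (32 bytes) | data
and the standard ERC-20 selectors. All addresses and sample batches are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # keccak256("approve(address,uint256)")[:4]
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]
MAX_UINT256 = (1 << 256) - 1
HEADER_LEN = 1 + 20 + 32 + 32


@dataclass
class Call:
    operation: int  # 0 = CALL, 1 = DELEGATECALL
    to: str         # target contract, 0x-prefixed hex
    value: int      # wei sent with the call
    data: bytes     # calldata forwarded to `to`


def _addr_bytes(addr: str) -> bytes:
    return bytes.fromhex(addr[2:])


def erc20_call(selector: bytes, counterparty: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount) or transfer(to, amount) calldata."""
    return selector + _addr_bytes(counterparty).rjust(32, b"\x00") + amount.to_bytes(32, "big")


def encode_multisend(calls: list[Call]) -> bytes:
    """Pack calls the way MultiSend expects (used here only to build sample input)."""
    out = b""
    for c in calls:
        out += bytes([c.operation]) + _addr_bytes(c.to) + c.value.to_bytes(32, "big")
        out += len(c.data).to_bytes(32, "big") + c.data
    return out


def decode_multisend(packed: bytes) -> list[Call]:
    """Unpack a MultiSend payload into its calls; rejects truncated input."""
    calls, i = [], 0
    while i < len(packed):
        if len(packed) - i < HEADER_LEN:
            raise ValueError(f"truncated MultiSend header at offset {i}")
        op = packed[i]
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        i += HEADER_LEN
        if len(packed) - i < dlen:
            raise ValueError(f"truncated call data at offset {i}")
        calls.append(Call(op, to, value, packed[i:i + dlen]))
        i += dlen
    return calls


def decode_erc20_call(data: bytes) -> tuple[str, str, int] | None:
    """Return (kind, counterparty, amount) for a standard approve/transfer call, else None."""
    if len(data) != 68:
        return None
    kind = {APPROVE_SELECTOR: "approve", TRANSFER_SELECTOR: "transfer"}.get(data[:4])
    if kind is None:
        return None
    return kind, "0x" + data[16:36].hex(), int.from_bytes(data[36:], "big")


def audit_batch(packed: bytes, trusted_spenders: set[str]) -> list[str]:
    """List the reasons a signer should pause before approving this batch."""
    trusted = {a.lower() for a in trusted_spenders}
    findings = []
    for idx, call in enumerate(decode_multisend(packed)):
        if call.operation == 1:
            findings.append(f"call {idx}: DELEGATECALL to {call.to}; not expected in a payment batch")
        parsed = decode_erc20_call(call.data)
        if parsed is None or parsed[0] != "approve":
            continue  # plain transfers to payees are the expected content of a payment batch
        _, spender, amount = parsed
        if spender.lower() not in trusted:
            findings.append(f"call {idx}: approve on token {call.to} grants spender {spender}, not on the allow-list")
        if amount == MAX_UINT256:
            findings.append(f"call {idx}: unlimited allowance for {spender}")
    return findings


# Constructed placeholders: a token, two payees, the payment app's own batch contract
# (the only spender the signer trusts) and a look-alike contract standing in for the attacker's.
TOKEN = "0x" + "11" * 20
PAYEE_A, PAYEE_B = "0x" + "aa" * 20, "0x" + "bb" * 20
BATCH_CONTRACT = "0x" + "dd" * 20
LOOKALIKE = "0x" + "cc" * 20
TRUSTED_SPENDERS = {BATCH_CONTRACT}

CLEAN_BATCH = encode_multisend([
    Call(0, TOKEN, 0, erc20_call(TRANSFER_SELECTOR, PAYEE_A, 1_000 * 10**6)),
    Call(0, TOKEN, 0, erc20_call(TRANSFER_SELECTOR, PAYEE_B, 2_500 * 10**6)),
])
# The same payments with one entry appended: an unlimited approval to the look-alike.
SUSPICIOUS_BATCH = CLEAN_BATCH + encode_multisend([
    Call(0, TOKEN, 0, erc20_call(APPROVE_SELECTOR, LOOKALIKE, MAX_UINT256)),
])

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("suspicious", SUSPICIOUS_BATCH)):
        print(name, "->", audit_batch(batch, TRUSTED_SPENDERS) or ["no findings"])
```

The allow-list is the point of the design: a payment application may legitimately need an allowance for its own batch contract, so the check does not reject approvals outright but requires the spender to be one the signer has already vetted, and it treats an unlimited allowance as a separate reason to stop. Running the same decoder over a transaction proposed through a third-party interface gives each co-signer of a multisig an independent view of what the batch actually does, rather than relying on the interface's own description.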


Verdict

This incident definitively signals a critical escalation in phishing attack sophistication, necessitating an immediate and fundamental shift towards rigorous manual transaction verification and enhanced application-layer security across the digital asset ecosystem.

Signal Acquired from: CryptoSlate

Micro Crypto News Feeds

multi-signature wallet

Definition: A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

social engineering

Definition: Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition: A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

tornado cash

Definition: Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

multi-signature

Definition: Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

malicious contract

Definition: A malicious contract is a piece of code, often a smart contract on a blockchain, designed with the intent to deceive, defraud, or harm users.

usdc

Definition: USDC is a prominent stablecoin designed to maintain a fixed value relative to the US dollar.

ethereum

Definition: Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

deception

Definition: Deception in financial contexts involves any act intended to mislead participants for illicit gain.

approvals

Definition: Approvals are cryptographic signals that grant permission for a smart contract or another address to spend or interact with a user's digital assets.

phishing attack

Definition: A phishing attack is a fraudulent attempt to obtain sensitive information, such as usernames, passwords, and financial details, by disguising oneself as a trustworthy entity in electronic communication.