Briefing

A sophisticated phishing attack successfully drained $3.047 million in USDC from a 2-of-4 Safe multi-signature wallet on September 11, 2025. This incident highlights the critical risk of disguised malicious contract approvals within seemingly routine transactions. The attacker leveraged a fake, Etherscan-verified contract, mirroring the legitimate recipient’s address, to bypass user scrutiny and execute the illicit transfer. The immediate consequence for the affected user was a significant capital loss, with stolen funds rapidly converted to Ethereum and laundered via Tornado Cash.

Context

Prior to this incident, the digital asset landscape consistently faced advanced social engineering and contract manipulation tactics. Attack surfaces often include front-end interfaces, compromised administrative keys, and vulnerabilities in user authorization flows. The prevailing risk factors included the increasing sophistication of phishing schemes, which leverage legitimate-looking infrastructure to trick users into granting malicious approvals. This exploit leveraged a known class of vulnerability → the deceptive embedding of malicious logic within standard transaction mechanisms.

Analysis

The attack initiated with the deployment of a fake, Etherscan-verified contract approximately two weeks before the exploit. This contract was meticulously crafted to mimic a legitimate batch payment function, lending it an undeserved air of authenticity. The attacker then exploited the Safe Multi Send mechanism, disguising a malicious approval within what appeared to be a standard transaction. The victim, interacting through the Request Finance app interface, unknowingly authorized transfers to this fraudulent contract.

This chain of events allowed the attacker to siphon $3.047 million in USDC, subsequently swapping the assets for Ethereum and funneling them through Tornado Cash to obscure the financial trail. The success of this attack underscores the attacker’s advanced preparation and the deceptive power of mimicking trusted on-chain entities.
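The batching step described above is where the disguised approval hides. As an added example (not code from the report, from Safe or from Request Finance), the following pre-signing check unpacks a Safe MultiSend payload and flags the inner calls a signer should never wave through: an ERC-20 approve() to a spender outside an allowlist, a spender whose address mimics a trusted one, and any delegatecall. The selectors are the standard MultiSend and ERC-20 ones; every address and the sample batch are constructed placeholders.

```python
MULTISEND = bytes.fromhex("8d80ff0a")   # multiSend(bytes) selector
APPROVE = bytes.fromhex("095ea7b3")     # ERC-20 approve(address,uint256) selector
def decode_multisend(calldata: bytes) -> list[dict]:
    """Unpack multiSend(bytes); each inner tx is op(1)|to(20)|value(32)|len(32)|data."""
    if calldata[:4] != MULTISEND:
        raise ValueError("not a multiSend(bytes) call")
    off = 4 + int.from_bytes(calldata[4:36], "big")        # ABI offset of the bytes argument
    length = int.from_bytes(calldata[off:off + 32], "big")
    packed, txs, i = calldata[off + 32:off + 32 + length], [], 0
    while i < len(packed):
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated batch")
        txs.append({"op": packed[i], "to": "0x" + packed[i + 1:i + 21].hex(), "data": data})
        i += 85 + dlen
    return txs

def encode_multisend(txs: list[dict]) -> bytes:
    """Inverse of decode_multisend (ETH value fixed at 0); builds the constructed sample."""
    packed = b"".join(bytes([t["op"]]) + bytes.fromhex(t["to"][2:]) + bytes(32)
                      + len(t["data"]).to_bytes(32, "big") + t["data"] for t in txs)
    return MULTISEND + (32).to_bytes(32, "big") + len(packed).to_bytes(32, "big") + packed

def is_lookalike(addr: str, trusted: set[str]) -> bool:
    """Vanity mimicry: same leading and trailing hex as a trusted address, but not equal."""
    a = addr.lower()
    return any(a != t and a[:6] == t[:6] and a[-4:] == t[-4:] for t in trusted)

def audit_batch(calldata: bytes, trusted: set[str]) -> list[str]:
    """Findings a signer should review before approving the batch (empty = nothing flagged)."""
    trusted, findings = {t.lower() for t in trusted}, []
    for n, t in enumerate(decode_multisend(calldata)):
        if t["op"] == 1:                                    # delegatecall runs foreign code as the Safe
            findings.append(f"tx{n}: DELEGATECALL to {t['to']}")
        if t["data"][:4] == APPROVE:
            spender = "0x" + t["data"][16:36].hex()         # address is right-aligned in word 1
            if spender.lower() not in trusted:
                findings.append(f"tx{n}: approve() grants {spender} spending rights")
            if is_lookalike(spender, trusted):
                findings.append(f"tx{n}: {spender} mimics a trusted address")
    return findings

# Constructed sample (placeholder addresses): a genuine-looking USDC transfer, then a disguised
# unlimited approve to an address that copies the payee's first and last hex digits.
USDC, PAYEE = "0x" + "aa" * 20, "0x1234" + "00" * 16 + "beef"
FAKE_PAYEE = "0x1234" + "ff" * 16 + "beef"
transfer = bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(PAYEE[2:]) + (10**6).to_bytes(32, "big")
approve = APPROVE + bytes(12) + bytes.fromhex(FAKE_PAYEE[2:]) + ((1 << 256) - 1).to_bytes(32, "big")
SAMPLE = encode_multisend([{"op": 0, "to": USDC, "data": transfer}, {"op": 0, "to": USDC, "data": approve}])
FINDINGS = audit_batch(SAMPLE, {USDC, PAYEE})
```

Run against real Safe transaction data, the allowlist would hold the token contracts and payees the organisation actually uses; anything flagged should be checked against the wallet UI's rendering of the same batch before any owner signs.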

Parameters

  • Targeted Entity → 2-of-4 Safe multi-signature wallet
  • Attack Vector → Sophisticated Phishing via Malicious Contract Approval
  • Financial Impact → $3.047 Million USDC
  • Blockchain → Ethereum
  • Exploited Mechanism → Safe Multi Send
  • Deception Method → Fake, Etherscan-verified contract mimicking legitimate address
  • Facilitating Application → Request Finance app interface
  • Attribution/Discovery → ZachXBT, SlowMist founder Yu Xian, Scam Sniffer

Outlook

Immediate mitigation requires users to exercise extreme vigilance when approving transactions, manually verifying all contract addresses and approval details before signing. Protocols must enhance their front-end security to detect and warn against suspicious contract interactions, even when originating from verified contracts. This incident establishes a new benchmark for phishing sophistication, demanding that security audits extend beyond code logic to include comprehensive assessments of user interaction flows and the potential for social engineering at the application layer. The contagion risk extends to any multi-signature wallet or DeFi protocol relying on user approvals via third-party interfaces.

Verdict

This incident definitively signals a critical escalation in phishing attack sophistication, necessitating an immediate and fundamental shift towards rigorous manual transaction verification and enhanced application-layer security across the digital asset ecosystem.

Signal Acquired from → CryptoSlate

Micro Crypto News Feeds

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

malicious contract

Definition ∞ A malicious contract is a piece of code, often a smart contract on a blockchain, designed with the intent to deceive, defraud, or harm users.

usdc

Definition ∞ USDC is a prominent stablecoin designed to maintain a fixed value relative to the US dollar.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

deception

Definition ∞ Deception in financial contexts involves any act intended to mislead participants for illicit gain.

approvals

Definition ∞ Approvals are cryptographic signals that grant permission for a smart contract or another address to spend or interact with a user's digital assets.

phishing attack

Definition ∞ A phishing attack is a fraudulent attempt to obtain sensitive information, such as usernames, passwords, and financial details, by disguising oneself as a trustworthy entity in electronic communication.