Briefing

A sophisticated phishing attack successfully drained $3.047 million in USDC from a 2-of-4 Safe multi-signature wallet on September 11, 2025. This incident highlights the critical risk of disguised malicious contract approvals within seemingly routine transactions. The attacker leveraged a fake, Etherscan-verified contract, mirroring the legitimate recipient’s address, to bypass user scrutiny and execute the illicit transfer. The immediate consequence for the affected user was a significant capital loss, with stolen funds rapidly converted to Ethereum and laundered via Tornado Cash.

Context

Prior to this incident, the digital asset landscape consistently faced advanced social engineering and contract manipulation tactics. Attack surfaces often include front-end interfaces, compromised administrative keys, and vulnerabilities in user authorization flows. The prevailing risk factors included the increasing sophistication of phishing schemes, which leverage legitimate-looking infrastructure to trick users into granting malicious approvals. This exploit leveraged a known class of vulnerability: the embedding of malicious logic (here, a token approval) within an otherwise standard batched transaction.

Analysis

The attack began with the deployment of a fake, Etherscan-verified contract approximately two weeks before the exploit. This contract was crafted to mimic a legitimate batch payment function, lending it an undeserved air of authenticity. The attacker then exploited the Safe Multi Send mechanism, disguising a malicious approval within what appeared to be a standard batched transaction. The victim, interacting through the Request Finance app interface, unknowingly authorized transfers to this fraudulent contract.

This chain of events allowed the attacker to siphon $3.047 million in USDC, subsequently swapping the assets for Ethereum and funneling them through Tornado Cash to obscure the financial trail. The success of this attack underscores the attacker’s advanced preparation and the deceptive power of mimicking trusted on-chain entities.

Parameters

  • Targeted Entity → 2-of-4 Safe multi-signature wallet
  • Attack Vector → Sophisticated Phishing via Malicious Contract Approval
  • Financial Impact → $3.047 Million USDC
  • Blockchain → Ethereum
  • Exploited Mechanism → Safe Multi Send
  • Deception Method → Fake, Etherscan-verified contract mimicking legitimate address
  • Facilitating Application → Request Finance app interface
  • Attribution/Discovery → ZachXBT, SlowMist founder Yu Xian, Scam Sniffer

Outlook

Immediate mitigation requires users to exercise extreme vigilance when approving transactions, manually verifying all contract addresses and approval details before signing. Protocols must enhance their front-end security to detect and warn against suspicious contract interactions, even when originating from verified contracts. This incident establishes a new benchmark for phishing sophistication, demanding that security audits extend beyond code logic to include comprehensive assessments of user interaction flows and the potential for social engineering at the application layer. The contagion risk extends to any multi-signature wallet or DeFi protocol relying on user approvals via third-party interfaces.
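The Analysis section describes a malicious approval hidden inside a Safe Multi Send batch, and the mitigation above calls for checking contract addresses and approval details before signing. The following added example (written for this briefing, not code from CryptoSlate, Safe, or Request Finance) shows what such a pre-signing screen can look like: it decodes the packed Multi Send batch layout used by Safe's MultiSend contract (operation, to, value, data length, data), pulls out any ERC-20 `approve()` calls, and flags spenders that are not on an allowlist, spenders whose address merely looks like a trusted one (same leading and trailing hex characters), unlimited allowances, and delegatecalls. The token, payee, and lookalike addresses are constructed placeholders; the allowlist and the sample batch are likewise constructed.

```python
"""Pre-signing screen for a Safe MultiSend batch (added example).

Assumptions, labelled: the packed MultiSend layout
(operation:1 byte | to:20 | value:32 | dataLength:32 | data), the ERC-20
approve selector 0x095ea7b3, and a constructed token/payee/lookalike trio.
"""

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # keccak("approve(address,uint256)")[:4]
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")   # keccak("transfer(address,uint256)")[:4]
UINT256_MAX = (1 << 256) - 1


def pack_tx(operation: int, to: str, value: int, data: bytes) -> bytes:
    """Encode one inner call in MultiSend packed form (used here only to build sample input)."""
    return (bytes([operation]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)


def decode_multisend(payload: bytes) -> list[dict]:
    """Walk the packed batch and return each inner call as a dict."""
    calls, i = [], 0
    while i < len(payload):
        if len(payload) - i < 85:                      # 1 + 20 + 32 + 32 header bytes
            raise ValueError("truncated MultiSend header")
        op = payload[i]; i += 1
        to = "0x" + payload[i:i + 20].hex(); i += 20
        value = int.from_bytes(payload[i:i + 32], "big"); i += 32
        dlen = int.from_bytes(payload[i:i + 32], "big"); i += 32
        if len(payload) - i < dlen:
            raise ValueError("truncated MultiSend data")
        data = payload[i:i + dlen]; i += dlen
        calls.append({"operation": op, "to": to, "value": value, "data": data})
    return calls


def looks_alike(addr: str, trusted: str, n: int = 4) -> bool:
    """True when addr shares the first and last n hex chars of a trusted address but differs."""
    a, t = addr.lower(), trusted.lower()
    return a != t and a[2:2 + n] == t[2:2 + n] and a[-n:] == t[-n:]


def screen_batch(payload: bytes, trusted_spenders: set, trusted_recipients: set) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    spenders = {s.lower() for s in trusted_spenders}
    known = spenders | {r.lower() for r in trusted_recipients}
    for idx, call in enumerate(decode_multisend(payload)):
        data = call["data"]
        if call["operation"] == 1:
            findings.append(f"call {idx}: DELEGATECALL to {call['to']} hands control to foreign code")
        # approve(address,uint256): 4-byte selector + 32-byte padded address + 32-byte amount
        if data[:4] == APPROVE_SELECTOR and len(data) == 68:
            spender = "0x" + data[16:36].hex()
            amount = int.from_bytes(data[36:68], "big")
            if spender not in spenders:
                findings.append(f"call {idx}: approve() to unlisted spender {spender} on token {call['to']}")
            for t in known:
                if looks_alike(spender, t):
                    findings.append(f"call {idx}: spender {spender} looks like trusted address {t}")
            if amount == UINT256_MAX:
                findings.append(f"call {idx}: unlimited allowance granted to {spender}")
    return findings


# Constructed sample: a real-looking payment followed by a hidden approval to a lookalike.
TOKEN = "0x" + "aa" * 20                 # placeholder ERC-20 token contract
PAYEE = "0x" + "11" * 20                 # placeholder legitimate recipient
LOOKALIKE = "0x1111" + "ff" * 16 + "1111"  # same first/last 4 hex chars as PAYEE, different address


def transfer_calldata(to: str, amount: int) -> bytes:
    return TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(to[2:]) + amount.to_bytes(32, "big")


def approve_calldata(spender: str, amount: int) -> bytes:
    return APPROVE_SELECTOR + bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")


SAMPLE_BATCH = (pack_tx(0, TOKEN, 0, transfer_calldata(PAYEE, 1_000 * 10**6))
                + pack_tx(0, TOKEN, 0, approve_calldata(LOOKALIKE, UINT256_MAX)))


if __name__ == "__main__":
    for line in screen_batch(SAMPLE_BATCH, trusted_spenders=set(), trusted_recipients={PAYEE}):
        print("WARN", line)
```

Run against the constructed batch, the screen says nothing about call 0 (a plain transfer to the trusted payee) and raises three warnings on call 1: an approval to a spender that is not allowlisted, a spender address that mimics the trusted payee, and an unlimited allowance. A wallet front-end or a signer's own tooling can apply the same decode-then-inspect step to every Multi Send batch before a signature is produced, which is the manual verification the mitigation above asks for, made systematic.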

Verdict

This incident definitively signals a critical escalation in phishing attack sophistication, necessitating an immediate and fundamental shift towards rigorous manual transaction verification and enhanced application-layer security across the digital asset ecosystem.

Signal Acquired from → CryptoSlate

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

malicious contract

Definition ∞ A malicious contract is a piece of code, often a smart contract on a blockchain, designed with the intent to deceive, defraud, or harm users.

usdc

Definition ∞ USDC is a prominent stablecoin designed to maintain a fixed value relative to the US dollar.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

deception

Definition ∞ Deception in financial contexts involves any act intended to mislead participants for illicit gain.

approvals

Definition ∞ Approvals are cryptographic signals that grant permission for a smart contract or another address to spend or interact with a user's digital assets.

phishing attack

Definition ∞ A phishing attack is a fraudulent attempt to obtain sensitive information, such as usernames, passwords, and financial details, by disguising oneself as a trustworthy entity in electronic communication.