Briefing

A sophisticated phishing campaign compromised an investor’s 2-of-4 Safe multi-signature wallet on September 11, 2025. The attack used a fake Etherscan-verified contract and the Safe Multi Send mechanism to trick the victim into authorizing a malicious transaction. The direct consequence was the loss of $3.047 million in USDC, which the attacker swiftly converted to Ethereum and laundered through Tornado Cash. This incident underscores the escalating sophistication of social engineering tactics targeting high-value digital assets.

Context

Prior to this incident, the digital asset landscape faced persistent threats from increasingly sophisticated phishing operations. Attackers routinely leverage social engineering and contract impersonation to bypass user vigilance. The prevailing attack surface includes transaction approval mechanisms, where users inadvertently grant malicious contracts access to their funds. This exploit highlights the critical risk posed by deceptive contract verification and the complexities of multi-send transaction approvals.

Analysis

The attacker executed a multi-stage phishing operation, compromising an investor’s multi-signature wallet. This attack began with the deployment of a fake, yet Etherscan-verified, contract weeks in advance, programmed to mimic legitimate batch payment functions. On the day of the exploit, the victim interacted with the Request Finance app interface, unknowingly approving a malicious transaction disguised within a routine Safe Multi Send operation.

The attacker crafted the fraudulent contract address to closely resemble the legitimate one, so that it passed the victim’s scrutiny. This method successfully bypassed standard approval checks, enabling the unauthorized transfer of funds.
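A pre-signing check for the pattern described above, as an added example that is not code from the incident, Safe, or Request Finance: it unpacks a Safe MultiSend batch into its inner calls and flags any call target or ERC-20 `approve` spender that is absent from an allowlist, with a stronger warning when the address imitates an allowlisted one. The allowlist, the 2-byte prefix/suffix heuristic, the assumption that the hidden call is an `approve`, and every address are constructed for illustration.

```python
# Added example. All addresses are constructed placeholders, not incident data.
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def pack(op, to, value, data):
    """Encode one inner call the way Safe's MultiSend expects it."""
    return bytes([op]) + to + value.to_bytes(32, "big") + len(data).to_bytes(32, "big") + data

def decode_multisend(packed):
    """Split packed bytes: operation(1) | to(20) | value(32) | dataLength(32) | data."""
    calls, i = [], 0
    while i < len(packed):
        if len(packed) - i < 85:
            raise ValueError("truncated inner call header")
        n = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + n]
        if len(data) != n:
            raise ValueError("truncated inner call data")
        calls.append({"op": packed[i], "to": packed[i + 1:i + 21],
                      "value": int.from_bytes(packed[i + 21:i + 53], "big"), "data": data})
        i += 85 + n
    return calls

def lookalike(addr, known, n=2):
    """Not allowlisted, yet first and last n bytes match an allowlisted address."""
    return addr not in known and any(addr[:n] == k[:n] and addr[-n:] == k[-n:] for k in known)

def review(packed, known):
    """Return one finding per inner-call address that needs a human look."""
    findings = []
    for idx, c in enumerate(decode_multisend(packed)):
        if c["op"] == 1:
            findings.append(f"call {idx}: DELEGATECALL to 0x{c['to'].hex()}")
        addrs = [("target", c["to"])]
        if c["data"][:4] == APPROVE and len(c["data"]) >= 36:
            addrs.append(("approve spender", c["data"][16:36]))
        for label, a in addrs:
            if lookalike(a, known):
                findings.append(f"call {idx}: {label} 0x{a.hex()} imitates an allowlisted address")
            elif a not in known:
                findings.append(f"call {idx}: {label} 0x{a.hex()} is not allowlisted")
    return findings

TOKEN = bytes.fromhex("11" * 20)                         # constructed token contract
BATCH_OK = bytes.fromhex("ab12" + "00" * 16 + "cd34")    # constructed genuine payment contract
BATCH_FAKE = bytes.fromhex("ab12" + "ff" * 16 + "cd34")  # constructed lookalike
KNOWN = {TOKEN, BATCH_OK}
approve = APPROVE + bytes(12) + BATCH_FAKE + (10**6).to_bytes(32, "big")
SAMPLE = pack(0, TOKEN, 0, approve) + pack(0, BATCH_OK, 0, bytes.fromhex("deadbeef"))

if __name__ == "__main__":
    print("\n".join(review(SAMPLE, KNOWN)))
```

Comparing full 20-byte addresses against the allowlist is what catches the lookalike; a wallet UI that shows only the first and last characters would render both constructed addresses identically.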

Parameters

  • Victim ∞ Unidentified crypto investor’s 2-of-4 Safe multi-signature wallet
  • Vulnerability ∞ Sophisticated phishing via fake Etherscan-verified contract and Safe Multi Send mechanism abuse
  • Funds Lost ∞ $3.047 million in USDC
  • Blockchain Affected ∞ Ethereum
  • Attack Date ∞ September 11, 2025
  • Attacker’s Action ∞ Swapped USDC for Ethereum, laundered through Tornado Cash
  • Expert Confirmation ∞ ZachXBT, SlowMist founder Yu Xian, Scam Sniffer
  • Leveraged Interface ∞ Request Finance app

Outlook

This incident mandates a reevaluation of user transaction verification processes and heightened awareness against contract impersonation. Users must exercise extreme caution when approving transactions, particularly those involving multi-send mechanisms or interactions with third-party applications. Protocols and security firms will likely prioritize advanced detection mechanisms for deceptive contract addresses and more robust front-end security to prevent similar social engineering exploits. This event reinforces the need for continuous user education on sophisticated phishing tactics.

Verdict

This sophisticated phishing attack on a multi-signature wallet establishes a critical precedent for refined social engineering tactics, demanding immediate, comprehensive advancements in user education and transaction verification protocols across the digital asset ecosystem.

Signal Acquired from ∞ cryptoslate.com

Glossary

social engineering tactics

A sophisticated social engineering campaign led to the compromise of a prominent individual's private key, resulting in a seven-figure asset drain.

sophisticated phishing

Attackers deployed a deceptive Etherscan-verified contract, leveraging the Safe Multi Send mechanism to bypass user scrutiny and drain over $3 million.

multi-signature wallet

Advanced phishing leveraging the Safe Multi Send mechanism bypassed multi-sig security, exposing user assets to illicit transfer.

funds

Definition ∞ Funds, in the context of digital assets, refer to pools of capital gathered for investment in cryptocurrencies, tokens, or other digital ventures.

wallet

Definition ∞ A digital wallet is a software or hardware application that stores public and private keys, enabling users to send, receive, and manage their digital assets on a blockchain.

phishing

Definition ∞ Phishing, in the digital asset space, involves deceptive practices aimed at tricking individuals into divulging sensitive information, such as private keys or login credentials, typically through fraudulent communications.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

request finance

Attackers leveraged fake Etherscan-verified contracts and Safe Multi Send to obscure malicious approvals, directly compromising user assets.
