Sophisticated $3M USDC Phishing Attack Drains Multi-Sig Wallet—Here’s How It Happened
Another day, another crypto heist—except this one didn't need brute force. A slick phishing exploit just siphoned $3 million in USDC from a supposedly secure multi-signature setup.
How the Attack Unfolded
The perpetrators didn’t hack the blockchain; they hacked human confidence. Using a fake dApp interface, they tricked authorized signers into approving transactions that looked legit—until the funds vanished.
Why Multi-Sig Isn’t Foolproof
Even with multiple layers of approval, a well-orchestrated social engineering play can bypass the strongest tech safeguards. In this case, the attackers exploited trust, not code.
The Aftermath
Victims thought they were covered—until they weren’t. The incident serves as yet another reminder that in crypto, your weakest link isn’t your private key; it’s the person holding it.
Of course, Wall Street will call this 'proof of crypto's immaturity'—ignoring that traditional finance loses billions yearly to far simpler email scams. At least our thieves innovate.
How the exploit occurred
SlowMist founder Yu Xian explained that the compromised address was a 2-of-4 SAFE multi-signature wallet.
He explained that the breach originated from two consecutive transactions in which the victim approved transfers to an address that mimicked their intended recipient.
The attacker crafted the fraudulent contract so that its first and last characters mirrored the legitimate one, making it difficult to detect.
Xian added that the exploit took advantage of the Safe Multi Send mechanism, disguising the abnormal approval inside what appeared to be a routine authorization.
He wrote:
“This abnormal authorization was hard to detect because it wasn’t a standard approve.”
According to Scam Sniffer, the attacker had prepared the ground well in advance. They deployed a fake but Etherscan-verified contract nearly two weeks earlier, programming it with multiple “batch payment” functions to look legitimate.
On the day of the exploit, the malicious approval was executed through the Request Finance app interface, giving the attacker access to the victim’s funds.
In response, Request Finance acknowledged that a malicious actor had deployed a counterfeit version of its Batch Payment contract. The company noted that only one customer was affected and stressed that the vulnerability has since been patched.
Still, Scam Sniffer highlighted broader concerns about the phishing incident.
The blockchain security firm warned that similar exploits could stem from several vectors, including app vulnerabilities, malware or browser extensions modifying transactions, compromised front-ends, or DNS hijacking.
More importantly, the use of verified contracts and near-identical addresses illustrates how attackers are refining their methods to bypass user scrutiny.
