Phishing exploit steals $3 million in USDC from multi-signature wallet

• Investor loses $3 million in phishing attack
• Exploit used disguised and verified malicious contract
• Request Finance confirms fake version of contract in use

A cryptocurrency investor lost over $3 million in stablecoins after falling victim to a highly sophisticated phishing attack that exploited a multisignature wallet. The case was revealed on September 11 by onchain researcher ZachXBT, who noted that the victim's wallet was drained of $3,047 million in USDC.

The attacker quickly converted the funds to Ethereum and redirected them to Tornado Cash, a privacy protocol often used to hide the movement of illicit funds.

According to Yu Xian, founder of SlowMist, the compromised address was a 2-of-4 Safe multisignature. The attack occurred after the victim authorized two consecutive transactions to a fraudulent address that mimicked the legitimate one. To increase the effectiveness of the scam, the hacker developed a malicious contract in which the first and last characters of the address mirrored the correct one, making the fraud difficult to detect.

Xian explained that the scam used the Safe Multi Send feature, disguising the malicious approval within a seemingly routine authorization. "This abnormal authorization was difficult to detect because it wasn't a standard approval," he said.

Looked at @zachxbt 发的这起被盗事件,有些意思,被盗地址是一个 2/4 Safe 多签地址：
0xE7c15D929cdf8c283258daeBF04Fb2D9E403d139

被盗 3047700 USDC 是这两笔，紧挨着：
3M USD
47700 USDC

属于授权被盗，被盗者 USDC… pic.twitter.com/KQPYxGvugP

— Cos(余弦)😶‍🌫️ (@evilcos) September 12, 2025

Scam Sniffer's investigation revealed that the fake contract had been deployed almost two weeks earlier, already verified on Etherscan, and configured with "batch payment" functions to appear legitimate. On the day of the attack, authorization was executed through the Request Finance interface, giving the attacker access to the funds.

In response, Request Finance confirmed that a malicious actor had deployed a spoofed version of its payment contract. The company emphasized that only one customer was affected and that the vulnerability has been patched.

🚨 A victim lost $3.047M USDC yesterday through a sophisticated attack involving a fake Request Finance contract on Safe wallet.

Key findings:
• Victim's 2/4 Safe multi-sig wallet shows batch transactions via Request Finance app interface
• Hidden within: approval to malicious… pic.twitter.com/U9UNfYNZhv

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 12, 2025

Still, Scam Sniffer warned that similar phishing attacks can be orchestrated through a variety of vectors, including malware, compromised browser extensions, flaws in application front-ends, or even DNS hijacking. The use of seemingly verified contracts and nearly identical addresses reinforces how attackers are refining their tactics to circumvent the attention of cryptocurrency users.