A crypto investor lost $3.047 million in USDC in a highly coordinated phishing attack on September 11, 2025, after unknowingly authorizing a malicious contract disguised as a legitimate transaction. Blockchain investigator ZachXBT first flagged the incident, revealing that the attacker quickly swapped the stolen stablecoins for Ethereum and funneled the proceeds through Tornado Cash to obscure the funds' trail.
The compromised address was a 2-of-4 Safe multi-signature wallet. SlowMist founder Yu Xian explained that the breach originated from two consecutive transactions in which the victim approved transfers to an address mimicking their intended recipient. The attacker crafted the fraudulent contract's address so that its first and last characters mirrored those of the legitimate one, making it difficult to detect. The exploit took advantage of Safe's MultiSend mechanism, hiding the abnormal approval within what appeared to be a routine authorization.
Scam Sniffer reported that the attacker had prepared the attack well in advance, deploying a fake but Etherscan-verified contract nearly two weeks earlier and programming it with multiple "batch payment" functions to appear legitimate. On the day of the exploit, the malicious approval was executed through the Request Finance app interface. Request Finance acknowledged that a malicious actor had deployed a counterfeit version of its Batch Payment contract, noting that only one customer was affected and that the vulnerability has been patched.
Security experts warn that similar exploits could stem from various vectors, including app vulnerabilities, malware, browser extensions modifying transactions, compromised front-ends, or DNS hijacking. The incident highlights how attackers are refining methods to bypass user scrutiny using verified contracts and near-identical addresses.
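The following Python is an added example, not code from the article or from any project named in it: it decodes the packed `transactions` bytes of a Safe MultiSend batch and flags ERC-20 `approve` calls whose spender shares the first and last characters of a trusted address without being that address. The addresses, the four-character comparison window and the helper names are assumptions constructed for the example.

```python
# Added example: audit a Safe MultiSend batch for look-alike approve() spenders.
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def parse_multisend(packed: bytes) -> list:
    """Split packed entries (op:1 | to:20 | value:32 | len:32 | data) into tuples."""
    out, i = [], 0
    while i < len(packed):
        if len(packed) - i < 85:
            raise ValueError("truncated MultiSend entry header")
        op, to = packed[i], packed[i + 1:i + 21]
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated MultiSend entry data")
        out.append((op, to, value, data))
        i += 85 + dlen
    return out

def is_lookalike(addr: bytes, known: bytes, n: int = 4) -> bool:
    """True when addr differs from known yet shares its first and last n hex chars."""
    a, k = addr.hex(), known.hex()
    return a != k and a[:n] == k[:n] and a[-n:] == k[-n:]

def audit(packed: bytes, trusted: list) -> list:
    """Return (index, verdict, spender, amount) for approvals to untrusted spenders."""
    findings = []
    for idx, (_op, _to, _value, data) in enumerate(parse_multisend(packed)):
        if data[:4] != APPROVE or len(data) < 68:
            continue  # not an approve(address,uint256) call
        spender, amount = data[16:36], int.from_bytes(data[36:68], "big")
        if spender in trusted:
            continue
        hit = any(is_lookalike(spender, t) for t in trusted)
        findings.append((idx, "lookalike" if hit else "unknown", "0x" + spender.hex(), amount))
    return findings

# Constructed sample data: placeholder addresses, not values from the incident.
TOKEN = bytes.fromhex("aa" * 20)
TRUSTED = bytes.fromhex("d1a0" + "11" * 16 + "be7f")
FAKE = bytes.fromhex("d1a0" + "22" * 16 + "be7f")  # same first/last 4 hex chars

def entry(to: bytes, spender: bytes, amount: int) -> bytes:
    data = APPROVE + spender.rjust(32, b"\0") + amount.to_bytes(32, "big")
    return b"\x00" + to + bytes(32) + len(data).to_bytes(32, "big") + data

SAMPLE = entry(TOKEN, TRUSTED, 1_000) + entry(TOKEN, FAKE, 2**256 - 1)
if __name__ == "__main__":
    print(audit(SAMPLE, [TRUSTED]))
```

Comparing the full 20-byte spender against an allowlist is what catches the imitation; the prefix and suffix match only labels why a human reviewer would have missed it.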