Go to Home
Web3 security pattern.
Blog
Web3 security pattern.
Multisig Security: Evolving Threats in 2025
Multisig security threats in 2025 target entire signing infrastructures, not just individual keys. Learn how to protect your crypto assets.Hilary contributor avatar

Multisig Security: Evolving Threats in 2025

Hilary contributor avatar
Hilary
February 28, 2025
Security Guides
Security Guides

As the cryptocurrency space continues to evolve, securing digital assets has become more critical than ever. Multi-signature (multisig) wallets, which require multiple approvals before a transaction can be executed, were once seen as a highly secure solution to safeguard crypto holdings. These wallets are designed to add an extra layer of protection by distributing authority across multiple signers, making it harder for malicious actors to compromise the entire wallet with a single breach.

However, the landscape of multisig wallet security has changed. What was once considered an impenetrable solution has now faced new challenges. In 2025, multi-sig vulnerabilities have evolved into sophisticated exploits targeting not just individual keys, but the entire signing infrastructure encompassing development pipelines, transaction validation, and team communication channels.

In this blog, we'll take a closer look at how multisig wallet attacks have progressed, the latest tactics used by hackers, and the lessons we can learn from past incidents. We'll also explore the best practices and strategies you can adopt to protect your assets from these evolving threats.

Problems with EOAs (Externally Owned Accounts)

EOA stands for Externally Owned Account, which refers to an Ethereum account controlled by a private key, typically used by individuals or entities to send and receive transactions. EOAs don't have internal code, but they can interact with smart contracts on the blockchain. While EOAs have served as the foundational way of managing crypto wallets, they come with several significant drawbacks:

1. Loss of Access

EOAs rely on a single private key to control the associated funds. If the private key is lost, forgotten, or damaged, access to the wallet is effectively gone. There’s no built-in recovery process for lost keys, meaning users risk permanently losing access to their assets.

2. Compromised Key

If an attacker gains access to the private key, they can easily access the funds without any additional checks or balances. This is particularly concerning in an environment where phishing attacks, malware, and other forms of cybercrime are prevalent.

3. Single Point of Failure

The biggest vulnerability of EOAs is the reliance on a single point of failure: the private key. If the key is compromised or lost, there’s no fallback. Unlike traditional banking systems, crypto assets don’t have a centralized authority to recover lost funds or halt fraudulent transactions.

How Does a Multi-Signature Wallet Work?

A multi-signature (multisig) wallet requires multiple private keys to authorize a transaction, ensuring that more than one party needs to approve a transaction before it’s finalized.

1. Setting Up the Multisig Wallet

In a multisig setup, multiple private keys are generated and distributed among different signers. For example, in a "2 of 3" configuration, three keys are created, and any two of them must approve a transaction for it to go through.

2. The "M of N" Model

  • M (Minimum Signers): This represents the minimum number of signers required to approve a transaction. In a "2 of 3" model, two out of three signers must sign to authorize a transaction.
  • N (Total Signers): This is the total number of possible signers in the setup. For example, in a "2 of 3" setup, there are three signers in total.

3. Signing a Transaction

Once a transaction is initiated, it is broadcast to all designated signers. Each signer reviews the transaction and uses their private key to approve it. Once the minimum required number of signatures (M) is reached, the transaction is confirmed and executed. If one signer is unavailable or unwilling to sign, the transaction cannot proceed until the required number is met

What Are MultiSig Attacks?

The rise of decentralized finance has made multi-signature wallets essential for securing high-value crypto assets. Rather than targeting individual private keys, modern multisig exploits focus on compromising the entire signing infrastructure—including development environments, build systems, transaction validation, and team communication channels. Malicious actors are able to bypass traditional multisig security assumptions and drain protocols' funds—with devastating and irreversible results. Understanding and defending against this evolving threat is critical for any project operating in the DeFi space.

Evolution of Multisig Wallet Attacks: From Code Exploits to Infrastructure Breaches

Early Multisig Vulnerabilities (2017-2018)

In the early days of multisig wallets, the promise of enhanced security was marred by code vulnerabilities in smart contract implementations. These vulnerabilities allowed attackers to exploit weaknesses in wallet software, often resulting in significant financial losses.

Example: Parity Wallet Hack (2017): One of the first major multisig hacks occurred when Parity wallet's Ethereum multi-sig implementation had a critical flaw in its smart contract. Hackers used this vulnerability to lock up over $150 million in funds. It exposed how code flaws could undermine multi-sig systems, leading to catastrophic consequences.

  • Hacking Techniques:
  • Smart Contract Bugs: Attackers targeted logic errors in multisig wallet code, particularly in how the contracts managed signatures and transaction approvals. These flaws gave hackers the ability to steal or lock funds, often indefinitely.
  • Lessons Learned: The key takeaway was that code security in multisig implementations must be thoroughly tested and audited to prevent vulnerabilities from being exploited.

Social Engineering and Phishing Attacks (2018-2020)

As the crypto ecosystem matured, hackers adapted by targeting the weakest link in the multisig security model, the human factor. Social engineering and phishing attacks became the go-to methods for gaining access to private keys or tricking signers into authorizing fraudulent transactions.

  • Hacking Techniques:
    • Phishing: Hackers used fake emails and websites to gather private keys from users, often impersonating trusted entities in the crypto space.
    • SIM Swapping: By taking control of a target’s phone number, attackers intercepted 2FA codes and gained access to the multisig wallet.
  • Lessons Learned: The focus shifted to strengthening the security of communication channels and adopting two-factor authentication (2FA) across all wallet signers to protect against human errors.

Malware and Device Compromise (2020-2023)

As attackers grew more sophisticated, they began targeting malware as a tool to compromise the signers’ devices. This allowed hackers to access private keys, monitor transactions, and even modify wallet approvals without the signers’ knowledge.

  • Hacking Techniques:
    • Keyloggers and Remote Access Trojans (RATs): Malware was installed on signer devices to record keystrokes, capture private keys, or gain access to transaction approval systems.
    • Device Compromise: Once an attacker gained control of a signer’s device, they could execute transactions without the signer’s knowledge, bypassing the multisig process entirely.
  • Lessons Learned: Device security became crucial. Protecting private keys and transaction-signing processes required not only securing the network but also the endpoints (signers’ devices) themselves.

Hybrid Attacks and Multi-Layered Exploits (2023-2025)

By 2025, multisig wallet attacks evolved into multi-layered campaigns, targeting a wider range of vulnerabilities across both technological and human layers of the security model. Rather than simply exploiting a single weakness, attackers now deploy complex, coordinated attacks that target the entire signing infrastructure from the key management system to the communication channels and even the underlying development environment.

  • Examples: Tapioca (2024): This attack exploited a social engineering tactic to steal private keys, followed by the use of malware and phishing to gather additional information from other signers, draining over $4.4 million in assets.
  • Radiant Capital (2024): In this case, attackers exploited vulnerabilities in the signing workflow, gaining control of three of the eleven private keys and executing fraudulent transactions worth over $50 million.
  • Bybit (2025): The Lazarus Group, a cybercriminal group believed to be based in North Korea, was behind one of the largest crypto exchange hacks in early 2025. The group used a multi-layered approach to breach Bybit’s security, by injecting malware into signing devices or tricking users into visiting a phishing link, which led to the approval of a transaction containing masked malicious content. The hack resulted in the theft of approximately 400,000 Ethereum (ETH) worth over $1.5 billion.
  • Hacking Techniques:
    • Supply Chain Attacks: Attackers targeted the development pipeline itself, injecting malicious code into the signing process. These attacks compromised the signing artifacts and turned what was supposed to be a legitimate transaction approval into a malicious one.
    • CI/CD Exploits: Continuous Integration/Continuous Deployment (CI/CD) pipelines used for building and deploying signing infrastructure became a key target. Attackers inserted malicious components into the automated deployment processes, allowing them to manipulate the entire signing workflow.
    • Transaction Manipulation: Even if signers were using secure devices, attackers targeted the systems that managed and created the transactions. They manipulated the transaction details before they reached the signers, making everything appear normal, so the signers unknowingly approved harmful transactions.
    • Infiltrating Communication Channels: Attackers infiltrated team communication channels, such as secure messaging apps, emails, and other out-of-band communication systems, to manipulate or intercept approval processes.
  • Lessons Learned: These attacks highlighted the need to secure not just the keys or consensus processes, but the entire infrastructure surrounding the multisig process. The evolution of these attacks illustrated that vulnerabilities at any point in the signing flow could lead to catastrophic breaches.

A Closer Look at the New Threat Landscape in 2025

As seen in past attacks like the Parity Wallet hack and the recent Bybit breach in 2025, attackers have continually adapted their strategies to exploit vulnerabilities in multisig systems. Initially, they focused on flaws in smart contract code, then shifted to social engineering and phishing to trick users into revealing their private keys. More recently, attackers have targeted the entire signing infrastructure, manipulating transaction data itself whether through malware, phishing, or infiltrating the systems that manage transaction creation and approvals.

Today, the threat landscape has shifted further. It’s no longer just about targeting individual keys or exploiting consensus flaws. The entire signing infrastructure is at risk, with attackers now focusing on infiltrating the core systems that handle transaction creation and approval.

In the following sections, we’ll explore the latest threats and tactics used by hackers, specifically those that involve altering transaction data and bypassing traditional security measures.

1. Development Environment Supply Chains

Malicious actors inject malware into build and deployment pipelines used to generate signing artifacts. Compromising these environments means that what’s actually signed is different from what the signers expect to be approving.

2. Continuous Integration/Deployment Processes

The CI/CD tools and scripts responsible for packaging and deploying signing infrastructure are also prime targets. Attackers swap malicious components into these automated processes.

3. Transaction Validation and Monitoring Systems

Even if the signing devices themselves are secure, attackers will find ways to manipulate the parameters of a transaction before it ever reaches the signers. Targeting RPC endpoints, local transaction construction, and asset monitoring tools allows them to display one set of details— while actually signing something different.

4. Team Communication Channels

The standard offline processes used to verify and approve high-value transactions are also under assault. Attackers have infiltrated secure messaging apps, email threads, and other channels where signers coordinate to compromise out-of-band verification steps.

These sophisticated, multi-pronged attacks demonstrate that the modern multisig attack surface extends far beyond just smart contracts and key management. Malicious actors are now undermining the entire signing infrastructure and succeeding.

The implications? Severe. Multisig compromises and their resulting loss of assets can be catastrophic and irreversible—and happen in just minutes. This has quietly become a major security risk that every DeFi project must consider. It’s no longer about just requiring additional signatures, it's about fortifying the entire signing process from end to end.

Never Trust, Always Verify: The Cantina Multisig Security Playbook

Since the attack surface for multi-signature wallets has expanded, so must every protocol’s simple key management and consensus-based security assumptions. The modern multisig threat model demands a comprehensive, defense-in-depth approach that addresses both technical and operational vulnerabilities. Here are our thoughts to get you started:

Cantina's Multi-Sig Security Playbook: 8 critical components including isolated environments, hardware security, verification protocols, and real-time monitoring.

We believe protocols should formalize these best practices into a comprehensive security framework. This could include requirements around signing environment isolation, minimum verification channels, mandatory hardware security, and tiered thresholds for additional controls on high-value transactions.

Signed, Sealed, Delivered

The future of multisig security isn't about how many signatures you require, it's about how well you protect the entire signing process from end to end. As attacks grow more sophisticated, protocols must be willing to invest in robust, defense-in-depth architectures that can withstand the evolving threat landscape.

Getting this right is crucial. With immense value at stake and the irreversible nature of crypto transactions, a single multi-sig compromise can be catastrophic. The time to act is now. Multisig attacks will only become more sophisticated as attackers exploit new vulnerabilities. Teams must evolve their thinking from multisigs as simply "requiring multiple signatures" to encompassing the entire signing process.

A couple key questions we’d like to leave you with:

How do you verify the integrity of your signing environment?

What out-of-band verification methods are you using?

How would you detect if your signing infrastructure was compromised?

What's your response plan for suspected transaction manipulation?

Are you prepared for the next generation of attacks? Perhaps it’s time to re-evaluate your multisig security posture and implement a strategy that neutralizes today’s threats.

Secure your protocol today

Cantina is your go-to for comprehensive end-to-end security. Looking to secure your protocol? Let’s talk. We can have a full quote turned around for you within 24 hours, catered exactly to your project’s needs. Request a quote here.