In the dark forest of the crypto world, hacking incidents continue to emerge one after another. According to blockchain security firm PeckShield, over 300 cryptocurrency hacking incidents occurred in 2024, resulting in total losses of 2.15 billion USD—a 30% increase compared to 1.51 billion USD in 2023. Hackers treat various sectors as their personal ATM machines, with wallet-related fraud being especially rampant—including multisig scams.

A multisig scam is a form of fraud that manipulates wallet accounts by exploiting the multisignature mechanism (commonly called multi-sig), leading to users losing control over their wallets and stealing their assets. While the original purpose of the multisig system is to enhance wallet security, its inherent complexity often becomes an entry point for scammers. This article will take a deep dive into the multisig mechanism—exploring how it works, its pros and cons, real-world case studies, and ultimately providing users with preventive strategies to secure their digital wallet assets better.

What is the Multisig Mechanism?

The multisignature (multisig) mechanism is a widely adopted security technique in the cryptocurrency and blockchain space. It requires multiple private key holders to jointly authorize transactions or perform critical operations, allowing several users to manage and control access to a single crypto wallet collaboratively. Compared to single-key systems, multisig offers significantly greater security and flexibility through distributed authorization. It’s particularly well-suited for scenarios like team collaboration, institutional asset management, and DAO governance.

To put it simply, multisig is a high-security combination lock, where multiple keys must be used to unlock it. This means that even if one or more private keys are lost or compromised, the wallet’s assets may still remain secure.

Key Milestones in the Development of Multisig Mechanisms

• 2012: Bitcoin’s P2SH (Pay-to-Script-Hash) protocol introduced the ability to embed multisig scripts into transactions via hashing.
• 2016: Crypto exchange Bitfinex adopted BitGo’s multisig solution to manage user assets. However, due to a misconfiguration in the hot wallet, 120,000 BTC were stolen.
• 2017: The Parity multisig wallet was attacked due to a code vulnerability, resulting in the theft of approximately 150,000 ETH.
• 2020: The Gnosis team officially launched Gnosis Safe, the first standardized multisig wallet solution within the Ethereum ecosystem. In the same year, Ethereum’s EIP-3074 proposed the AUTH and AUTHCALL opcodes, which allowed externally owned accounts (EOAs) to authorize contracts to execute transactions on their behalf, providing foundational support for multisig.
• 2021: Ethereum’s EIP-4337 proposed account abstraction via smart contracts, enabling more flexible permission management for multisig wallets.
• 2023: EIP-4337 was officially implemented. That same year, a contract vulnerability was discovered in Safe (formerly Gnosis Safe). An attacker exploited a flaw in the signature verification logic to forge multisig transactions and steal funds. In response, the Safe team promptly patched the issue, introduced a modular security audit framework, and launched a new “delayed execution” feature.
• 2024: The EIP-7702 proposal allowed EOA addresses to temporarily gain smart contract functionality within a single transaction, further simplifying multisig logic.

How Multisig Wallets Work

At the core of the multisignature mechanism is the concept of threshold signatures, which means a transaction can only be completed when a predefined number of valid signatures (the threshold) is met. This is commonly expressed in an “m-of-n” format, where m is the number of required signatures, and n is the total number of private keys involved. For example, in a 2-of-3 multisig wallet, three private keys are set up, but any two of them are sufficient to authorize a transaction.

Taking the TronLink wallet—which supports multisig—as an example, the workflow functions as follows:

1) Private Key Management and Distribution

After creating or importing a wallet, the user navigates to the “Permission Management” section under “Wallet Management.” TRON’s multisig permission system defines three levels of access: Owner, Witness, and Active, each with different functions:

• Owner: This is the highest level of authority in the account. It controls ownership, manages permission structures, and can execute any contract. When a new account is created, this role is assigned by default to the account itself.
• Witness: This level is exclusive to Super Representatives and is used to manage block-producing nodes. It is not available to regular users. Once permissions are modified, the block-producing node must be reconfigured.
• Active: This permission level is set and modified by the Owner. It is used to carry out specific tasks such as transfers, voting, staking, asset issuance, and smart contract creation.

Source: TronLink

Users can modify permissions, add private key addresses held by different parties, and configure the threshold value based on their needs. The number of private keys must be equal to or greater than the threshold. For example, in a 3-of-5 setup, the user adds five private keys, and any three of them must sign a transaction for it to be valid.

2) Transaction Signing and Execution

Once setup is complete, User A initiates a transfer request, prompting the system to generate an unsigned transaction. User A then signs the transaction using their private key. After that, User B, User C, or other key holders sign in turn until the required number of signatures is collected. Once the threshold is met, the transaction is verified and broadcast to the blockchain network for execution.

Advantages and Disadvantages of the Multisig Mechanism

Based on how the multisignature mechanism works, its benefits are clear and compelling:

1) Significant Security Enhancement

• Prevents Single Points of Failure: When transactions require multiple signatures, the compromise of a single private key or the failure of one device does not result in asset loss.
• Protects Against Insider Threats: In team environments, requiring multiple approvals significantly reduces the risk of a single individual misappropriating funds.
• Reduces Hacking Risks: An attacker would need to simultaneously compromise multiple private keys or devices, making unauthorized access much more difficult.

2) Flexible Asset Management

• Layered Permissions: Different thresholds can be set for different scenarios.(For example: 2-of-3 for routine, low-value transactions, and 3-of-5 for high-value transfers.)
• Distributed Key Management: Users can store private keys across multiple devices (such as smartphones, hardware wallets, etc.) or in separate physical locations—effectively spreading risk.

3) Improved Transparency and Auditability

All signature-related information—such as addresses, timestamps, and more—is publicly recorded and traceable, making post-event auditing and accountability much easier.

However, the complexity of the multisig mechanism also introduces several challenges, such as:

1) Complex Key Management

While threshold signatures offer flexibility, they also create a high level of dependency. Users must ensure that every private key is securely stored and accessible. If one or more key holders become unreachable, it may be impossible to meet the required signature threshold—potentially leading to funds being permanently locked. Moreover, attackers may exploit social engineering tactics—manipulating human trust by impersonating legitimate sources to trick other signers into granting authorization. This can result in unauthorized access and theft of funds.

2) High Barrier for Users

Since transactions require coordination among multiple parties for signing, this can cause delays or errors, especially in urgent situations

3) High On-Chain Costs

On chains like Ethereum, multisig contracts require multiple rounds of signature verification. Compared to single-signature transactions, this leads to significantly higher gas costs.

4) Risk of Technical Vulnerabilities

Multisig is not inherently foolproof. If the wallet system’s integration or the contract itself has security flaws, hackers may exploit them to steal funds.

Bybit Attack Process (Source: SlowMist Security Team)

For instance, on February 21, 2024, the multisig wallet of crypto exchange Bybit was specifically targeted and breached. Hackers exploited the delegatecall function in the Safe multisig wallet contract, injecting a malicious contract to override the correct logic. This made fraudulent transactions appear legitimate on the front end, deceiving the signers. As a result, the attacker bypassed the multisig verification process and successfully transferred nearly 1.5 billion USD in assets to an anonymous wallet address.

What are the Common Tactics Used in Multisig Scams?

At their core, multisig scams typically revolve around private key leaks or unauthorized changes to wallet permissions. Scammers gain access to a user’s private key or mnemonic phrase through various means, and then modify the wallet’s permissions—adding their own address as a co-controller of the multisig account. In such cases, users can still receive funds into the wallet without any issues, but when they try to transfer funds out, they find they cannot do so. Due to this hidden setup, many users don’t realize they’ve already lost control of their wallet. Scammers often play the long game—waiting for assets to accumulate before draining the wallet.

So, in what situations do wallets typically fall victim to malicious multisig setups?

1) Improper Key Management by the User: Some users store private keys or mnemonic phrases by taking screenshots, uploading them to cloud drives, or saving them on internet-connected devices. Hackers can obtain these through cyberattacks, and once they have access, they can immediately configure malicious multisig permissions.

2) Social Engineering Attacks: These come in various forms. Common tactics include phishing links from third-party websites, fake airdrop claims, enticing users with low-cost top-ups, impersonating technical support, or posing as team members to trick users into granting permissions. These methods can lead users to either knowingly or unknowingly disclose their wallet’s private key, or trigger malicious smart contract code that alters wallet permissions—resulting in the wallet being configured as a multisig under the scammer’s control.

3) Deliberate Key Disclosure by Others: In some cases, scammers pretend they don’t know how to operate a wallet and offer their private key to the user for help with a transfer. However, the wallet has already been set up as a multisig, and once the user transfers crypto into it, the assets are irreversibly lost—controlled by the scammer through multisig permissions.

How Can Users Protect Themselves?

To fully leverage the security benefits of multisig mechanisms while minimizing risk, users should adopt a dual approach: combining technical safeguards with behavioral best practices.

Technical Measures:

• Choose trusted multisig services: Prioritize open-source multisig wallets that have undergone third-party security audits. Opt for service providers or wallet platforms with strong reputations and proven security track records.
• Implement multiple layers of security: In addition to multisig, users should also activate extra protective tools such as hardware wallets (e.g., Ledger, Trezor), two-factor authentication (2FA), antivirus software, and browser extensions like Scam Sniffer to block phishing threats.

Behavioral Practices:

• Safeguard private keys properly: Never share your private key with anyone. To avoid online risks, store your private key or mnemonic phrase offline, ideally written down on durable paper and securely sealed in a physical location.
• Be cautious with suspicious operations and links: Never click unknown links or download unofficial apps. Always verify airdrop notifications and other communications through official sources. Before approving any contract interaction, carefully review the requested permissions—such as token approvals or account upgrades—and reject anything suspicious.
• Regularly check wallet authorization status: Use tools like Revoke.cash to inspect and revoke any unauthorized wallet permissions.

Navigating the crypto world demands constant vigilance. Users should adopt a “zero trust” mindset—avoid wishful thinking or get-rich-quick fantasies, and stay alert to common traps. Equally important is staying informed: learn about evolving scam techniques and build stronger risk awareness.

If a user discovers that their wallet has been maliciously configured as a multisig account, they should immediately disconnect from the internet, cut off all connected devices from interacting with the compromised wallet, revoke permissions via a blockchain explorer, and contact a professional security team as soon as possible for assistance.

Of course, beyond individual users, the multisig mechanism itself must continue to evolve to better defend against increasingly sophisticated attacks. For example, integrating MPC (Multi-Party Computation) to enable “keyless” signatures, allowing users to co-sign transactions without revealing complete private keys; implementing dynamic defenses that adjust signature rules in real-time based on threat intelligence; and establishing automated verification systems that leverage AI detection tools to freeze suspicious transactions and trigger alerts.

On the other hand, regulatory bodies have also begun enforcing compliance requirements for custodial wallet services, including multisig wallets. For example, the European Union’s Markets in Crypto-Assets (MiCA) regulation—now officially in effect—clearly mandates that institutions offering custodial services such as multisig wallets must meet licensing, capital, and asset segregation requirements, and must adhere to strict operational compliance standards.

As global regulatory frameworks for crypto custody continue to become clearer and more established, these rules—while adding extra costs for service providers—will ultimately contribute to a more transparent, trustworthy crypto ecosystem, significantly enhancing user asset security.

Conclusion

The multisig mechanism has greatly enhanced the security and flexibility of cryptocurrency storage. By eliminating the risks associated with a single private key, it lays a solid foundation for asset management, enterprise applications, and innovative financial services. However, like any complex system, multisig is not immune to exploitation, and scams targeting it are becoming increasingly common.

As crypto users, it’s essential to continually improve security awareness, stay vigilant against tempting offers and hidden traps, and never let short-term gains lead to long-term losses. Additionally, users should become proficient in utilizing various crypto tools to more effectively guard against potential risks.