VECStake Live - The Multisig Betrayal: SUPERFORTUNE Confirms Address Tampering in $15 Million GUA Hack
May 28, 2026 | VECS News
A routine token unlock has unraveled into a full-blown security crisis as SUPERFORTUNE confirms that a multisignature transaction address was altered before execution. The revelation shifts the narrative from simple user error to a sophisticated breach of crypto's most trusted security mechanism, sending shockwaves through the industry and raising urgent questions about the integrity of multisig wallets.
1. The Confirmation That Changes Everything: Address Tampering, Not Poisoning
Just hours after the initial GUA token disaster, SUPERFORTUNE has released a critical update that fundamentally alters the understanding of the attack. In a statement posted on X, the team confirmed that the security incident involved more than just a copy-paste error or a classic address poisoning scam. According to the official announcement, preliminary investigations suggest that the issue may have involved "address manipulation in a multisignature transaction". The team stated that additional unlocked tokens were intended to be sent to the airdrop claim contract address, but during execution, the funds were mistakenly sent to a different hacker address. This is not a case of a user copying the wrong string of characters. This is a case of the transaction itself being altered.
2. Ruling Out the Obvious: Why It Wasn't Address Poisoning
The crypto community initially speculated that a sophisticated "address poisoning" attack was to blame. In such scams, attackers generate vanity addresses that match the first and last few characters of a target's wallet, hoping a user will accidentally copy the fraudulent address from their transaction history. However, SUPERFORTUNE has actively pushed back against this theory. The team noted that the hacker address in question had "no prior interaction with any SUPERFORTUNE-related addresses". This lack of on-chain footprint makes a traditional poisoning attack statistically improbable. The team added that internal procedures already include multiple address-matching checks, yet the funds still went to the wrong destination. The only logical conclusion is that the address was tampered with at the point of transaction signing or execution.
3. The Anatomy of a Multisig Hijack: How Did This Happen?
The confirmation of address tampering points to a terrifying scenario: the compromise of the multisignature process itself. A multisig wallet typically requires multiple private keys to authorize a transaction, a design intended to prevent a single point of failure. However, if an attacker can manipulate what the signers are actually approving, the number of keys becomes irrelevant. SUPERFORTUNE confirmed that the funds were sent to a lookalike address: 0x70AE678b457C5E1b3fD7AD9537F234dFc1795C15, which differs from the intended 0x70ae7D3DECfB4C3aE996fb1c07092566F73D5c15 by only a few characters. The attacker either compromised one of the signing devices to alter the transaction payload before approval, or exploited a vulnerability in the interface displaying the destination address to the signers.
4. The Domino Effect: From $15.18 Million to $5.66 Million in Minutes
The mechanics of the tampering are still under investigation, but the financial outcome is painfully clear. The transferred 14.981 million GUA tokens were valued at approximately $15.18 million before the unauthorized sale. The attacker then immediately swapped the entire stash on-chain for 2,784 ETH, but the rushed liquidation only returned about $5.66 million worth of Ethereum. This represents a 63% loss in value due to slippage and the attacker's urgency to exit before the theft was discovered. The stolen funds were then distributed across three distinct wallet addresses, which are now being tracked by blockchain forensic firms like Arkham.
5. The Market Verdict: GUA Plunges as Confidence Evaporates
The market reaction to the tampering confirmation was swift and brutal. The GUA token price collapsed by more than 70% in the 24 hours following the incident. The token, which had been trading in a relatively stable range, saw massive volume spikes as holders rushed to exit their positions. This was not a gradual sell-off. It was a cascade triggered by the realization that a fundamental security assumption—the sanctity of the multisig transaction—had been violated. The damage extends beyond the immediate $5.66 million loss. The market is now repricing the risk of holding any token that relies on similar operational security for its vesting and treasury management.
6. The Broader Crisis: Multisig Failures Are Becoming a Trend
The GUA incident is not an isolated event. It is the latest and most visible in a string of attacks targeting the operational layer of crypto protocols rather than their smart contract code. Just days before, on May 25, 2026, European stablecoin issuer StablR suffered a $13.5 million exploit after an attacker compromised a "1-of-3" multisig setup, gaining administrative privileges with a single key. This configuration offered minimal protection and resulted in the depegging of its USDR and EURR tokens by as much as 50% [...] $280 million Drift Protocol hack on Solana, where attackers compromised multisig signers' machines weeks before the actual theft, tricking them into approving malicious transactions.
7. The Human Factor: Why Hardware Isn't Always Enough
Security experts have long warned that hardware wallets and multisig configurations are only as strong as the human processes that govern them. The Drift Protocol hack, attributed by Ledger CTO Charles Guillemet to North Korean-linked actors, involved "patient, sophisticated supply-chain-level compromise targeting the human and operational layer, not the smart contracts themselves". Attackers tricked two of five signers into approving malicious transactions, exploiting a setup that featured a zero-second timelock, allowing instant execution of any approved transaction. The GUA incident appears to follow a similar pattern, where the attack did not break the cryptography but exploited the moment of transaction creation and approval.
8. Expert Perspective: Anndy Lian on the End of "Set and Forget" Security
Anndy Lian, an intergovernmental blockchain expert and author, offered a stark assessment of the situation. "The GUA confirmation is a watershed moment," Lian stated in an exclusive comment. "For years, we have told retail investors that multisig is the gold standard. But if the address you see on your screen can be altered before you sign, then the gold standard is tarnished. Projects cannot rely on 'set and forget' security measures anymore. Every transaction, especially unlocks, needs real-time, out-of-band verification. This means confirming destination addresses through a separate channel, not just trusting the interface. The industry has been lazy, and GUA is the price."
9. Expert Perspective: The Call for Standardized Multisig Protocols
The repeated failures of multisig security across GUA, StablR, and Drift Protocol have sparked calls for industry-wide standardization. The GUA incident, where the attacker manipulated a transaction that included a multisig address, highlights the need for mandatory address allowlisting and hardware-based transaction verification for any transfer above a certain threshold. Analysts argue that timelocks—delays between approval and execution—should be mandatory for large treasury movements. A zero-second timelock, as seen in the Drift hack, offers no window for detection or intervention. The community is now demanding that projects adopt "delayed multi-signature requirements" that would have given SUPERFORTUNE time to identify the tampered address before funds were moved.
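The allowlisting check called for above, applied to the two addresses quoted in section 3, as an added example that is not SUPERFORTUNE's or any wallet vendor's code. It assumes the transfer is a plain ERC-20 `transfer(address,uint256)` call; the helper names, the sample amount and the 4-character lookalike threshold are hypothetical.

```python
# Added example: pre-signing destination check. Helper names are hypothetical.
INTENDED = "0x70ae7D3DECfB4C3aE996fb1c07092566F73D5c15"  # intended address (from the article)
RECEIVED = "0x70AE678b457C5E1b3fD7AD9537F234dFc1795C15"  # lookalike address (from the article)
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)
HEX = set("0123456789abcdef")

def norm(addr):
    """Lower-case a 20-byte hex address and strip the 0x prefix."""
    a = addr.lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return a

def short(addr, n=4):
    """Truncated form many interfaces display; unsafe as a comparison key."""
    a = norm(addr)
    return "0x" + a[:n] + "…" + a[-n:]

def shared_ends(a, b):
    """Length of the common prefix and the common suffix of two addresses."""
    a, b = norm(a), norm(b)
    p = next((i for i in range(40) if a[i] != b[i]), 40)
    s = next((i for i in range(40) if a[-1 - i] != b[-1 - i]), 40)
    return p, s

def build_transfer(to, amount):
    """Constructed sample calldata for transfer(to, amount)."""
    return "0x" + TRANSFER_SELECTOR + norm(to).rjust(64, "0") + format(amount, "064x")

def recipient_from_calldata(calldata):
    """Read the recipient from the raw payload being signed, not from the UI."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or data[:8] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    if data[8:32] != "0" * 24:
        raise ValueError("non-zero padding in address word")
    return norm(data[32:72])

def check_destination(calldata, allowlist, min_match=4):
    """Return 'ok', 'lookalike' or 'unknown' for the payload's recipient."""
    dest = recipient_from_calldata(calldata)
    allowed = {norm(a) for a in allowlist}
    if dest in allowed:  # full 20-byte match only
        return "ok"
    for a in allowed:
        p, s = shared_ends(dest, a)
        if p >= min_match and s >= min_match:  # threshold is an assumption
            return "lookalike"
    return "unknown"
```

Both addresses truncate to the same `0x70ae…5c15`, so only the full-length comparison against the allowlist separates them.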
10. The Bottom Line: Trust is Now a Four-Letter Word in Crypto
SUPERFORTUNE has confirmed the worst fears of the crypto community. The address was tampered with. The multisig failed. And $15 million evaporated. The investigation is ongoing, with the team reportedly contacting authorities and incident response teams. But for the average investor, the damage is already done. The incident has shattered the illusion of safety provided by multisignature wallets. Until the industry adopts mandatory address verification standards, hardware-based signing for all significant transactions, and default timelocks on treasury movements, every large unlock is a potential vulnerability. GUA lost 75% of its value because a single address was altered. The next time, it could be any token on any chain.