Radiant Post-Mortem

2024-10-18 Radiant Capital

https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081

This breach occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates. The malicious actors exploited this normalcy, using the process to collect multiple compromised signatures over several attempts, all while mimicking the appearance of routine transaction failures. The attackers used malware to manipulate transaction data at the device level, bypassing manual checks and simulations in Tenderly, which returned normal results. The transactions the attackers presented in Gnosis Safe looked normal, with no visible anomalies aside from routine transaction failures, a common occurrence that made detection difficult.

Indicators of Compromise

Type    Value             First Seen  Last Seen
DOMAIN  help.safe.global  2024-10-18  2025-02-26
DOMAIN  chainlist.org     2024-10-18  2024-10-18
