Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Investigations
January 29, 2026

Investigator Insights: How to Analyze Gnosis Safes in Blockchain Investigations

TRM Team
Investigator Insights: How to Analyze Gnosis Safes in Blockchain Investigations

Key takeaways

  • Gnosis Safes (now often called Safe Smart Accounts) are multisig smart contract wallets that require multiple approvals to execute transactions — improving treasury security but complicating investigations.
  • Illicit actors increasingly exploit Gnosis Safes to store, route, or obscure stolen crypto — often configuring them to mimic legitimate setups or layering them to hide control.
  • Investigators can identify Safes on-chain via indicators like the GnosisSafeProxy contract name, use of the Safe Proxy Factory, and unique transaction patterns requiring no token transfer.
  • Signer-level analysis reveals attribution opportunities, especially when Safe owners also use linked wallets on centralized exchanges or participate in other known activity.
  • Advanced Safe features like modules and nesting increase obfuscation risk, requiring investigators to trace control structures, signer behavior, and transaction automation logic.

{{horizontal-line}}

Gnosis Safes, which are now often referred to as Safe Smart Accounts, are multi-signature smart contract wallets that offer enhanced security for digital assets. 

While they’re commonly used by Decentralized Autonomous Organizations (DAOs), protocols, and crypto-native businesses, investigators are increasingly encountering them in high-profile hacks, fraud schemes, and sanctions evasion activity. Gnosis Safes have been used in several prominent attacks in recent years:

  • 2025 ByBit hack — in which DPRK-affiliated actors injected malicious JavaScript into the Safe{Wallet} UI, tricking authorized signers into approving a handover of control)
  • 2024 Radiant Capital exploit and 2024 WazirX incident — in which Gnosis Safes were used as part of broader attack chains to temporarily secure or route illicit funds

In this article, we’ll explore what Gnosis Safes are, how investigators can identify them on-chain, and how to extract meaningful intelligence during an investigation.

What is a Gnosis Safe?

A Gnosis Safe is a smart contract wallet that requires multiple owners to approve a transaction before it can be executed. Instead of relying on a single private key, Gnosis Safes operate using a threshold model — for example, requiring two of three or five of seven designated owners to approve any movement of funds.

This distributed control minimizes the risk of a single point of failure, enables collaborative management of shared treasuries, and creates a clear on-chain trail of approvals from known addresses. Gnosis Safes are also highly configurable. Users can add or remove owners, set or adjust the signature threshold, and enable optional modules to customize wallet behavior.

Why do Gnosis Safes matter for investigators?

From a compliance or investigative standpoint, Gnosis Safes offer both opportunities and challenges.

Illicit actors use Gnosis Safes as “secure vaults” to manage stolen funds, obfuscate control, or enforce internal guardrails within criminal groups. They can also be used to fake legitimacy. For example, a fraudulent project might create a five-of-five multisig wallet to manage investor funds but secretly control all five keys. On the surface, it looks secure. In practice, it’s a rug pull waiting to happen.

How to identify a Gnosis Safe on-chain

1. Use blockchain explorers

The simplest way to identify a Gnosis Safe is by viewing the contract details.

  • The contract name may appear as GnosisSafeProxy
  • Internal transactions often show deployment via the Safe Proxy Factory
  • The contract’s source code and bytecode are usually publicly verified

2. Use visual graphing tools

Tools like TRM Forensics can highlight:

  • Safe creation transactions, which typically involve zero token value and only incur gas fees — standard transaction costs for using a blockchain
  • Entities interacting with the Safe, including signers and connected addresses

For example, On Avalanche, a Safe creation might show an AVAX transaction to the Safe Proxy Factory, followed by contract instantiation with no funds moved — a typical deployment pattern.

Excerpt from an open-source explorer; the two red squares highlight indicators that this is a Gnosis Safe (Source: Etherscan)
A snapshot of the internal transactions tab (Source: Etherscan)

How to investigate ownership and activity

Each Gnosis Safe has a set of owners, or “signers,” which are explicitly stored in the smart contract state. Investigators can view these owners directly in block explorers or tools like TRM Forensics, track which owner initiated, signed, or confirmed each transaction, and monitor changes to Safe settings (e.g. if a signer was removed after a suspicious transfer).

Owners can propose and approve transactions, modify Safe configuration (e.g. thresholds, signer list), and interact with other smart contracts on behalf of the Safe.

Understanding which signers were active in key moments and how they relate to other infrastructure is critical for attribution.

Case study: Tracing the signer

In one observed transaction, a Gnosis Safe on the Avalanche blockchain network sent 249,999,980 Lighter tokens to an external wallet. Further investigation revealed that the initiating signer had received funds from a centralized exchange. This could provide very interesting insights for law enforcement — particularly in terms of Know Your Customer (KYC) records.

This pattern — where Safe signers double as operational wallets — allows investigators to connect infrastructure, even when assets don’t move directly between known entities.

Advanced techniques: Thresholds, modules, and nested Safes

Threshold analysis

Understanding the Gnosis Safe’s threshold is key. If three of five owners are required to move funds, investigators may need to identify only those three most active wallets to map control. Thresholds are stored in the Safe’s on-chain infrastructure and are visible via tools like Etherscan or app.safe.global.

Modules and custom behaviors

Gnosis Safes can support optional modules, which allow additional logic to govern transactions. For example: auto-splitting funds to multiple wallets or automatically triggering transfers when balances hit a certain threshold.

Illicit actors may use these modules to pre-program exits, bypassing the normal multisig protections without raising alarms.

Nested Safes

In some setups, one Safe is used as an owner of another — adding a layer of indirection and making attribution harder. Tracing the nested structure can reveal larger operational setups or laundering paths.

Using Safe App for additional intelligence

Investigators can also use app.safe.global to input a Safe address and view signer addresses and thresholds, review detailed transaction metadata (including who proposed and who confirmed each transaction), and identify discrepancies between signer activity and expected behavior. This interface supplements blockchain explorer data and offers a human-readable view of wallet configuration and operations.

Questions investigators should ask when dealing with a Gnosis Safe

Gnosis Safes are powerful security tools. And investigators are likely to increasingly encounter them more often — as both legitimate protocols and obfuscation tools for sophisticated threat actors.

Some key questions to ask when you see a Gnosis Safe:

  • Who are the real operators?
  • What configuration does the Safe use — and has it changed?
  • Are there signs of obfuscation (e.g. nested wallets, modules, signer overlap)?
  • Can I map signer activity to prior incidents or infrastructure?

By analyzing not just the Safe itself, but the people and permissions behind it, investigators can better trace illicit flows, strengthen attribution, and anticipate how actors adapt.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What is a Gnosis Safe?

A Gnosis Safe (also known as a Safe Smart Account) is a multi-signature smart contract wallet that requires a set number of approvals to authorize a transaction. It offers enhanced security, transparency, and control compared to single-signature wallets.

2. Why are Gnosis Safes relevant in blockchain investigations?

They are increasingly used by threat actors to manage stolen funds, simulate legitimacy, or obscure ownership. Their multisig structure can make it harder to trace asset control, but also provides investigators with a clear trail of signer activity.

3. How can I identify a Gnosis Safe on-chain?

Look for contract names like GnosisSafeProxy, creation via the Safe Proxy Factory, and zero-value contract deployments. Tools like TRM Forensics and block explorers like Etherscan can highlight these patterns and expose signer interactions.

4. Where can I find the list of Safe signers?

Signer addresses are stored in the Safe’s smart contract and can be viewed on platforms like Etherscan, app.safe.global, or TRM Forensics. These tools also reveal signer activity, threshold settings, and configuration changes.

5. What are the risks of nested Gnosis Safes?

Nested Safes occur when one Safe controls another. This setup can mask true ownership and delay attribution. Investigators need to trace the full ownership chain to uncover operational intent and control.

6. Can actors use modules to bypass Safe security?

Yes. Modules can automate transactions or trigger activity outside standard signer approval. Illicit users may leverage them for stealth exits or rapid fund distribution, avoiding detection by relying on custom logic.

7. How do Safe thresholds impact attribution?

Thresholds define how many signers are needed for a transaction. Knowing the threshold helps narrow the focus to the most active or relevant signers — which can inform control mapping and investigative leads.

8. How are Gnosis Safes used to simulate legitimacy?

Fraudulent actors may configure a Safe to appear secure — for example, setting up a five-of-five multisig — while secretly controlling all keys. This tactic is often used in rug pulls and deceptive fundraising.

This is some text inside of a div block.

Related posts

arrow right
BLOG
October 22, 2025

Understanding Address Poisoning on the TRON Blockchain

arrow right
White Paper
September 8, 2025

Why Law Enforcement Agencies Need Blockchain Intelligence

No posts to show
No posts to show
arrow right
GUIDE
August 29, 2025

Investigating Crypto Scams | Flip Book

No posts to show

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe and stay up to date with our insights
No items found.
Digital illustration showing a pie chart, masked criminal figure, and crypto coin symbol on a data grid background—representing crypto crime analytics.
REPORT
See the trends and typologies that shaped the illicit crypto ecosystem in 2025
READ THE REPORT →
Blue diamond with a circle overlayed in white on a dark blue background
REPORT
Unlocking more clarity for institutional adoption with key crypto policy shifts in 2025
READ THE REPORT →
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT