Gnosis Safes, also known as Safe Smart Accounts, are multisig smart contract wallets requiring multiple owners to approve a transaction. This threshold model reduces the risk of a single private key failure but can complicate investigations as control is distributed across signers. Illicit actors increasingly use Gnosis Safes to store, route, or obscure stolen crypto, often configuring them to mimic legitimate setups or layering controls to hide who runs the funds. The simplest way to identify a Gnosis Safe on-chain is by viewing contract details, where the name may appear as GnosisSafeProxy, and internal transactions often show deployment via the Safe Proxy Factory; the contract’s code is typically publicly verified.
Ownership and activity are tracked at the signer level: each Safe has a set of owners stored in the contract state, and investigators can view these signers directly in block explorers or with tools like TRM Forensics. They can track which signer initiated, signed, or confirmed each transaction and monitor changes to Safe configuration (for example, if a signer was removed after a suspicious transfer). A case study on Avalanche showed a Safe sending 249,999,980 Lighter tokens to an external wallet, with the initiating signer later tied to funds at a centralized exchange, offering potential KYC leads for law enforcement.
Advanced techniques include threshold analysis, modules, and nested Safes, all of which can increase obfuscation risk. Thresholds define how many signers are required and are visible on-chain via tools like Etherscan or app.safe.global, while modules automate transactions and nested Safes add indirection to conceal control. Investigators can use Safe App at app.safe.global to review signer addresses, thresholds, and metadata, helping reveal discrepancies between activity and expected behavior.
Leave a Reply