GANA Payment exploited for more than $3.1 million

A decentralized payment project on Binance Smart Chain (BSC) called GANA Payment was exploited at around 5:00 AM UTC on Thursday, resulting in losses exceeding $3.1 million, according to blockchain researcher ZachXBT. 

The crypto investigator’s findings showed that the attacker used a flaw in the project’s smart contract to steal tokens. They then moved them through Tornado Cash and other networks to set up money laundering operations.

“GANA’s interaction contract has been targeted by an external attack, resulting in unauthorized asset theft…We will continue to provide updates on the investigation progress and subsequent actions through official channels,” the DeFi platform wrote on X earlier today.

Several cybersecurity platforms on X, including OnChain Lens, reported that the exploit began when the attacker transferred 1,140 BNB, valued at approximately $1.04 million, into Tornado Cash on BSC. 

The stolen assets were subsequently bridged to Ethereum, where another 346 ETH, worth $1.05 million, was deposited into the crypto mixer purportedly for laundering.

Blockchain records shared by ZachXBT show the Ethereum address used for laundering was 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca. The original theft addresses on BSC were identified as 0x2e8a…aae5c38 and 0xd10e…cc8fa4d.

Hacker exploited GANA’s ‘unstake function’ to steal coins

According to Web3 security firm HashDit, the ownership of the exploited contract had been altered, which the hacker used to manipulate reward rates and invoke the unstake function, receiving more GANA tokens than intended. 

🚨HashDit Alert🚨

HashDit has monitored that @GANA_PayFi has been compromised for ~$3.1m $GANA.

Users should NOT trade with the $GANA token for the time being, and await for team announcement!

Funds have been deposited into TC: https://t.co/rtdjnMvYpI

Root cause: Ownership of… pic.twitter.com/XZzuoMmf8D

— HashDit | now with Pro Extension (@HashDit) November 20, 2025

The perpetrator then rapidly sold the tokens on decentralized exchanges, significantly devaluing the project’s currency. A total amount of 346 ETH held in the Ethereum address remained dormant for several hours. 

However, beginning an hour ago, the hacker resumed laundering the funds through Tornado Cash in incremental batches of 1 ETH, 10 ETH, and 100 ETH, a method used by thieves during DeFi attacks to “shake-off” security researchers’ trail of stolen funds.

GANA Payment is a relatively small-scale payment token project built around the BEP-20 GANA token. Its operations are decentralized and use liquidity pools and exchanges, but Cryptopolitan has not found any publicly available technical documentation. 

The project, which launched in early November, has yet to publish formal audits or detailed security analyses. In the aftermath of the hack, data from GeckoTerminal showed that GANA’s token value dropped more than 90%.

DeFi exploits on BSC, Ethereum cooled in October

According to DefiLlama’s hack tracker, smaller BSC-based projects have collectively lost over $100 million in 2025 alone. The hack on GANA has taken the tally to almost $10 million in the last two months, including network breaches on OlaXBT, Evoq Finance, Seedify and GriffinAI.

Cryptopolitan reported in October that total losses from hacks amounted to just $18.18 million in about 15 incidents, an 85.7% drop from September’s $127.06 million. Major incidents that took place during the month included hacks at Garden Finance, Typus Finance, and Abracadabra, which together accounted for $16.2 million in stolen funds. 

Abracadabra, a decentralized lending protocol and maker of the Magic Internet Money (MIM) stablecoin, suffered a $1.8 million loss when attackers used flaws in how the contract handled actions within the same transaction. 

Typus Finance lost $3.4 million due to access control weaknesses in its custom price oracle, while Garden Finance experienced an $11 million loss through a single solver connected to several blockchain networks.

This month, Balancer was hit with one of the largest DeFi hacks of 2025, where wrapped ETH and other assets from multiple networks were swindled for several hours. Blockchain investigators had estimated losses of about $70 million, but when the network’s developers took back control, the bleeding had gone north of $116 million. 

The following day, multi-chain lending protocol Moonwell was exploited via flawed oracle data, losing around $1 million. The attacker took advantage of price discrepancies to borrow and trade specific wrapped ETH assets, pocketing 295 ETH.

Per DefiLlama data, cross-chain bridge hacks in 2025 had resulted in over $1.5 billion in stolen funds by mid-2025, while reentrancy bugs accounted for $325 million in losses, particularly from older or forked contracts. Oracle manipulation accounted for 13% of attacks, while liquidity pool drains caused $103 million in stolen assets. 

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.