GANA Payment, a BEP-20 token project operating on the Binance Smart Chain (BSC), has suffered a $3.1 million exploit.
The confirmation of details and tracing of the laundering of stolen funds was by blockchain investigator ZachXBT. The incident highlights persistent vulnerabilities in BSC-based protocols and exposes ongoing risks for smaller DeFi projects.
How the GANA Payment Exploit Occurred
An attacker took $3.1 million in cryptocurrency from GANA Payment’s project contracts and liquidity pools on November 20, 2025. The attacker first converted the cash into 1,140 BNB, or $1.04 million, at a BSC address. Then, they immediately transferred the money into Tornado Cash, a privacy-focused mixer that hides transaction records and makes asset recovery more difficult. With 346.8 ETH (about $1.05 million) transferred via Tornado Cash and another 346 ETH (worth $1.046 million) kept dormant in an Ethereum wallet. The remaining compromised funds bridged to Ethereum.”
ZachXBT’s on-chain analysis confirms the multi-step laundering process, a tactic increasingly favored in recent attacks on BNB Chain. The move to Tornado Cash and subsequent cross-chain transfers make tracking and freezing the stolen assets much more challenging for law enforcement and exchanges.
DeFi Security Risks and Response
GANA Payment lacked comprehensive security audits or publicly available technical documentation, leaving it susceptible to smart contract vulnerabilities. This hack follows a string of similar BSC exploits. They had poorly audited contracts rapidly drained, and attackers evaded detection through privacy tools and cross-chain bridging. DefiLlama reports that BSC projects have collectively lost over $100 million to such exploits in 2025.
Security analysts stress the necessity of regular audits and transparency for DeFi projects. The rapid execution and coordination observed in the GANA exploit mirror other incidents, such as the Future Protocol and smaller DEX attacks, raising urgency for improved contract design and proactive threat monitoring.
Recovery prospects remain bleak. Blockchain monitoring services and alert networks continue to track the dormant Ethereum addresses and related wallets, but the attacker presently retains control over more than $1 million in unlaundered ETH. The GANA Payment hack stands as another stark reminder of DeFi’s fragility in the absence of robust security measures and tested smart contracts.
READ MORE: Starknet Price Prediction as BTC Staking Crosses $365 Million
