A multi-chain crypto exploit drained GANA Payment of over $3.1 million, shaking the project’s future and raising fresh alarms about DeFi security on BNB Smart Chain.
Quick Summary – TLDR:
- GANA Payment lost over $3.1 million in a sophisticated exploit involving BSC and Ethereum.
- Funds were laundered using Tornado Cash, complicating recovery efforts.
- Blockchain investigator ZachXBT traced the movement of funds and exposed the attack path.
- GANA token plummeted over 90 percent following the breach.
What Happened?
On November 20, 2025, GANA Payment, a BEP-20 token project operating on the Binance Smart Chain, was exploited for over $3.1 million. The attacker swiftly moved the stolen assets through privacy protocols and across blockchains, leaving investigators and token holders scrambling for answers.
🚨 Another rug today
— Master of Crypto (@MasterCryptoHq) November 20, 2025
GANA Payment just lost $3.1M on BSC.
The attacker:
⁰- Sent 1,140 BNB into Tornado⁰- Bridged the rest to Ethereum⁰- Deposited 346 ETH into Tornado⁰- Still holds 346 ETH on-chain
Zach (@zachxbt) confirmed the hit.
Stay alert out pic.twitter.com/QkJgDemG0a
Funds Laundered Through Tornado Cash
According to blockchain investigator ZachXBT, the attacker initially drained funds from GANA Payment’s smart contracts and liquidity pools. These assets were converted into 1,140 BNB, valued at about $1.04 million, and funneled into Tornado Cash on BSC. This mixer service is often used to obfuscate the origins and destinations of cryptocurrency transactions, making stolen funds difficult to trace.
After hiding the initial batch, the hacker bridged the remaining assets to Ethereum, depositing an additional 346.8 ETH, worth approximately $1.05 million, into Tornado Cash on that network. As of now, 346 ETH (around $1.046 million) remains dormant in an Ethereum wallet tied to the attacker. The Ethereum wallet address was identified as 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca.
ZachXBT confirmed the full laundering process using onchain analysis, highlighting how the attacker moved across networks and used privacy tools to cover their tracks. The original BSC address involved in consolidating the stolen assets was 0x2e8a8670b734e260cedbc6d5a05532264aae5c38.
No Audit, No Documentation
Security experts say the GANA Payment project showed glaring vulnerabilities. It lacked formal security audits and did not publish any technical documentation detailing its contract logic. These red flags left it vulnerable to precisely the kind of exploit it faced.
The method of attack shares similarities with other BSC incidents in 2025, such as those involving Future Protocol and various smaller decentralized exchanges. In many cases, these exploits follow a similar pattern:
- Poorly audited or unaudited contracts.
- Liquidity pool drains.
- Key compromises.
- Rapid bridging and mixing via Tornado Cash.
Token Price Tanks Over 90 Percent
The fallout was swift. Within hours of the exploit, GANA’s token dropped more than 90 percent in value, as reported by GeckoTerminal. With investor confidence shaken and little hope for fund recovery, the project’s future looks uncertain.
Despite ongoing blockchain monitoring, there are currently no signs of fund recovery or developer response plans. The attacker remains in control of the remaining stolen ETH, and Tornado Cash’s privacy features continue to hinder tracking efforts.
SQ Magazine Takeaway
Honestly, it’s the same playbook again, and it keeps working. GANA Payment had no audit, no transparency, and apparently no plan. That makes it a soft target for attackers. I’m amazed that in 2025, we still have DeFi projects launching without security audits. It’s disappointing but not surprising to see another BSC token drained and dumped. If you’re putting money into any DeFi project, check the audit status. If it’s not there, neither should your funds be.
