Blockchain investigator ZachXBT a prominent on-chain sleuth with over 930,000 followers on X, known for exposing scams and hacks disclosed a major security breach targeting GANA Payment, a decentralized payment protocol built on the BNB Smart Chain (BSC).
The exploit resulted in the theft of over $3.1 million in digital assets, primarily from the project’s smart contracts. This incident highlights ongoing vulnerabilities in smaller DeFi projects on BSC, which have seen collective losses exceeding $100 million in exploits throughout 2025.
GANA Payment is a BEP-20 token-based project focused on facilitating crypto transactions and payments via liquidity pools and decentralized exchanges. It lacks publicly documented security audits, which likely contributed to the breach— a common issue in mid-sized protocols where rushed deployments outpace thorough vetting.
The hack occurred earlier on November 20, 2025, draining funds from GANA’s contracts on BSC. Approximately $3.1 million, including BNB and other tokens. The GANA token price plummeted over 90% within 24 hours, as tracked by GeckoTerminal, erasing significant market value and eroding user confidence.
Register for Tekedia Mini-MBA edition 19 (Feb 9 – May 2, 2026): big discounts for early bird.
Tekedia AI in Business Masterclass opens registrations.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab: From Technical Design to Deployment (next edition begins Jan 24 2026).
The attacker executed the exploit swiftly, consolidating stolen funds into a single wallet before initiating laundering. Specific on-chain movements include: Swapping portions of the loot into BNB. Depositing 1,140 BNB valued at ~$1.04 million into Tornado Cash on BSC to obfuscate the trail.
Bridging the remainder to Ethereum, where 346.8 ETH ~$1.05 million was deposited into Tornado Cash’s Ethereum mixer. An additional 346 ETH ~$1.046 million remains dormant in the Ethereum address 0x7a5…b3cca, with no further activity reported as of the latest updates.
This cross-chain laundering tactic is a hallmark of sophisticated attackers, exploiting bridges and mixers to hinder tracking. ZachXBT’s analysis, shared via his Telegram channel, provided the initial transaction traces that alerted the community.
Attacker’s Actions and Laundering
The exploiter’s post-hack behavior followed a predictable pattern seen in recent BSC incidents. All stolen assets funneled to one address for efficiency. Direct deposit to Tornado Cash to break on-chain links.
Cross-Chain Bridge: Transfer to Ethereum for further mixing, leveraging lower scrutiny on ETH-based tools. Leaving a portion untouched, possibly awaiting market conditions or to avoid immediate flags.
No arrests or fund recoveries have been announced, though BNB Chain has recently partnered with ZachXBT to enhance exploit investigations across its ecosystem. This collaboration could aid in future tracing efforts.
This hack adds to a troubling trend of mid-sized exploits on BSC in 2025, including the $2 million New Gold Protocol breach in September and smaller incidents totaling over $100 million in losses. Similar vulnerabilities—such as unpatched smart contract flaws or liquidity pool drains—have plagued projects like Balancer which lost $120 million in a November exploit affecting forks across chains.
Key takeaways for DeFi users and builders: Prioritize Audits: Projects without multiple, reputable audits (e.g., from PeckShield or Certik) are high-risk. Monitor On-Chain Activity: Tools like Etherscan or BscScan can flag unusual wallet behaviors early.
Diversify Exposure: Avoid over-concentration in unaudited tokens; use hardware wallets for storage. Sleuths like ZachXBT underscore the value of transparent reporting—follow verified investigators to stay ahead of threats.
If you’re holding GANA or similar BSC assets, consider withdrawing to safer chains or stables amid the fallout. Monitor On-Chain activity or check ZachXBT’s channels. This event reinforces that while DeFi offers innovation, security remains its Achilles’ heel.