Best crypto insights delivered straight to your inbox.
- Cyvers Alerts noted unauthorized withdrawals from two small Arbitrum protocols.
- The attacker gained access to an admin role, deploying malicious smart contracts to withdraw $1.5M.
- Tornado Cash is storing record liquidity after activity picked up at the end of 2025.
On-chain research noted outflows from two Arbitrum-based projects. An attacker managed to gain access to two projects, launching a malicious smart contract.Â
Two Arbitrum projects launched by the same deployer suffered unauthorized withdrawals for an estimated $1.5M. The attacker managed to gain admin access, replacing smart contracts with malicious versions.Â
Cyvers Alert noted multiple suspicious transactions on Arbitrum, still one of the most active Ethereum-compatible L2 networks.Â
Preliminary research showed the deployer of USDGambit and TLP projects may have lost access to their account. This allowed the attacker to launch a new contract with ProxyAdmin permissions, controlling both DeFi projects. The stolen funds were bridged back to Ethereum and mixed.Â
Arbitrum attack follows similar small-scale smart contract exploits
The recent attack extends the trend of relatively sophisticated and targeted attacks against smaller protocols. Crypto hacks slowed down in the past year, but DeFi and individual wallets, as well as smart contracts, remain one of the main targets.Â
The attack follows the recent Unleash Protocol theft, again managing to gain access to a governance process and deploy a malicious smart contract. As with previous attacks, the funds were almost immediately mixed.Â
Even after last year’s outflows, Arbitrum remains one of the main venues for DeFi activity, still carrying over $3B in liquidity.Â
Recent attacks targeted relatively obscure projects
Recent attacks affected relatively obscure projects, with smaller hauls. The recent attack follows a model that has been linked to DPRK hackers, which mostly use the Ethereum network and Tornado Cash to launder funds.Â
In this case, the attacker chose a project with residual liquidity. USD Gambit points to a singular exchange, which will be phased out in the coming weeks. The project has been around since 2023, but it did not benefit from the recovery of DeFi and perpetual futures trading. The recent attack shows that all Web3 projects remain at risk of draining available liquidity.Â
In the last quarter of 2025, Tornado Cash also showed a spike in deposits. The mixer holds record value locked, from both new hacks and older exploits. The mixer contains more than 338K ETH, surpassing even the 2021 peak.Â
Even the Railgun mixer, which requires more monitoring, has achieved peak activity at the end of 2025.
New exploiters move fast to avoid address blacklisting. However, most Web3 projects allow trading without blacklisting exploit addresses. Unlike older hacks, new exploiters tend to swap and mix their funds almost immediately, relying on a wider Web3 infrastructure.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Hristina Vasileva
Hristina Vasileva specializes in DeFi, business, and economic news. She graduated from Sofia University with an MA in Philosophy, after completing a 4-year BA in Business Administration, Journalism, and Mass Communication. She has worked for one of the country’s leading newspapers, covering the commodities and corporate results beat. Currently, Hristina is a contributing news author at Cryptopolitan.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)