Losses reach $1.5M as attackers access two DeFi smart contracts on Arbitrum

On-chain research noted outflows from two Arbitrum-based projects. An attacker managed to gain access to two projects, launching a malicious smart contract. 

Two Arbitrum projects launched by the same deployer suffered unauthorized withdrawals for an estimated $1.5M. The attacker managed to gain admin access, replacing smart contracts with malicious versions. 

Cyvers Alert noted multiple suspicious transactions on Arbitrum, still one of the most active Ethereum-compatible L2 networks. 

Preliminary research showed the deployer of USDGambit and TLP projects may have lost access to their account. This allowed the attacker to launch a new contract with ProxyAdmin permissions, controlling both DeFi projects. The stolen funds were bridged back to Ethereum and mixed. 

Arbitrum attack follows similar small-scale smart contract exploits

The recent attack extends the trend of relatively sophisticated and targeted attacks against smaller protocols. Crypto hacks slowed down in the past year, but DeFi and individual wallets, as well as smart contracts, remain one of the main targets. 

The attack follows the recent Unleash Protocol theft, again managing to gain access to a governance process and deploy a malicious smart contract. As with previous attacks, the funds were almost immediately mixed. 

Even after last year’s outflows, Arbitrum remains one of the main venues for DeFi activity, still carrying over $3B in liquidity. 

Recent attacks targeted relatively obscure projects

Recent attacks affected relatively obscure projects, with smaller hauls. The recent attack follows a model that has been linked to DPRK hackers, which mostly use the Ethereum network and Tornado Cash to launder funds. 

In this case, the attacker chose a project with residual liquidity. USD Gambit points to a singular exchange, which will be phased out in the coming weeks. The project has been around since 2023, but it did not benefit from the recovery of DeFi and perpetual futures trading. The recent attack shows that all Web3 projects remain at risk of draining available liquidity. 

In the last quarter of 2025, Tornado Cash also showed a spike in deposits. The mixer holds record value locked, from both new hacks and older exploits. The mixer contains more than 338K ETH, surpassing even the 2021 peak. 

Even the Railgun mixer, which requires more monitoring, has achieved peak activity at the end of 2025.

New exploiters move fast to avoid address blacklisting. However, most Web3 projects allow trading without blacklisting exploit addresses. Unlike older hacks, new exploiters tend to swap and mix their funds almost immediately, relying on a wider Web3 infrastructure.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.