$2.15M Drained from Mobius in Smart Contract Hack, Washed via Tornado Cash

An attacker exploited a critical flaw in Mobius Token smart contracts, making off with $2.15 million in tokens and laundering the proceeds through Tornado Cash.
Mobius Token, operating on BNB Chain, fell victim to a $2.15 million exploit after a hacker uncovered a critical flaw in its smart contract algorithm.
The attacker deployed a tailored contract that double-applied the decimal multiplier during token swaps, enabling disproportionate token extraction. They then rapidly converted the MBU to stablecoins on PancakeSwap, collapsing pool liquidity, before obfuscating the funds through Tornado Cash.
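To illustrate the class of bug described above, here is an added example (not Mobius contract code and not from the original article) that models 18-decimal fixed-point swap math, with a value-conservation check that rejects an inflated quote. All function names, prices and amounts are constructed assumptions, and Python integers stand in for on-chain `uint256` arithmetic.

```python
# Added illustration; names and values are hypothetical, not Mobius contract code.
WAD = 10**18  # scale factor for 18-decimal token amounts and prices


def quote_buggy(amount_in: int, price_in_wad: int, price_out_wad: int) -> int:
    """Flawed quote: amount_in and price_in_wad are both already WAD-scaled,
    so their product carries WAD twice; the missing division leaves the
    multiplier applied a second time."""
    value_wad = amount_in * price_in_wad          # BUG: should be // WAD
    return value_wad * WAD // price_out_wad


def quote_fixed(amount_in: int, price_in_wad: int, price_out_wad: int) -> int:
    """Correct quote: normalise the product back to a single WAD scale."""
    value_wad = amount_in * price_in_wad // WAD
    return value_wad * WAD // price_out_wad


def conserves_value(amount_in, price_in_wad, amount_out, price_out_wad) -> bool:
    """Invariant: value leaving the pool must not exceed value entering it."""
    value_in = amount_in * price_in_wad // WAD
    value_out = amount_out * price_out_wad // WAD
    return value_out <= value_in


def guarded_swap(quote, amount_in, price_in_wad, price_out_wad) -> int:
    """Run a quote function and refuse to settle if the invariant fails."""
    out = quote(amount_in, price_in_wad, price_out_wad)
    if not conserves_value(amount_in, price_in_wad, out, price_out_wad):
        raise ValueError("swap rejected: output value exceeds input value")
    return out


# Constructed sample: 0.001 of an asset priced at 600, swapped for a token priced at 2.
AMOUNT_IN = 10**15
PRICE_IN = 600 * WAD
PRICE_OUT = 2 * WAD

if __name__ == "__main__":
    print("fixed :", guarded_swap(quote_fixed, AMOUNT_IN, PRICE_IN, PRICE_OUT))
    try:
        guarded_swap(quote_buggy, AMOUNT_IN, PRICE_IN, PRICE_OUT)
    except ValueError as err:
        print("buggy :", err)
```

The same invariant works as a unit or fuzz test assertion before deployment, where it flags the extra scaling factor on any non-trivial input.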
The heist was carried out with remarkable speed, making headlines as one of the most disruptive crypto exploits in recent days. Experts at Cyvers flagged the Mobius Token flaw as critical, citing highly irregular transaction behavior that accompanied the breach.
"Two minutes prior to the exploit, our system identified a deployment of a malicious smart contract, that eventually targeted the Mobius Token smart contracts. The attacker executed multiple malicious transactions via contract, targeting victim's address," the analysts concluded.
The attack lays bare a deeper issue: critical vulnerabilities can exist even in trusted, mainstream DeFi code. PeckShield reports show that April 2025 saw over $360 million in crypto stolen from DeFi protocols and wallets, a dramatic rise from the $33 million stolen in March.
Hacken’s CEO Dyma Budorin didn’t mince words when addressing the state of crypto security. In his remarks, he called out developers for clinging to superficial protections—favoring isolated bounty programs for white-hat hackers over systemic code reviews. According to him, this negligence not only exposes users but erodes trust across the entire Web3 ecosystem.
For decentralized projects to restore credibility, they must adopt a multi-layered approach: secure code by design, protocol-native asset insurance, and active threat monitoring. Just as critical is user-side protection—educating communities to recognize phishing attacks and minimize exposure to social engineering.