Whitehat Hacker Saves $1.5M in DeFi’s First Big Hack of 2025

The first crypto heist of this year happened yesterday with a big bang as hackers drained  $2.5 million from the decentralized finance (DeFi) options platform Moby on the Arbitrum network. 

However, in a dramatic turn of events, whitehat hacker Tony Ke, a self-described “noob engineer” and MEV researcher from Solayer Labs/Fuzzland, got back $1.5 million in USDC from the money taken by the attacker.

Tony Ke recovers $1.5m from the stolen fund| Source: X

Moby confirmed that the breach stemmed from a leaked private key, which the hacker used to exploit a proxy contract and activate an “emergency” withdrawal function. The stolen funds included 207 WETH valued at $687,000 and 3.7 WBTC worth $350,000.

“This was not a security issue with the protocol’s smart contracts,” Moby stated, promising to reimburse affected traders and liquidity providers (LPs).

According to blockchain security firm Beosin , the attacker converted the stolen funds into ETH and transferred them to an Ethereum address before scattering them across a large number of wallets.

The situation took a twist when Ke’s MEV bot detected a glitch in the hacker’s own contract. After hacking Moby’s private key, the attacker left the upgrade function in their replacement contract unsecured, allowing Ke to execute a counter-exploit .

Using the same loophole, Ke recovered $1.5 million in USDC from the attacker’s contract. “The rescue of the remaining WETH and WBTC was missed by just 30 seconds,” Ke explained, highlighting the razor-thin margins in such high-stakes recoveries.

The remaining stolen funds, approximately $1 million in WETH and WBTC, remain unrecovered. Moby has since pledged to compensate for all losses, demonstrating a commitment to its user base amid ongoing scrutiny.

Meanwhile, Virtuals Protocol, an AI agent platform, reported a breach of its Discord server after a private key of a Discord moderator was compromised, allowing unauthorized access to the server. Multiple phishing links were shared on Google during the breach, but the Virtuals team confirmed that the issue had been resolved.