DeFi protocol MakinaFi has been hit by a security breach, with attackers stealing 1,299 ether worth roughly $4.13 million.
The incident was first flagged by blockchain security firm PeckShieldAlert, which shared details on X and tracked how the stolen funds were moved soon after the attack.
#PeckShieldAlert @makinafi has been exploited for ~1,299 $ETH (~$4.13M).
The hacker was frontrun by MEV Builder (0xa6c2…).
The stolen funds are currently held in 2 addresses:
0xbed2…dE25 ($3.3M) & 0x573d…910e ($880K) pic.twitter.com/Q5WzHpfq7j— PeckShieldAlert (@PeckShieldAlert) January 20, 2026
The stolen ETH funds were quickly re-routed into various wallets, a practice commonly used to ensure that tracking and subsequent identification of the miscreants is challenging. The attack is yet another example pointing towards the vulnerabilities associated with DeFi and indicating that as innovative as DeFi is, there is also potential for attacks to compromise funds.
Stolen ETH from MakinaFi hack split between two wallets
Blockchain data suggests that the stolen ETH from the MakinaFi attack was promptly divided between two wallets.
One address, 0xbed2…dE25, ended up holding the majority of the stolen funds i.e.about $3.3 million.
The other wallet, 0xE573…f905, held roughly $880,000. According to Etherscan, part of the money trail links back to an entity tagged as an MEV builder.
Security firm PeckShieldAlert also noticed that some transactions were executed before others, thus showing timing and careful ordering during the entire exploit.
It further indicates that the attack was not random but a properly organized and highly technical exploit. The incident has also raised eyes upon MEV-related risks in DeFi.
How do MEV frontrunning exploits take place?
In a MEV frontrunning attack, the attacker makes use of the ordering of transactions in a blockchain.
MEV stands for Maximum Extractable Value and refers to the value of pending transactions that can be observed and reordered for profit by specific parties, who are essentially builders or validators.
In a frontrunning attack, an attacker executes his transaction right before a victim’s, leveraging price changes or smart contract logic.
In DeFi, this could be utilized for fund draining or for trading manipulation where the attacker will make sure that his transaction is processed first. Since these attacks rely on speed and privileged access to transaction ordering, they are not easy to detect or avoid.
What is the market watching now?
Investors and market participants are closely monitoring what happens to the stolen ether, particularly whether it is mixed using laundering services or exchanged on centralized exchanges to cover any tracing of its origin.
An early analysis of on-chain data has attributed part of a transaction process to a MEV builder, showing that builder-related mechanisms rather than manual transactions seem to have been employed for the purpose of execution of this exploit.
The action indicates a more sophisticated attack that exploited the ordering of the transactions on the network.
MakinaFi still has to provide a detailed technical explanation of the hack and the solution for the same. Users and analysts have been left with questions regarding the protocol’s response to the security lapse, occurring due to the lack of prompt clarification.