Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

The onchain transactions of the exploiter behind the $116 million Balancer hack point to a sophisticated actor and extensive preparation that may have taken months to orchestrate without leaving a trace, according to new onchain analysis.
The decentralized exchange (DEX) and automated market maker (AMM) Balancer was exploited for about $116 million worth of digital assets on Monday.
Blockchain data shows that the attacker carefully funded their account using small 0.1 Ether (ETH) deposits from the Tornado Cash cryptocurrency mixer to avoid detection. Coinbase director Conor Grogan said the exploiter had at least 100 ETH stored in Tornado Cash smart contracts, indicating possible links to previous hacks.
“Hacker seems experienced: 1. Account Seeded via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks,” said Grogan in a Monday post on X. “Since there were no recent deposits of 100 ETH Tornado, probably that exploiter had funds there from previous exploits.”
Grogan noted that users rarely store such large sums in privacy mixers, further suggesting the attacker’s professionalism.
Balancer offered the exploiter a 20% white hat reward if the stolen funds were returned in full, minus the reward, by Wednesday.
“Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible,” Balancer wrote in its latest X update on Monday.
The Balancer exploit is one of “the most sophisticated attacks we’ve seen this year,” according to Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers:
“Attackers bypassed access control layers to directly manipulate asset balances, a critical failure in operational governance rather than core protocol logic.”
Lavid said the attack demonstrates that static code audits are no longer enough. Instead, he called for continuous real-time monitoring to flag suspicious flows before funds are drained.
North Korea’s infamous Lazarus Group is also known for extensive preparation before its biggest hacks.
According to blockchain analytics firm Chainalysis, illicit activity linked to North Korean cyber actors has declined sharply since July 1, 2024, despite a spike in attacks prior to that year.
The significant slowdown before the Bybit hack signaled that the state-backed hacker group was “regrouping to select new targets,” according to Eric Jardine, Chainalysis cybercrimes research lead.
“The slowdown we observed could be a grouping to select new targets, probe infrastructure, or could be related to those geopolitical events,” he told Cointelegraph.
It took the Lazarus Group 10 days to launder 100% of the stolen Bybit funds through the decentralized crosschain protocol THORChain, Cointelegraph reported on March 4.