
Balancer $116M Hack: Onchain Analysis Points to Sophisticated Actor, Extensive Prep


Balancer Hack Analysis: A Sophisticated Operation?

Onchain transactions of the exploiter behind the $116 million Balancer hack point to a sophisticated actor and extensive preparation that may have taken months to orchestrate without leaving a trace, according to new onchain analysis.

The decentralized exchange (DEX) and automated market maker (AMM) Balancer was exploited for around $116 million worth of digital assets on Monday. Blockchain data shows the attacker carefully funded their account using small 0.1 Ether (ETH) deposits from cryptocurrency mixer Tornado Cash to avoid detection.

Conor Grogan, director at Coinbase, said the exploiter had at least 100 ETH stored in Tornado Cash smart contracts, indicating possible links to previous hacks. “Hacker seems experienced: 1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks,” said Grogan in a Monday X post. “Since there were no recent 100 ETH Tornado deposits, likely that exploiter had funds there from previous exploits.”

Grogan noted that users rarely store such large sums in privacy mixers, further suggesting the attacker’s professionalism. Balancer offered the exploiter a 20% white hat bounty if the stolen funds were returned in full, minus the reward, by Wednesday.

“Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible,” wrote Balancer in its latest X update on Monday.

Balancer Exploit Was Most Sophisticated Attack of 2025: Cyvers

The Balancer exploit is one of the “most sophisticated attacks we’ve seen this year,” according to Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers:

“The attackers bypassed access control layers to manipulate asset balances directly, a critical failure in operational governance rather than core protocol logic.”

Lavid said the attack demonstrates that static code audits are no longer sufficient. Instead, he called for continuous, real-time monitoring to flag suspicious flows before funds are drained.

Lazarus Group Paused Illicit Activity for Months Ahead of the $1.4 Billion Bybit Hack

The infamous North Korean Lazarus Group is also known for extensive preparation ahead of its biggest hacks. According to blockchain analytics firm Chainalysis, illicit activity tied to North Korean cyber actors sharply declined after July 1, 2024, despite a surge in attacks earlier that year.

The significant slowdown ahead of the Bybit hack signaled that the state-backed hacking group was “regrouping to select new targets,” according to Eric Jardine, Chainalysis cybercrimes research lead.

“The slowdown that we observed could have been a regrouping to select new targets, probe infrastructure, or it could have been linked to those geopolitical events,” he told Cointelegraph.

It took the Lazarus Group 10 days to launder 100% of the stolen Bybit funds through the decentralized crosschain protocol THORChain, Cointelegraph reported on March 4.

