Balancer was hacked for ~$100M. Hacker seems experienced:
1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks
2. Since there were no recent 100 ETH Tornado deposits, likely that exploiter had funds there from previous exploits
Balancer hack reveals months of planning behind $116 million crypto heist


The onchain trail left by the exploiter behind the $116 million Balancer hack has revealed a methodical, high-level operation that may have been in motion for months.
The attacker executed every step with surgical precision, using multiple Tornado Cash deposits of 0.1 Ether to mask the origin of funds and avoid identification.
Onchain data indicates months of planning, funded through stealth Tornado Cash transfers.
Security analysts suggest the scale of the breach and the attacker’s operational discipline reflect a growing sophistication in decentralised finance (DeFi) exploits, which increasingly resemble state-sponsored cyber campaigns in planning and execution.
Stealth pattern points to long-term setup
Balancer, the decentralised exchange and automated market maker, confirmed the exploit on Monday, reporting a loss of approximately $116 million in various digital assets.
The attacker’s account received funds through a pattern of small deposits from Tornado Cash, a privacy protocol often used to obscure fund origins.
Blockchain analyst Conor Grogan said in an X post that the exploiter’s account was initially funded with 100 Ether already held within Tornado Cash, suggesting the individual may have been involved in previous hacks.
Grogan noted that users rarely store such large sums in mixers, pointing to the attacker’s experience and careful planning.
Balancer has offered the hacker a 20% white hat bounty if the funds are returned in full, excluding the reward, by Wednesday.
The platform said it is collaborating with security researchers to produce a detailed post-mortem of the incident.
Analysts call it a complex DeFi exploit
According to blockchain security firm Cyvers, the Balancer exploit represents one of the most complex attacks seen this year.
The attackers managed to bypass access control layers and directly manipulate asset balances, exposing a critical weakness in governance rather than in Balancer’s core smart contract logic.
Deddy Lavid, co-founder and chief executive of Cyvers, said the event underscores the limits of static code audits.
He argued that continuous real-time monitoring of transactions is essential to detect anomalies before funds are drained.
Industry experts believe this shift towards persistent surveillance is now unavoidable as DeFi platforms face attackers who test defences months in advance.
Parallels with Lazarus Group activity
The Balancer breach has drawn comparisons to the North Korean Lazarus Group, whose activity patterns show similar levels of preparation.
Chainalysis data indicates that illicit transactions tied to North Korean hackers dropped sharply after July 2024, following a surge earlier that year. Analysts interpreted the lull as a strategic pause to regroup and identify new targets.

The slowdown preceded the $1.4 billion Bybit hack, which took only 10 days to launder through the decentralised cross-chain protocol THORChain.
The speed and coordination of that operation suggest the use of sophisticated automation and pre-planned laundering pipelines, techniques now appearing in independent exploits like the Balancer case.
DeFi faces a rising security threat
The Balancer hack reflects an emerging era of professionalised cyber theft in decentralised finance.
Unlike opportunistic rug pulls or phishing scams, modern exploits increasingly rely on disciplined funding chains, automated obfuscation, and attack vectors targeting governance mechanisms rather than technical flaws.
Investigators believe the Balancer incident demonstrates how attackers are evolving faster than DeFi’s current security models.
As the sector expands, experts warn that the distinction between criminal syndicates and state-linked hackers is blurring, with both groups sharing tools, infrastructure, and tactics.
Balancer’s investigation continues, with the project urging exchanges and wallet providers to monitor suspicious inflows.
The outcome could shape how the DeFi industry rethinks security frameworks, audits, and insurance mechanisms for years to come.
The post Balancer hack reveals months of planning behind $116 million crypto heist appeared first on Invezz
