The onchain transactions of the exploiter behind the $116 million Balancer hack point to a sophisticated actor and extensive preparation that may have taken months to orchestrate without leaving a trace, according to new onchain analysis.

The decentralized exchange (DEX) and automated market maker (AMM) Balancer was exploited for around $116 million worth of digital assets on Monday.

Blockchain data shows the attacker carefully funded their account using small 0.1 Ether (ETH) deposits from cryptocurrency mixer Tornado Cash to avoid detection.

Conor Grogan, director at Coinbase, said the exploiter had at least 100 ETH stored in Tornado Cash smart contracts, indicating possible links to previous hacks.

“Hacker seems experienced: 1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks,” said Grogan in a Monday X post. “Since there were no recent 100 ETH Tornado deposits, likely that exploiter had funds there from previous exploits.”

Grogan noted that users rarely store such large sums in privacy mixers, further suggesting the attacker’s professionalism.

Source: Conor Grogan

Balancer offered the exploiter a 20% white hat bounty if the stolen funds were returned in full, minus the reward, by Wednesday.


“Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible,” wrote Balancer in its latest X update on Monday.

Balancer exploit was most sophisticated attack of 2025: Cyvers

The Balancer exploit is one of the “most sophisticated attacks we’ve seen this year,” according to Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers:

“The attackers bypassed access control layers to manipulate asset balances directly, a critical failure in operational governance rather than core protocol logic.”

Lavid said the attack demonstrates that static code audits are no longer sufficient. Instead, he called for continuous, real-time monitoring to flag suspicious flows before funds are drained.
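As an added illustration of the kind of real-time monitoring Lavid calls for (not code from Balancer, Cyvers or Coinbase), the following heuristic flags an address whose funding matches the seeding pattern described above: several small, identical-denomination withdrawals from known mixer contracts and little else. The mixer pool labels, address strings and transfer records are all constructed placeholders.

```python
"""Triage heuristic: flag fresh addresses funded almost entirely by mixer withdrawals
in one small, uniform denomination. Constructed example, not Balancer's or Cyvers' code."""
from dataclasses import dataclass

# Placeholder labels for mixer pool contracts (assumption: a real monitor loads
# the actual, curated contract addresses; these strings are not real addresses).
MIXER_POOLS = {"0xMIXER_POOL_0.1ETH", "0xMIXER_POOL_1ETH", "0xMIXER_POOL_100ETH"}

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value_eth: float

def funding_profile(transfers, address):
    """Summarise inbound funding of `address`: total, mixer share, mixer denominations."""
    inbound = [t for t in transfers if t.recipient == address]
    total = sum(t.value_eth for t in inbound)
    from_mixer = sum(t.value_eth for t in inbound if t.sender in MIXER_POOLS)
    return {
        "inbound_count": len(inbound),
        "total_eth": total,
        "mixer_share": (from_mixer / total) if total else 0.0,
        "mixer_denominations": {t.value_eth for t in inbound if t.sender in MIXER_POOLS},
    }

def is_mixer_seeded(transfers, address, min_share=0.9, min_deposits=3):
    """True when >= min_share of funding is mixer withdrawals of a single denomination.
    Privacy users also use mixers, so treat a hit as a review signal, not proof."""
    p = funding_profile(transfers, address)
    if p["inbound_count"] < min_deposits:
        return False
    return p["mixer_share"] >= min_share and len(p["mixer_denominations"]) == 1

# Constructed sample: mixer-seeded account next to an ordinary exchange-funded wallet.
SAMPLE = [
    Transfer("0xMIXER_POOL_0.1ETH", "0xSUSPECT", 0.1),
    Transfer("0xMIXER_POOL_0.1ETH", "0xSUSPECT", 0.1),
    Transfer("0xMIXER_POOL_0.1ETH", "0xSUSPECT", 0.1),
    Transfer("0xEXCHANGE_HOT_WALLET", "0xREGULAR", 2.5),
    Transfer("0xFRIEND", "0xREGULAR", 0.3),
    Transfer("0xMIXER_POOL_1ETH", "0xREGULAR", 1.0),
]

if __name__ == "__main__":
    for addr in ("0xSUSPECT", "0xREGULAR"):
        print(addr, is_mixer_seeded(SAMPLE, addr), funding_profile(SAMPLE, addr))
```

A monitor would run this check when a previously unseen address first calls a privileged or high-value function, and route hits to a reviewer or rate limit rather than blocking outright.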


Lazarus Group paused illicit activity for months ahead of the $1.4 billion Bybit hack

The infamous North Korean Lazarus Group is also known for extensive preparation ahead of its biggest hacks.

According to blockchain analytics firm Chainalysis, illicit activity tied to North Korean cyber actors sharply declined after July 1, 2024, despite a surge in attacks earlier that year.

North Korean hacking activity before and after July 1. Source: Chainalysis

The significant slowdown ahead of the Bybit hack signaled that the state-backed hacking group was “regrouping to select new targets,” according to Eric Jardine, cybercrimes research lead at Chainalysis.

“The slowdown that we observed could have been a regrouping to select new targets, probe infrastructure, or it could have been linked to those geopolitical events,” he told Cointelegraph.

It took the Lazarus Group 10 days to launder 100% of the stolen Bybit funds through the decentralized crosschain protocol THORChain, Cointelegraph reported on March 4.
