Insiders point to a sophisticated hacker, long draw


Onchain transactions by the exploiter behind the $116 million Balancer breach point to a sophisticated actor and extensive preparation that could have taken months to orchestrate without leaving a trace, according to a modern onchain analysis.

Balancer, a decentralized exchange (DEX) and automated market maker (AMM), was exploited for approximately $116 million worth of digital assets on Monday.

Blockchain data shows that the attacker carefully funded the exploit account using small deposits of 0.1 Ether (ETH) withdrawn from the cryptocurrency mixer Tornado Cash to avoid detection. Coinbase executive Conor Grogan said the exploiter had at least 100 ETH stored in Tornado Cash smart contracts, indicating possible ties to previous hacks.

“Hacker appears experienced: 1. Account seeded with 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks,” Grogan said in Monday’s X post. “Since there have been no recent 100 ETH Tornado deposits, it’s likely this exploiter had funds there from previous exploits.”

Grogan noted that users rarely store such huge amounts in privacy mixers, further suggesting the professionalism of the attacker.

Source: Conor Grogan

Balancer offered the exploiter a 20% white hat bounty if the stolen funds, minus the bounty, were returned in full by Wednesday.


“Our team is working with leading security researchers to understand the issue and will release additional findings and a full post-mortem as soon as possible,” Balancer wrote in its latest X update on Monday.

Balancer exploit was the most sophisticated attack of 2025: Cyvers

According to Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers, the Balancer exploit is one of the “most sophisticated attacks we’ve seen this year”:

“The attackers bypassed access control layers to directly manipulate resource balances, which represents a critical flaw in operational management rather than the underlying protocol logic.”

Lavid said the attack shows that static code audits are no longer sufficient on their own. Instead, he called for continuous, real-time monitoring to detect suspicious fund flows before pools are drained.


Lazarus Group Stopped Illegal Activities Months Before $1.4 Billion Bybit Hack

The infamous North Korean group Lazarus is also known for extensive preparations before its biggest hacks.

According to blockchain analytics firm Chainalysis, illicit activity linked to North Korean cybercriminals dropped sharply after July 1, 2024, despite a spike in attacks earlier this year.

North Korean hacker activity before and after July 1. Source: Chainalysis

According to Eric Jardine, head of cybercrime research at Chainalysis, the significant slowdown before the Bybit breach signaled that the state-backed hacking group was “regrouping to select new targets.”

“The slowdown we observed could be due to regrouping to select new targets, explore infrastructure, or could be related to these geopolitical events,” Jardine told Cointelegraph.

As Cointelegraph reported on March 4, it took Lazarus Group 10 days to launder 100% of the stolen Bybit funds via the decentralized crosschain protocol THORChain.
