An experienced attacker stole $116 million from Balancer DEX on Monday after months of preparation. On-chain data shows the attacker used Tornado Cash and sophisticated methods to move funds without leaving traces, indicating the operation was planned in advance.
Details of the Attack and Preparation
Blockchain analyses show the attacker funded their account stealthily with small 0.1 ETH transfers through Tornado Cash to avoid detection. Coinbase executive Conor Grogan said the attacker stored at least 100 ETH in Tornado Cash smart contracts and that those funds may link to earlier hacks. Grogan stated, “Hacker seems experienced: seeded the account with 100 ETH and operated with 0.1 ETH Tornado Cash transfers. No opsec leaks.” This behavior clearly points to a professional actor who prepared ahead of time. Balancer announced it would offer a 20% white‑hat bounty if the stolen funds were returned in full (minus the reward).
What Makes the Balancer Hack Unique
Deddy Lavid, co‑founder and CEO of blockchain security firm Cyvers, called the Balancer exploit one of the most sophisticated attacks of 2025. The attackers bypassed access control layers to manipulate asset balances directly. This represents a critical failure in operational governance rather than a flaw in core protocol logic.
Lavid also warned that static code audits are no longer enough. He urged platforms to implement continuous, real‑time monitoring to detect suspicious flows before funds are drained.
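The funding pattern reported above, an account seeded through repeated 0.1 ETH mixer transfers, is the kind of signal real-time monitoring can act on before the account interacts with a protocol. The following Python code is an added example, not code from Balancer, Cyvers or this article; the address labels, the threshold of five deposits and the sample transfers are constructed assumptions.

```python
from decimal import Decimal

# All labels below are constructed placeholders, not real contract addresses.
MIXER_POOLS = {"MIXER_POOL_0_1_ETH"}        # mixer pool(s) to watch
MONITORED_CONTRACTS = {"MONITORED_VAULT"}   # protocol contract being protected
DENOMINATION = Decimal("0.1")               # transfer size named in the article
MIN_DEPOSITS = 5                            # assumed alert threshold

def scan(transfers):
    """Walk transfers in block order and alert when an account seeded by
    repeated fixed-size mixer withdrawals first touches a monitored contract."""
    seeded = {}      # account -> number of 0.1 ETH mixer withdrawals received
    alerted = set()  # accounts already reported, to avoid duplicate alerts
    alerts = []
    for t in sorted(transfers, key=lambda t: t["block"]):
        src, dst = t["from"], t["to"]
        if src in MIXER_POOLS and Decimal(t["value_eth"]) == DENOMINATION:
            seeded[dst] = seeded.get(dst, 0) + 1
        elif (dst in MONITORED_CONTRACTS and src not in alerted
              and seeded.get(src, 0) >= MIN_DEPOSITS):
            alerted.add(src)
            alerts.append({"block": t["block"], "account": src,
                           "contract": dst, "mixer_deposits": seeded[src]})
    return alerts

def tx(block, src, dst, value_eth):
    """Build one transfer record (hypothetical schema for this example)."""
    return {"block": block, "from": src, "to": dst, "value_eth": value_eth}

# Constructed sample data: acct_A is seeded with six 0.1 ETH mixer withdrawals,
# acct_B with one, and acct_C is funded from an exchange.
SAMPLE = (
    [tx(100 + i, "MIXER_POOL_0_1_ETH", "acct_A", "0.1") for i in range(6)]
    + [tx(120, "MIXER_POOL_0_1_ETH", "acct_B", "0.1"),
       tx(130, "EXCHANGE_HOT_WALLET", "acct_C", "5"),
       tx(150, "acct_B", "MONITORED_VAULT", "0"),
       tx(160, "acct_C", "MONITORED_VAULT", "0"),
       tx(200, "acct_A", "MONITORED_VAULT", "0"),
       tx(201, "acct_A", "MONITORED_VAULT", "0")]
)

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only acct_A is flagged, at its first call to the monitored contract; a single mixer withdrawal or exchange funding does not cross the threshold.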
Lazarus Group and Long‑Term Preparation Strategies
Similarly, North Korean group Lazarus reportedly paused illicit activity for months before the Bybit hack. Chainalysis data showed a sharp decline in cybercriminal activity after July 1, 2024, which experts interpreted as regrouping to identify new targets and probe infrastructure.
In the Bybit incident, attackers laundered the $1.4 billion through THORChain within 10 days. That operation demonstrates how months‑long stealth and preparation can precede large, professionally executed exploits—parallels that highlight the seriousness of the Balancer incident.
Recommendations for Balancer Users
Store crypto assets only in trusted wallets and avoid moving large sums in single transactions. Be aware that using Tornado Cash and similar mixers can draw attention from professional attackers and investigators, and consider employing multi‑layer security practices to reduce exposure to sophisticated on‑chain exploits.

