
Balancer hack linked to sophisticated, months-long operation: On-chain analysis reveals deep planning

Balancer hack shows signs of months-long planning by skilled attacker

The $116 million exploit targeting decentralized exchange Balancer appears to have been meticulously planned for months, with the attacker employing advanced operational security and Tornado Cash to obscure their tracks, according to new onchain analysis.

Attacker used Tornado Cash to fund operations

Blockchain data reveals that the exploiter funded their account using multiple 0.1 Ether (ETH) deposits from Tornado Cash, a move likely aimed at avoiding detection by automated systems.
Conor Grogan, director at Coinbase, said the attacker stored at least 100 ETH within Tornado Cash smart contracts, suggesting possible connections to earlier hacks.

"Hacker seems experienced: seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks," Grogan noted, adding that such large Tornado deposits are rare and point to professional-level execution.

Following the breach, Balancer offered a 20% white-hat bounty for the return of stolen funds by Wednesday and confirmed that its security team was collaborating with top researchers to conduct a full post-mortem.

Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers, described the exploit as one of the most sophisticated attacks of 2025.
He said the attackers bypassed access control layers to manipulate asset balances directly, a failure in operational governance rather than core protocol logic.

Lavid warned that static audits alone are no longer sufficient and called for continuous, real-time monitoring to detect abnormal fund movements before they escalate into full-scale breaches.

Similarities with Lazarus Group’s long-term tactics

The methodical nature of the Balancer exploit draws parallels with the North Korean Lazarus Group, known for spending months preparing cyberattacks.


Data from Chainalysis shows that Lazarus-linked activity dropped sharply after July 2024, a period analysts now believe was used for “regrouping” and target selection ahead of the $1.4 billion Bybit hack.


Lazarus later laundered the stolen Bybit funds through THORChain within just 10 days, in one of the largest crypto heists ever recorded.

Coin Headlines covers the latest news in crypto, blockchain, Web3, and markets, bringing you credible and up-to-date information on all the latest developments from around the world.
