Insiders Reveal Sophisticated Hacker’s Long-Running, Complex Plot

A recent high-profile exploit on the decentralized exchange Balancer has revealed a highly coordinated attacker utilizing sophisticated onchain tactics. With an estimated $116 million in assets compromised, experts suggest the attack involved extensive pre-planning over months, highlighting the growing complexity and skill level behind recent crypto exploits. This incident underscores the importance of advanced security measures in the evolving landscape of blockchain and DeFi security.

The recent Balancer exploit, targeting the decentralized exchange (DEX) and automated market maker (AMM), exposed vulnerabilities in DeFi protocols and demonstrated the evolving sophistication of crypto attackers. The breach resulted in the theft of approximately $116 million worth of digital assets, with onchain data revealing a meticulously coordinated attack that may have been months in the making.

blockchain data shows the attacker carefully funded their account using small 0.1 ETH deposits from the privacy-focused mixer Tornado Cash, aiming to obfuscate their tracks. Conor Grogan, director at Coinbase, noted that the attacker stored at least 100 ETH in Tornado Cash smart contracts, suggesting links to previous hacking activities. “Hacker seems experienced: 1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No operational security leaks,” Grogan remarked in a social media post. “Since there were no recent 100 ETH Tornado deposits, it’s likely the funds originated from earlier exploits.”

Balancer has responded by offering a 20% white hat bounty, incentivizing the attacker to return the stolen funds in full, minus the reward, by Wednesday. The project also assured the community that ongoing investigations are underway. Security audits of Balancer’s protocol are under scrutiny following this incident.

Balancer stated, “Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible,” in an update. This incident emphasizes the increasing need for proactive security in DeFi platforms to counter advanced threat actors.

Balancer exploit was most sophisticated attack of 2025: Cyvers

According to Deddy Lavid, CEO of blockchain security firm Cyvers, the Balancer breach represents one of the most complex attacks seen this year.

“The attackers bypassed access control layers to manipulate asset balances directly, marking a critical failure in operational governance rather than core protocol logic.”

Lavid stressed that static code audits alone are no longer sufficient to defend against such threats. Instead, continuous, real-time monitoring is crucial to identify suspicious activity before funds are drained, highlighting the need for advanced security measures in DeFi protocols.

Lazarus Group paused illicit activity ahead of the Bybit hack

The notorious North Korean hacking outfit, Lazarus Group, known for some of the largest crypto exploits, reportedly paused illicit activities for months prior to executing their $1.4 billion attack on Bybit. Blockchain analytics firm Chainalysis observed a sharp decline in Lazarus-linked activity after July 1, 2024, following an intense period of attacks earlier that year.

Experts suggest that this slowdown indicates the group was regrouping to target new schemes or adjust their infrastructure, possibly influenced by geopolitical tensions. The Lazarus Group is known for laundering stolen funds through decentralized cross-chain protocols such as THORChain, with it taking roughly ten days to fully launder the proceeds from the Bybit hack, according to reports.

As crypto markets grow more lucrative, heightened security awareness and vigilance remain vital to combating increasingly sophisticated threats from state-backed hacking groups and independent cybercriminals alike.