Sophisticated Planning Evident in Balancer Hack Involving $116 Million Theft

An in-depth look at the months-long preparation behind the recent Balancer exploit, including the techniques the attacker used to avoid drawing attention before the theft.

The $116 million Balancer exploit appears to have been part of a well-orchestrated plan involving advanced tactics designed to avoid detection. According to recent analysis, the breach was executed by a knowledgeable party who made thorough preparations over several months.

The decentralized exchange (DEX) Balancer was compromised earlier this week, with losses of approximately $116 million in digital assets. On-chain transaction data suggests the attacker seeded the attack account with a series of small 0.1 Ether (ETH) withdrawals from the cryptocurrency mixer Tornado Cash, a low-profile funding pattern chosen to avoid attracting attention.

Conor Grogan, a director at Coinbase, observed that the attacker had over 100 ETH stored in Tornado Cash smart contracts, suggesting a possible connection to previous hacking incidents. He posted on X:

“Hacker seems experienced: 1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks.”

Grogan noted that it’s uncommon for users to keep such large amounts in privacy mixers, reinforcing the theory of the attacker’s expertise.

In response to the hack, Balancer publicly offered a 20% white-hat bounty to whoever returned the stolen funds in full by Wednesday.

The incident has been recognized by Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers, as one of the most sophisticated attacks of the year:

“The attackers bypassed access control layers to manipulate asset balances directly, a critical failure in operational governance rather than core protocol logic.”

Lavid emphasized that static code audits alone are no longer sufficient, and advocated continuous monitoring of on-chain activity so that suspicious behaviour is detected before funds leave the protocol.
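The funding pattern described above (an account seeded by repeated, small, fixed-denomination mixer withdrawals) is exactly the kind of signal continuous monitoring can surface before an exploit transaction lands. The following is an added example, not code from the article or from Balancer, Cyvers or Coinbase: a simple heuristic over a constructed list of ETH transfers that flags recipients funded almost entirely by mixer withdrawals. The pool addresses are placeholders, not the real Tornado Cash contracts, and the example assumes a withdrawal shows up as a value transfer from the pool contract to the recipient, slightly below the pool denomination because of relayer fees.

```python
from dataclasses import dataclass

# Constructed placeholder addresses for this example. They are NOT the real
# Tornado Cash pool contracts; in production, substitute the real pool
# addresses or a maintained mixer/sanctions address list.
# Value: the pool's fixed denomination in ETH.
MIXER_POOLS = {
    "0xPOOL_0_1": 0.1,
    "0xPOOL_1": 1.0,
    "0xPOOL_10": 10.0,
    "0xPOOL_100": 100.0,
}


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    value_eth: float


def is_mixer_withdrawal(t, fee_tolerance=0.05):
    """True if the transfer comes from a known pool and roughly matches that
    pool's fixed denomination (assumption: relayer fees make the amount the
    recipient receives slightly smaller than the denomination)."""
    denom = MIXER_POOLS.get(t.sender)
    if denom is None:
        return False
    return denom * (1 - fee_tolerance) <= t.value_eth <= denom


def funding_profile(transfers, address):
    """Summarise how `address` was funded: mixer inflow vs everything else."""
    inbound = sorted((t for t in transfers if t.recipient == address),
                     key=lambda t: t.block)
    mixer = [t for t in inbound if is_mixer_withdrawal(t)]
    other = [t for t in inbound if not is_mixer_withdrawal(t)]
    mixer_eth = sum(t.value_eth for t in mixer)
    other_eth = sum(t.value_eth for t in other)
    total = mixer_eth + other_eth
    return {
        "address": address,
        "first_funding_block": inbound[0].block if inbound else None,
        "mixer_withdrawals": len(mixer),
        "mixer_eth": round(mixer_eth, 6),
        "other_eth": round(other_eth, 6),
        "mixer_share": (mixer_eth / total) if total else 0.0,
        "denominations": sorted({MIXER_POOLS[t.sender] for t in mixer}),
    }


def flag_mixer_seeded(transfers, min_withdrawals=3, min_share=0.9):
    """Return profiles of recipients funded (almost) entirely by repeated
    mixer withdrawals: the seeding pattern the article describes. Thresholds
    are illustrative; tune them against your own false-positive rate."""
    recipients = {t.recipient for t in transfers}
    flagged = []
    for addr in sorted(recipients):
        p = funding_profile(transfers, addr)
        if p["mixer_withdrawals"] >= min_withdrawals and p["mixer_share"] >= min_share:
            flagged.append(p)
    return flagged


# Constructed sample data (not real on-chain transactions): one account seeded
# by ten 0.1 ETH withdrawals plus one 100 ETH withdrawal, and one ordinary
# account that merely touched the mixer once.
SAMPLE = [
    *[Transfer(100 + i, "0xPOOL_0_1", "0xSUSPECT", 0.099) for i in range(10)],
    Transfer(140, "0xPOOL_100", "0xSUSPECT", 99.5),
    Transfer(150, "0xEXCHANGE_HOT_WALLET", "0xNORMAL", 5.0),
    Transfer(151, "0xPOOL_0_1", "0xNORMAL", 0.1),
    Transfer(160, "0xFRIEND", "0xNORMAL", 0.3),
]

if __name__ == "__main__":
    for profile in flag_mixer_seeded(SAMPLE):
        print(profile)
```

A flag like this is a prioritisation signal, not proof of malice: plenty of privacy-conscious users withdraw from mixers. The useful follow-on is to watch flagged addresses for their first interaction with a protocol's privileged entry points (vault, router or admin functions) and to pair that with the balance-anomaly monitoring Lavid describes.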

Lastly, a parallel was drawn with North Korea's Lazarus Group, which is known for meticulous preparation ahead of its major hacks and which notably went quiet for a period before its $1.4 billion Bybit hack.

This case highlights the urgent need for robust security measures and proactive monitoring in the rapidly evolving landscape of blockchain technology.
