The hacker behind last November’s massive Balancer exploit has escalated activity after five months of dormancy, converting a total of 4,873 ETH (approximately $11.3 million at current prices) into roughly 178 Bitcoin through the cross-chain protocol THORChain.
Onchain data from THORChain explorer shows that the hacker has routed these funds in multiple batches to THORChain’s router. The swaps include earlier tranches such as 348 ETH for ~11.8 BTC and additional transfers pushing the cumulative total to 4,873 ETH as of the latest on-chain records.
This acceleration follows closely on the heels of the Kelp DAO exploiter, who routed nearly 75,700 ETH (about $175 million) through THORChain, swapping the bulk into native BTC and driving record daily volume on the protocol.
Security researchers see the Kelp DAO case as a clear blueprint, with both actors are leveraging THORChain’s decentralized, non-custodial ETH-to-BTC swaps to fragment transaction trails across chains, bypass centralized intermediaries, and complicate address clustering or potential asset recovery.
The original Balancer attack in early November 2025 drained nearly $120 million—with some estimates reaching $128 million—across multiple chains. The perpetrator exploited a precision-loss vulnerability in Balancer V2’s composable stable pools, manipulating rounding errors in the Vault contract during batch swaps to siphon liquidity from pools holding wrapped ETH and other assets.
Balancer Labs subsequently wound down operations amid the fallout. After initial laundering attempts via Tornado Cash, the hacker remained largely inactive until this week. Linked addresses are still reported to hold tens of millions in remaining ETH, indicating the current movements may signal the beginning of a larger liquidation phase.
The timing—five months after the heist—mirrors established patterns in major crypto thefts, where perpetrators allow initial scrutiny to subside before resuming cash-out operations.
Now this repeated use of THORChain by high-profile exploiters highlights ongoing challenges in cross-chain tracking and the increasing sophistication of laundering tactics employed by sophisticated actors.
No law enforcement updates have been released regarding identification or recovery efforts for the Balancer case as of publishing.
Also read: U.S. Seizes 503 Crypto Scam Websites in Major Fraud Crackdown