A wallet linked to the Balancer exploit that drained nearly $120 million from the protocol’s V2 pools has resurfaced after five months, with onchain data flagging 1,100 ether worth $2.55 million being funneled through Thorchain into BTC.
Balancer Exploiter Resurfaces After 5 Months, Moves 1,100 ETH Through Thorchain
WRITTEN BY
SHARE
Key Takeaways:
- Lookonchain flagged the Balancer exploiter moving 1,100 ETH ($2.55M) via Thorchain.
- The wallet had been dormant for five months since last year’s $120M Balancer V2 breach.
- Funds are being converted from ETH into BTC through Thorchain, a route seen in prior major exploits.
Dormant Wallet Reactivates
The exploiter moved 1,100 ETH over the course of approximately one hour and is converting the proceeds into BTC using Thorchain, a decentralized cross-chain liquidity protocol that allows assets to move between blockchains without centralized intermediaries or know-your-customer (KYC) requirements.
The absence of KYC controls on Thorchain has made it a recurring destination for stolen funds seeking conversion into harder-to-trace assets. The ETH-to- BTC route is a particularly favored laundering path because it moves stolen funds out of the Ethereum ecosystem, where freezes and blacklists are more easily coordinated, and into bitcoin’s UTXO-based architecture, which distributes traceability across a much larger set of addresses.
The wallet’s reactivation after five months of silence is consistent with a broader pattern seen in major crypto exploits. Attackers routinely allow wallets to go quiet long enough for active monitoring to ease before beginning to move funds, a tactic designed to outlast both law enforcement attention and the onchain alert systems maintained by accounts like Lookonchain, Peckshield, and ZachXBT. The five-month gap places the reactivation well outside the initial response window for the original breach.
Thorchain’s architecture does allow validators to vote for temporary halts on specific chains when malicious activity is detected, a mechanism they have deployed before during major incidents. However, such votes are rare, require independent validator coordination, and are reversible, making Thorchain a persistently attractive option for exploit proceeds moving at speed.
The Original Balancer Breach
The Balancer exploit that drained approximately $116 million from the protocol’s V2 liquidity pools was one of the more consequential decentralized finance ( DeFi) hacks of 2025. The breach was tied to a batch swap rounding bug that allowed the attacker to systematically drain funds from Balancer’s smart contracts across multiple pools.
The financial and reputational fallout from the exploit had lasting consequences for the protocol, with Balancer Labs subsequently announcing it would shut down as a company, transferring control of the protocol’s future to its decentralized autonomous organization ( DAO). The move left the protocol operating under a leaner, community-led structure.
The incident also contributed to a wider industry reckoning about smart contract security, a debate that has gained fresh urgency in April 2026 following the $292 million KelpDAO exploit and its downstream impact on Aave’s lending markets.
A Pattern Worth Watching
The Thorchain-based ETH-to- BTC conversion route observed here closely mirrors laundering approaches flagged by onchain analysts in connection with prior high-profile hacks, including a case in which a Kraken user lost $18.2 million in a social engineering attack, with funds subsequently routed through Thorchain by the attacker.
The reactivation of the Balancer exploiter’s wallet is part of a growing list of dormant exploit proceeds showing signs of movement in 2026, a trend that can be attributed in part to improving market liquidity, providing better exit conditions for large illicit positions.
