Balancer

Hackers exploited a vulnerability in Balancer, a decentralized finance (DeFi) protocol, stealing over $120 million in cryptocurrency, with at least $99 million in ETH compromised. The attack was traced to faulty access control mechanisms, allowing attackers to bypass security measures. Balancer paused affected pools and initiated recovery mode, collaborating with security and legal teams for a thorough investigation. The incident prompted warnings about fraudulent messages impersonating Balancer’s security team. Several associated platforms (e.g., Berachain, Gnosis, Sonic) took emergency actions, freezing stolen funds where possible. While Balancer had undergone 10+ audits and maintained bug bounty programs, this exploit marks one of its most severe breaches. The attack aligns with a broader trend of North Korean state-sponsored hackers targeting DeFi platforms, with over $2 billion stolen in H1 2025, funding illicit programs like ballistic missile development.

Source: https://therecord.media/crypto-heist-balancer-exploit

TPRM report: https://www.rankiteo.com/company/balancer-ecosystem

"id": "bal5502355110425",
"linkid": "balancer-ecosystem",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Blockchain/Cryptocurrency',
                        'name': 'Balancer',
                        'type': 'Decentralized Finance (DeFi) Protocol'},
                       {'industry': 'Blockchain/Cryptocurrency',
                        'name': 'Berachain Foundation',
                        'type': 'Blockchain Organization'},
                       {'industry': 'Blockchain/Cryptocurrency',
                        'name': 'Gnosis',
                        'type': 'Blockchain Platform'},
                       {'industry': 'Blockchain/Cryptocurrency',
                        'name': 'Sonic',
                        'type': 'Blockchain Platform'},
                       {'industry': 'Blockchain/Cryptocurrency',
                        'name': 'Beefy',
                        'type': 'Blockchain Platform'}],
 'attack_vector': ['Compromised Access Control Mechanisms',
                   'Smart Contract Vulnerability'],
 'customer_advisories': ['Avoid interacting with fraudulent messages',
                         'Monitor official Balancer channels for updates'],
 'date_detected': '2025-MM-DD (early morning, exact date not specified)',
 'date_publicly_disclosed': '2025-MM-DD (Monday afternoon)',
 'description': 'Hackers stole millions of dollars worth of cryptocurrency '
                'from the decentralized finance (DeFi) protocol Balancer on '
                'Monday. Estimates varied, but blockchain security firms '
                'tracked over $120 million in losses, with at least $99 '
                'million in ETH stolen. The exploit was traced back to faulty '
                'access control mechanisms compromised by attackers. Balancer '
                'paused affected pools and is investigating the incident with '
                'security and legal teams. Fraudulent messages claiming to be '
                'from Balancer’s security team are circulating, and users are '
                'warned not to interact with them. Several tied blockchain '
                'organizations (e.g., Berachain, Gnosis, Sonic, Beefy) took '
                'emergency measures to protect user assets, including freezing '
                'some stolen funds. North Korea-linked hackers are suspected '
                'in broader crypto theft trends, with over $2 billion stolen '
                'in the first half of 2025.',
 'impact': {'brand_reputation_impact': ['Potential loss of trust in DeFi '
                                        'security',
                                        'Fraudulent messages circulating'],
            'downtime': ['Pools paused and in recovery mode',
                         'Berachain network halted'],
            'financial_loss': '$120 million+ (with $99 million in ETH)',
            'operational_impact': ['Emergency measures by multiple platforms',
                                   'Funds frozen on some platforms'],
            'systems_affected': ['Balancer DeFi protocol pools',
                                 'Tied platforms (Berachain, Gnosis, Sonic, '
                                 'Beefy)']},
 'initial_access_broker': {'entry_point': 'Faulty access control mechanisms in '
                                          "Balancer's DeFi protocol",
                           'high_value_targets': ['Balancer pools',
                                                  'Tied platforms (e.g., '
                                                  'Berachain, Gnosis)']},
 'investigation_status': 'Ongoing (post-mortem planned)',
 'motivation': ['Financial Gain',
                "Funding North Korea's ballistic missile program (broader "
                'trend)'],
 'post_incident_analysis': {'root_causes': ['Faulty access control '
                                            'mechanisms']},
 'references': [{'source': 'Chainalysis Report (2025)'},
                {'source': 'U.S., France, Germany, Japan Joint Report (2025)'},
                {'source': 'Balancer Public Statements (2025)'}],
 'response': {'communication_strategy': ['Public statements by Balancer',
                                         'Warnings about fraudulent messages',
                                         'Collaboration announcements by tied '
                                         'platforms'],
              'containment_measures': ['Pools paused and put in recovery mode',
                                       'Network halts (e.g., Berachain)',
                                       'Freezing stolen funds'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Recovery mode for paused pools',
                                    'User asset protection by tied platforms'],
              'remediation_measures': ['Investigation with security/legal '
                                       'teams',
                                       'Post-mortem planned'],
              'third_party_assistance': ['Security experts', 'Legal teams']},
 'stakeholder_advisories': ['Warnings about fraudulent messages',
                            'Collaboration updates from tied platforms'],
 'threat_actor': ['Unknown (suspected North Korea-linked actors in broader '
                  'context)'],
 'title': 'Balancer DeFi Protocol Cryptocurrency Theft',
 'type': ['Cryptocurrency Theft', 'Exploit', 'DeFi Attack'],
 'vulnerability_exploited': "Faulty access control mechanisms in Balancer's "
                            'DeFi protocol'}