DeFi protocol Balancer and numerous Balancer-fork deployments are currently being exploited in a fast-moving DeFi incident that has so far produced estimated losses of roughly $128.64 million across multiple chains. On-chain monitoring team PeckShield flagged a cluster of attacker addresses, tracked via DeBank, which show large inflows originating from Balancer vaults and forked pool contracts. Early attribution remains technical: this appears to be an on-chain drain rather than a single exchange cash-out, but the scale and coordination indicate a systemic attack affecting multiple deployments and their front-ends.
Observed attacker clusters (DeBank profile links provided by trackers):
• https://debank.com/profile/0xaa760d53541d8390074c61defeaba314675b8e3f
• https://debank.com/profile/0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4
• https://debank.com/profile/0x045371528a01071d6e5c934d42d641fd3cbe941c
What we know so far: large token movements appear to originate from Balancer vaults and forked pool contracts; the attacker addresses aggregate assets, perform rapid swaps and routing actions, and then split proceeds across bridges and swap routers to obfuscate origin. The incident’s cross-chain footprint increases complexity for recovery and exchange-level freezes.
Immediate implications: liquidity in affected Balancer pools will likely dry up as LPs withdraw or migrate, and price action for tokens exposed to those pools could see sharp volatility. Confidence in lightly vetted Balancer forks, which often reuse code with minimal auditing, will take the brunt of the market reaction.
Analyst recommendations: if you hold liquidity in Balancer or fork pools, move funds to cold storage or reputable custody immediately (avoid interacting with suspect front-ends). Operators should pause vulnerable pools, publish an IOC pack (attacker addresses, tx hashes, timestamps) and coordinate with major exchanges and security firms to request freezes on identifiable deposits. Security firms and auditors should prioritize rapid forensic tracing of bridges and mixers used by the attacker.
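As an added illustration (not code from Balancer or any tracker), the sketch below builds the kind of IOC pack recommended above from a list of transfer records, keyed on the three attacker addresses listed on this page. The record layout, the tx hashes and every non-watchlist address are constructed placeholders, and the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Attacker cluster addresses as listed on this page (DeBank profile links).
WATCHLIST = {
    "0xaa760d53541d8390074c61defeaba314675b8e3f",
    "0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4",
    "0x045371528a01071d6e5c934d42d641fd3cbe941c",
}

# Constructed sample transfers, NOT real chain data. The record layout and every
# tx hash / non-watchlist address below are labelled placeholders (assumptions).
SAMPLE_TRANSFERS = [
    {"tx": "0xTX_A", "ts": 1700000000, "chain": "ethereum",
     "from": "0xVAULT_PLACEHOLDER", "to": "0xAA760D53541D8390074C61DEFEABA314675B8E3F"},
    {"tx": "0xTX_B", "ts": 1700000060, "chain": "ethereum",
     "from": "0xaa760d53541d8390074c61defeaba314675b8e3f",
     "to": "0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4"},
    {"tx": "0xTX_C", "ts": 1700000120, "chain": "arbitrum",
     "from": "0x872757006B6f2FD65244C0a2A5fdd1f70A7780f4", "to": "0xBRIDGE_PLACEHOLDER"},
    {"tx": "0xTX_D", "ts": 1700000180, "chain": "ethereum",
     "from": "0xUNRELATED_1", "to": "0xUNRELATED_2"},
]

def norm(addr):
    # Data sources mix lowercase and mixed-case hex; compare lowercased.
    return addr.strip().lower()

def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def build_ioc_pack(transfers, watchlist=WATCHLIST):
    watch = {norm(a) for a in watchlist}
    pack = {}
    for t in sorted(transfers, key=lambda r: r["ts"]):
        src, dst = norm(t["from"]), norm(t["to"])
        for addr, peer, outgoing in ((src, dst, True), (dst, src, False)):
            if addr not in watch:
                continue
            e = pack.setdefault(addr, {"address": addr, "first_seen": iso(t["ts"]),
                                       "tx_hashes": [], "chains": [], "next_hops": []})
            e["last_seen"] = iso(t["ts"])
            for key, val in (("tx_hashes", t["tx"]), ("chains", t["chain"])):
                if val not in e[key]:
                    e[key].append(val)
            # Outflows to addresses outside the cluster are the leads to trace next.
            if outgoing and peer not in watch and peer not in e["next_hops"]:
                e["next_hops"].append(peer)
    return sorted(pack.values(), key=lambda e: e["first_seen"])

if __name__ == "__main__":
    print(json.dumps(build_ioc_pack(SAMPLE_TRANSFERS), indent=2))
```

Transfers between two watchlisted addresses are recorded under both entries but are not reported as next hops, so the `next_hops` list only contains counterparties outside the known cluster.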
This remains an active situation. Track official Balancer channels, reputable on-chain trackers, and exchange security desks for updates. We will monitor the attacker clusters and provide a detailed transaction timeline and laundering map as forensic data matures.
