Recovery Assistance Offer — 21,000 ETH Dormant Balancer V2 Exploit Wallets (BIP-908)

Hi Balancer community,

I’m reaching out from CyberLeakWatch Investigations, an independent blockchain forensics unit. We’ve been monitoring three dispersion wallets from the November 2025 Balancer V2 exploit that hold a combined 21,000 ETH (~$44.8M) — all completely dormant for 5 months with zero outgoing transactions.

What we’re offering

  • Real-time sentinel monitoring on all 3 wallets (already active)
  • CEX freeze coordination if funds move (pre-established contacts at major exchanges)
  • Law enforcement coordination channels
  • Success-fee basis under BIP-908 — zero cost unless funds are recovered

Why now

  • The funds haven’t moved in 5 months — the recovery window is still open
  • Extended dormancy often precedes exit attempts
  • We sent two emails to security@balancer.finance (March 13 and March 20) with no response, so reaching out here
  • With Balancer Labs transitioning its corporate structure, coordination through the community and trusted intermediaries becomes even more important

Our capabilities

We have pre-established compliance contacts at Binance, OKX, HTX, Bybit, Coinbase, Tether, and Circle for rapid freeze coordination. We also maintain active channels with international law enforcement agencies for cross-border cases.

We’ve simultaneously contacted SEAL 911 to help bridge coordination with the security team and Treasury Council.

We’d like to coordinate with anyone involved in recovery efforts under BIP-908. Happy to share our monitoring setup and forensic findings with the appropriate team.

Contact: investigations@cyberleakwatch.com

CyberLeakWatch Investigations
Blockchain Forensics Unit

1 Like

Thank you for your message. We have been prioritizing direct recovery efforts over the high volume of solicitations received since the hack. As you might expect following the incident, this inbox was inundated with solicitations from security firms; consequently, we have refrained from responding to those individually.

The Balancer Foundation is actively coordinating fund recovery and law enforcement liaison efforts with professional forensic partners. The DAO has officially sanctioned a specific recovery information bounty on top of the Safe Harbor Agreement.

As we haven’t seen a submission from you via SEAL, we invite you to share any relevant details directly via admin@balancer.finance to ensure it reaches the right team immediately.

2 Likes

CRITICAL UPDATE — May 2, 2026: Funds Have Moved

Since our original post, the Balancer V2 exploit funds are no longer
dormant
. On April 24-25, 2026, approximately 21,057 ETH were laundered
through THORChain
cross-chain swaps into Bitcoin.

What happened

The attacker consolidated funds from multiple dispersion wallets into a
single intermediary, then executed 35 depositWithExpiry() transactions
on the THORChain Router — all ETH-to-BTC swaps. We have decoded every memo to
identify the destination addresses.

Current location: 617.42 BTC across 3 addresses (ALL STATIC)

Address Balance Status
bc1qx4lwa6ewj5z0t6k4q86yd0gy62ej058hye7y93 205.43 BTC (~$20.5M) No
outflows
bc1qlyzhp6en4tk2mkt6sl83lzhxm55ycq2yjcm6u7 204.74 BTC (~$20.5M) No
outflows
bc1qwdqrn2qehcyzq6z4ut7ttjtjv3e4fjujp97vfm 207.25 BTC (~$20.7M) No
outflows
Total 617.42 BTC (~$61.7M) Static since arrival

Exploiter 2 still holds freezeable assets

Address 0xAa760D53541d8390074c61DEFeaba314675b8e3f retains 10,168 sUSDe
(~$12.5K)
. Ethena’s sUSDe contract has addToBlacklist() — this is
directly freezeable. We have contacted Ethena’s security team.

Laundering pattern

  1. Consolidation from dormant dispersion wallets into single intermediary
  2. Smurfing into 80-2,000 ETH chunks
  3. Test transactions (0.9-1 ETH) to verify THORChain route
  4. 35 cross-chain swaps via THORChain Router (no KYC)
  5. Distribution across 3 separate BTC addresses

Recovery opportunity under BIP-908

All 617 BTC remain static — the attacker has not established an exit path
yet. If these addresses are flagged at major chain analytics providers and
exchanges, any future movement to a CEX creates a freeze/recovery
opportunity.

Under BIP-908 (10% bounty, no cap), this represents up to $6.17M in
recovery incentive.

Actions taken

  • SEAL911 notified with complete trace
  • Ethena freeze request submitted for sUSDe
  • 3 BTC addresses added to our monitoring systems
  • Full evidence pack (35 tx hashes, decoded memos, fund flow graph) available
    to Treasury Council, SEAL, and zeroShadow upon request

We are available to coordinate with any authorized recovery party.

— CyberLeakWatch Investigations

1 Like

Great discussion here. I’ve been following this topic for a while and really appreciate the insights shared.