BlockThreat - Week 45, 2025
Balancer | Stream Finance | MEV | Peraire-Bueno | Samourai | DPRK IT Workers
Greetings!
More than $132M were stolen this week across seven incidents. Smart contract exploits, systemic stablecoin depegs and liquidity crunches, kidnappings, and much more happened last week. However, this edition focuses on the largest smart contract exploit this year - the Balancer hack.
On November 3, 2025, Balancer experienced a highly coordinated attack across seven chains. A bad actor exploited a subtle rounding error to steal more than $128M. There are plenty of excellent writeups on the exploit itself and you can find much more in the premium section below. Instead, I want to focus on something positive amid all of this destruction. The story of how the community, blockchain security companies, chain and protocol operators worked together with remarkable coordination to fight back against the attacker and in many instances win!
Here are just some of the incident response actions by Balancer and many affected chains and protocols:
Balancer paused affected pools, gauges, and incentives across chains within 20 minutes.
Stakewise executed emergency multisig to claw back $20.7M in osETH and osGNO tokens.
Monerium froze attacker’s 1.3M EURe.
Berachain quickly disabled affected pools while coordinating gradual shutdown of bridges and eventually halting the chain.
Sonic immediately froze* attacker’s addresses using a built-in safety mechanism.
Polygon chain started to censor attackers’ addresses.
Gnosis chain partially halted canonical bridge.
*Simply freezing ERC20 transfers was not sufficient since attackers were able to bypass them with permit approvals.
Balancer responded within a twenty-minute window by pausing pools. It slowed the attacker a bit, but they were still able to redeploy and continue a second wave almost an hour after the first attack. Protocols with centralized control over their tokens such as osETH, osGNO, and EURe were able to intervene and freeze specific stolen tokens. And that was when the nuclear option was activated. Multiple chains patched their validators to either censor the attacker’s transactions or halt their chain entirely. This level of control is normally frowned upon since the original DAO hack. However, these were exceptional measures for an exceptional scenario.
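The footnote above about permit approvals deserves a concrete illustration, because the same pitfall shows up in token-level freezes again and again. Below is an added example written for this edition; it is not code from Sonic, Balancer, Monerium, or any project mentioned here, and it makes no claim about how any of their freeze mechanisms actually work. It assumes OpenZeppelin Contracts v5 (ERC20, ERC20Permit, Ownable); the contract and token names are made up. The first token gates only calls sent by the frozen address, so a holder can still sign an EIP-2612 permit off-chain and have a fresh relayer address spend the balance through transferFrom. The second token gates every balance movement in the shared _update hook, which both transfer and transferFrom pass through, and refuses new approvals from a frozen owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only. Not the code of Sonic, Balancer, or any real token.
// Assumes OpenZeppelin Contracts v5 import paths and hook signatures.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Weak freeze: blocks only transactions *sent by* the frozen address.
/// transferFrom and permit are inherited untouched, so a frozen holder can
/// sign a permit off-chain and any unfrozen relayer can call
/// permit(...) followed by transferFrom(frozen, dest, amount). The check on
/// msg.sender never sees the frozen address.
contract WeakFreezeToken is ERC20, ERC20Permit, Ownable {
    mapping(address => bool) public frozen;

    constructor() ERC20("Weak", "WEAK") ERC20Permit("Weak") Ownable(msg.sender) {
        _mint(msg.sender, 1_000_000e18); // constructed sample supply
    }

    function setFrozen(address account, bool status) external onlyOwner {
        frozen[account] = status;
    }

    modifier notFrozenSender() {
        require(!frozen[msg.sender], "sender frozen");
        _;
    }

    // Only the direct-transfer path is guarded.
    function transfer(address to, uint256 amount) public override notFrozenSender returns (bool) {
        return super.transfer(to, amount);
    }
}

/// Hardened freeze: every balance movement, whether it comes from transfer,
/// transferFrom, or a permit-authorised spend, funnels through _update, so the
/// guard lives there and keys on the *owner of the funds*, not on msg.sender.
/// New approvals (including those created by permit) are refused for a frozen
/// owner as well, so no fresh allowance can be minted after the freeze.
contract HardenedFreezeToken is ERC20, ERC20Permit, Ownable {
    mapping(address => bool) public frozen;

    constructor() ERC20("Hard", "HARD") ERC20Permit("Hard") Ownable(msg.sender) {
        _mint(msg.sender, 1_000_000e18); // constructed sample supply
    }

    function setFrozen(address account, bool status) external onlyOwner {
        frozen[account] = status;
    }

    // Shared hook for mint, burn, transfer and transferFrom in OZ v5.
    function _update(address from, address to, uint256 value) internal override {
        require(!frozen[from] && !frozen[to], "account frozen");
        super._update(from, to, value);
    }

    // Shared by approve() and permit() in OZ v5.
    function _approve(address owner, address spender, uint256 value, bool emitEvent)
        internal
        override
    {
        require(!frozen[owner], "owner frozen");
        super._approve(owner, spender, value, emitEvent);
    }
}
```

The point to take from the pair is the choice of what the guard keys on. Freezing by msg.sender protects against the frozen account submitting transactions itself; it does nothing against a third party spending an allowance the frozen account granted, and with permit that allowance can be granted without the frozen account ever sending a transaction. The same logic applies to chain-level censorship: blocking transactions whose sender is the attacker leaves open any transaction, from anyone, that moves the attacker's balance via an allowance, which is why freezes need to key on the holder of the funds rather than the transaction origin.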
While the protocols were busy defending themselves, whitehats stepped in and began actively attacking the attacker:
Bitfinding bot frontran exploiter on Base chain to recover almost $1M.
A frontrunning bot operator on Berachain was able to intercept $12M worth of stolen funds and agreed to return funds.
Another frontrunning bot operator on Base returned $150K.
Yet another frontrunning bot operator on Arbitrum returned about $82K.
SEAL/Certora rescue operation recovered $4.1M across Ethereum, Optimism (Beets), Arbitrum chains a few days after the hack.
Just as the attacker was trying to execute their exploit on different chains, various financial bots and one dedicated defensive bot activated to immediately intercept $13M. In one case, a Bitfinding bot was able to deploy an exploit contract on Base minutes before the attacker. SEAL and Certora teamed up to execute a separate $4.1M rescue for the yet unexploited vulnerability in Balancer.
After the dust settled, almost $18M were intercepted or returned relative to the $128M stolen. A disastrous incident, yet it offers ideas for what worked or could work in the future.
Balancer had an emergency action script ready. If only it had triggered immediately after the first exploit on mainnet. There is an opportunity for projects to improve automation and perhaps err on the side of caution, pausing first and asking questions later.
Warrooms worked perfectly with chains, protocols, and security researchers all coordinating the best possible actions to slow the exploit and fight back. Protocols should regularly practice fictional warroom scenarios to build up their incident response muscle.
The real winners in this incident were the bots and Bitfinding’s bot in particular. Building dedicated defensive bots is truly the next frontier which is barely explored in our industry and yet already shows how effective it can be. The Berachain bot alone intercepted the majority of the attacker’s funds, an astounding $12.6M!
It is a dark day for the industry and Balancer in particular. But we will take time to patch ourselves up and most importantly learn valuable lessons from these incidents that will ultimately make the industry stronger and more resilient for the fights ahead.
Enjoy reading BlockThreat? Each edition takes more than ten hours of careful research and preparation every week. Consider sponsoring an upcoming issue or becoming a paid subscriber to unlock the premium section with detailed analyses of hacks, vulnerabilities, special reports, and a fully searchable newsletter archive.
In other news, a mistrial was declared in the case against Anton and James Peraire Bueno after the jury failed to reach a unanimous verdict and reported sleepless nights and crying. As you recall, the brothers used their validator to send a specially crafted block that exploited a vulnerability in a relay which tricked it into revealing normally hidden block transactions. They then used those transactions to sandwich other bots. The defense, and surprisingly Coin Center, chose to omit the small detail that a software flaw was exploited and instead framed the issue as nothing more than greedy MEV operators who should accept a bad trade. In other words, the classic Code is Law argument.
Unsurprisingly, all of this overwhelmed the jurors. Now we may end up with a legal precedent that could legitimize blockchain exploits. This is a case the entire industry should watch closely, since the wrong precedent could blur the line between fair trades and intentional exploitation in ways that would introduce significant long-term risks.
Let’s dive into the news!
News
Analysts map $285M in potential exposure across DeFi after Stream Finance’s $93M loss. The platform halted withdrawals shortly after the announcement, leading to mass stablecoin depegging, a liquidity crisis, and a chain of halts across multiple DeFi protocols.
DWF Labs ‘Likely’ Exploited for $44M in 2022 Hack Linked to North Korea: Report.
AMD confirms security vulnerability on Zen 5-based CPUs that generates potentially predictable keys.
Crime
Keonne Rodriguez Sentenced to 5 Years in Prison, $250,000 Fine. Relevant thread on differences between Samourai and Tornado Cash by tanuki42.
When the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations. The story of Kevin Ryan Clifford Goldberg (Sygnia), Tyler Martin (DigitalMint), and an unidentified party (DigitalMint) taking their ransomware negotiation skills to extort victims as part of an ALPHV/BlackCat ransomware-as-a-service operation.
Convicted crypto felon behind $500m scam found butchered alongside wife in desert after a failed ransom attempt. Roman Novak previously raised $500M through a scam crypto project, Fintopio, and later fled with investors’ money. Russian police have since arrested suspects in the gruesome murder.
Spanish crypto influencer CryptoSpain detained on $300 million fraud, money laundering charges.
From North Korean IT Workers to IT recruiters by Security Alliance and Heiner Garcia.
CISO Playbook: North Korean IT Workers by Sophos.
EU Arrests Nine in Connection with $689M Crypto Scam Network.
FBI can’t be blamed for wiping hard drive with $345M BTC, say judges.
Google Threat Report Links AI-powered Malware to DPRK Crypto Theft.
Crypto Tracing Leads to Arrest in Global Child Abuse Network Takedown.
Mastermind behind $300M crypto pyramid scheme arrested in Spain.
Phishing
Interview with the Chollima Part III, IV, V by Bitso Quetzal Team. The use of face-altering AI tech is particularly concerning, as well as the use of certain Latin American countries.
A victim lost $1.25M to an address poisoning attack by Specter.
Malware
Blockchain malware’s neverending novelty by Taylor Monahan (Tay). A long history of malware using blockchains to retrieve secondary payloads.
SleepyDuck malware invades Cursor through Open VSX by John Tuckner (Secure Annex). Interestingly this malware sample uses Ethereum as a backup C2 command channel.
LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History by Vlad Pasca, Radu-Emanuel Chiscariu (Hybrid Analysis).
Media
How a Canadian math prodigy allegedly stole millions in crypto by CBC - The Current. The story of Andean Medjedovic. Interestingly, the podcast mentioned that Andean was caught in Europe at one point but was let go.
bountyhunt3rz - Episode 30 - mitchell amador.
Consensus Protocols by CBER Forum with Ertem Nusret Taş (a16z Crypto), Joachim Neu (a16z Crypto), Jacob Leshno (University of Chicago).
Crypto Market Wizards - Making $10M in DeFi with 0xlawlol. A particularly concerning interview with a greyhat on extorting protocols for post-hack bounty.
Contests
Onchain CTF Solution Writeup by kaden.eth.
Research
$1M Intercepted from the Balancer Hack by Bitfinding.
Supply Chain Attacks: Prepare for Next Week by Franco Riccobaldi (Coinspect).
Critical Security Risks associated with Telegram Trading Bots by Sebastian Lim (HashDit).
Securing $29 199 014 133 – Methodology to Secure One of the Biggest Project on Ethereum by Damian Rusinek (Composable Security).
Sticky Notes to Seed Phrases: How To Identify Crypto Artifacts in the Field by TRM.
Mastering Wake Printers for Solidity Security Analysis by Naoki Yoshida (Ackee).
LLM Vulnerabilities: Why AI Models Are the Next Big Attack Surface by Sai Krishna (Netlas).
What is the Solana Virtual Machine (SVM)? by 0xIchigo (Helius).
Move Vulnerability Database by MoveMaverick.
Sample Arkham Bounty onchain investigation of an Aaron Shames wallet by Whistleblower007. Ever though
Taming DeFi’s Ouroboros. A deep dive into quantifying recursive lending risk and why your “diversified” yield vault might be a ticking time bomb by totomanov.
DeFi’s Contagion Loop: The Cost of Hidden Dependencies by Chaos Labs.
ConneX: Automatically Resolving Transaction Opacity of Cross-Chain Bridges for Security Analysis.
Penetrating the Hostile: Detecting DeFi Protocol Exploits through Cross-Contract Analysis.
SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets.
PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts.
Tools
Fuck blind signing: Introducing Web3 Semantic Second Factor by Bitfinding.
Unblind Second Factor is now available by Bitfinding.
Unblind your Safe Dashboard by Bitfinding.
Routescan Multichain Explorer. A unified explorer for 79 blockchains and a great way to track cross-chain transactions.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
Balancer, Beets Finance, Beethoven X
Date: November 03, 2025
Attack Vector: Rounding Error
Impact: $128,640,000
Chain: Ethereum, Arbitrum, Base, Polygon, Sonic, Optimism, Berachain
Indicators: