Balancer Hacker Swaps 14,300 ETH for 419.3 BTC

The hacker behind the Balancer V2 exploit has converted 14,300 ETH into 419.3 BTC, signaling a strategic shift in how the stolen funds are being moved across blockchain networks.

The swap, first flagged by on-chain watchers, marks one of the largest single-transaction conversions tied to the Balancer exploit wallets. The move from Ethereum-native assets into Bitcoin raises fresh concerns about fund recovery prospects and the laundering techniques available to DeFi attackers.

What the 14,300 ETH to BTC Conversion Involves

The wallet linked to the Balancer hacker executed a conversion of 14,300 ETH into 419.3 BTC. At current market rates, the transaction represents tens of millions of dollars in value rotating from one major asset to another.

This is not a routine trade. The funds trace back to exploited Balancer V2 smart contracts, making every movement from these wallets a potential step in a laundering chain. The conversion drew immediate attention because of both its size and its cross-chain nature.

According to reporting from Cryptopolitan, the Balancer exploiter had been steadily trading ETH holdings into BTC, with this swap representing a significant acceleration of that pattern.

How the Swap Connects Back to the Balancer Exploit

The Balancer V2 protocol suffered a major exploit on November 3, 2025. A post-mortem published by the Balancer team detailed how the attacker drained funds from the protocols liquidity pools.

Security researchers at Check Point later published a detailed technical analysis showing that the attacker exploited a rounding error vulnerability to drain approximately $128 million from Balancer.

The Balancer community has since pursued recovery efforts. A governance proposal (BIP-892) addressed the distribution of funds that were rescued during the initial response to the attack.

A separate proposal, BIP-908, outlined a recovery assistance offer targeting approximately 21,000 ETH sitting in dormant exploit wallets. The ETH-to-BTC conversion undercuts those recovery efforts directly.

Why a Hacker Would Rotate from ETH into BTC

Bitcoin offers a hacker several advantages as a destination asset. Its deep liquidity across global exchanges means large amounts can be moved without the same slippage risk present on smaller networks or tokens. Institutions and traders increasingly treat Bitcoin as a core treasury and derivatives asset, which only deepens available liquidity.

The conversion also introduces a cross-chain barrier. Ethereum-based monitoring tools, blacklists, and smart contract-level freezes do not extend to the Bitcoin network. Once the funds exist as BTC, the attacker operates in a different ecosystem with different surveillance infrastructure.

Coin Edition reported that the Balancer hacker appeared to be copying laundering routes previously used in the KelpDAO exploit, routing funds through THORChain to bridge between chains. This pattern suggests the attacker is following an established playbook rather than improvising.

Bitcoin mixers and privacy tools, while increasingly scrutinized by law enforcement, remain available. The rotation from ETH to BTC may represent a step toward further obfuscation before attempting to off-ramp into fiat currency.

What the ETH-to-BTC Move Means for DeFi Security and Fund Recovery

The conversion sharply reduces the odds of recovering these specific funds. Balancer‘s BIP-908 proposal targeted dormant ETH in exploit wallets, but the hacker’s decision to move and convert the assets suggests awareness of those recovery plans.

For DeFi protocols more broadly, the Balancer episode illustrates a recurring problem. Even when exploits are quickly identified and post-mortems published, attackers retain months to plan their exit strategy. The gap between exploit and fund movement gives hackers time to study monitoring tools and choose optimal laundering routes.

This pattern echoes broader enforcement challenges in crypto. The recent U.S. freeze of $344 million in crypto assets linked to Iran demonstrated that authorities can act on illicit fund flows, but cross-chain swaps complicate jurisdiction and tracing.

DeFi governance mechanisms like Balancers BIP proposals represent a community-driven approach to recovery, but they move at the speed of governance votes while attackers move at the speed of on-chain transactions. Ongoing efforts by crypto industry groups petitioning for clearer DeFi rulemaking may eventually close some of these gaps, but regulatory frameworks remain incomplete.