After being silent for nearly five months, the hacker who stole approximately $98 million in assets from Balancer in November 2025 finally pressed the "continue" button. The address that had been inactive on-chain suddenly became active on April 24, 2026—not with tentative small transfers, but with a large-scale asset maneuver that directly impacted market sentiment.
According to monitoring by Ember (@EmberCN), starting from April 24, the hacker began to exchange ETH for BTC in batches through the decentralized cross-chain liquidity protocol THORChain. In just two days, he had exchanged about 14,300 ETH for approximately 419.3 BTC, with an estimated market value of around $32.51 million at the time. This flow of funds was completed via THORChain, making the entire operation more difficult to disrupt at a single point since it did not rely on traditional centralized channels.
As of April 25, the hacker still held about 7,700 ETH on Ethereum and approximately 419.3 BTC on the Bitcoin chain, with a total combined market value of about $50.4 million. Compared to the book size of about $98 million when the attack occurred, this amount of stolen funds has clearly shrunk—partly due to passive evaporation from price corrections and partly due to the active cross-chain reallocation and the ongoing spinning of the risk roulette.
Several Chinese media outlets quickly quoted Ember's on-chain data, bringing three questions back into the spotlight: the role of THORChain, whether selling pressure would continue, and whether the funds could still be effectively tracked. Identity, nationality, and organizational affiliation remain blank; this address, which once caused a stir in the market with an attack, now leaves a new mystery: after exchanging ETH for BTC, what does he plan to do next?
Five Months of Silence After the $98 Million Heist
To understand this sudden concentrated exchange action, we need to rewind to November 2025. At that time, Balancer, one of the veteran decentralized trading protocols, was stabbed in the back: its contract was breached, and approximately $98 million in assets was transferred away in a short time. The average price of ETH was then around $3,600, which meant that the hacker had snatched an amount equivalent to "tens of thousands of ETH," a number that stood out on the DeFi security incident list for that year.
In the days immediately following the attack, the on-chain community went through a familiar procedure: the project team conducted urgent investigations and issued reassurances, the security team worked overnight to analyze what had happened, and media outlets prominently displayed "$98 million" in their headlines. Various speculations circulated on social media: some focused on the attack route, while others attempted to profile the hacker based on on-chain behavior. But soon, another more unusual detail emerged: the attacker who had taken the huge amount of ETH did not quickly disperse and transfer the tokens, as in many past cases, but almost seemed to have pressed the "pause button" right there.
From November 2025 to mid-April 2026, there were no significant transfers of funds from the involved address on-chain. The curve on the monitoring panel, after an initial sharp spike, seemed to be artificially cut off and reverted to a calm line. There were no frequent small splits, no complex multi-hop obfuscation paths, and typical signs of eager "washing" were nowhere to be seen—this near "playing dead" state was unreasonable for an attacker controlling nearly $100 million in tokens.
As time dragged on, public attention began to drift elsewhere. New vulnerabilities and losses continued to emerge, and the $98 million heist of Balancer gradually fell into the "historical cases" category. For most onlookers, this felt like an indefinitely shelved case: the hacker remained inactive, regulators and security teams lacked new breakthroughs, and the on-chain atmosphere consisted merely of a string of immobile addresses along with a sum that seemed to be eternally sealed away.
This nearly five-month silence led many to subconsciously form a delusion—maybe the hacker had given up, and maybe this money would just lie there on-chain, becoming a textbook "cold case." Until April 24, 2026, when this impression was suddenly shattered: the relevant addresses began to execute cross-chain exchange operations through THORChain, and the long-dormant ETH balances were quickly activated and exchanged for BTC, marking the reopening of the flow of funds.
The transition from "almost no activity" to "intense exchanges" was abrupt. During the five months, observers had grown accustomed to the stillness of those addresses; even if there were occasional minor operations, they were not enough to disrupt the narrative of "silence." However, after April 24, what the market witnessed was an organized large-scale token exchange: about 14,300 ETH were exchanged for approximately 419.3 BTC in a short time, the magnitude and pace contrasting sharply with the previous restraint.
It was this break from silence to eruption that magnified scrutiny of this financial maneuver: these were still the same chips that had been swept away in the $98 million attack of November 2025, and still the same address that had long remained motionless; only now it had finally chosen to break its silence, and the tension of the entire story was forcibly pulled back.
Why the Hacker Chose THORChain Over Exchanges
To understand why the hacker chose to complete the cross-chain exchange of 14,300 ETH for BTC through THORChain, one must first clarify how this channel differs from traditional withdrawal routes.
THORChain is essentially a decentralized cross-chain liquidity protocol, and what it does is quite straightforward: it provides direct asset-to-asset exchanges across multiple public chains, including Bitcoin and Ethereum. Users do not need to wrap BTC into some sort of token, nor do they need to entrust ETH to a centralized entity that "credits" it on the target chain. Funds are deposited into THORChain's liquidity pool on the corresponding chain, the protocol layer settles according to on-chain rules, and the user ultimately receives the native asset on the target chain, for example depositing ETH on Ethereum and receiving BTC directly on the Bitcoin chain. Compared to cross-chain bridges that rely on custodial assets or wrapped tokens, THORChain's design goal is to not depend on a single centralized custodian, with some sources even describing it as "not involving third-party minting or custody," though this statement currently only comes from a single source and still requires further verification.
This is clearly a completely different logic from the route that the hacker, like regulators, is most familiar with: the centralized exchange. Centralized platforms require account opening and KYC, with deposits and withdrawals leaving traces in a database the company controls. Once identity information is linked to on-chain addresses, the entire flow of funds becomes a "named and identified" case clue. More realistically, as long as the funds are genuinely deposited into the exchange, the platform has the authority to directly freeze suspicious assets and cooperate with law enforcement investigations. For an attacker holding a significant amount of stolen funds and already being highly scrutinized by the on-chain community, going this route would almost be handing over the initiative.
Cross-chain bridges look more "decentralized" on the surface, but in practice, they often rely on a centralized custody point: assets are locked in a contract on the source chain while corresponding wrapped tokens are minted on the target chain. This mode means that as long as that custody point or contract encounters issues or is closely monitored by regulators, the entire funding channel could be cut off. In contrast, native cross-chain liquidity protocols like THORChain break funds into multiple on-chain pools, facilitating exchanges through on-chain consensus and liquidity incentives. For the hacker, the opponent is no longer a single entity that could directly "press the pause button," but rather a whole set of distributed rules. For those tracking, this is not entirely invisible, but to precisely intervene in any one link is more difficult than sending a cooperation letter to a specific platform.
Placing this framework back on the timeline of the Balancer incident makes it easier to see the hacker's choices: after nearly five months of silence, he did not opt to deposit 14,300 ETH into any large centralized exchange but rather, starting April 24, chose to exchange them in batches for approximately 419.3 BTC via THORChain. On-chain analyst Ember (@EmberCN) continuously monitored this financial path, and multiple Chinese media outlets referenced his data: it was cross-chain and asset conversion, but the hacker deliberately circumvented the two most sensitive aspects—centralized custody and real-name systems—leaving the risks as much as possible in the higher collaborative costs of the on-chain world.
This is not the first time THORChain has appeared in the migratory path of attack funds. Previously, similar cases have been reported multiple times: stolen assets lie "flat on the source chain" for a while before suddenly initiating cross-chain and asset conversion, with THORChain or similar protocols often serving as the key switching channel. With the cross-chain conversion of these 14,300 ETH through THORChain in the Balancer incident, the controversies surrounding it have also been thrust into sharper relief—supporters see it as one of the few infrastructures that can facilitate direct matching of native assets across multiple public chains, protecting user property autonomy; on the other hand, those concerned view it as a new tool for enhancing the difficulty of law enforcement tracking and facilitating "track switching" for large amounts of suspicious funds. The tension between regulation and privacy, accountability and decentralization, has twisted itself into a tighter rope around this THORChain node, with the Balancer hacker simply pulling this rope into everyone's view once more.
14,300 ETH Escape, Markets Respond
The "track switching channel" of THORChain is truly bearing weight: from April 24 to 25, the Balancer hacker exchanged approximately 14,300 ETH for about 419.3 BTC, worth around $32.51 million. Looking at the numbers alone, this is not the kind of "hundreds of exploratory transfers," but rather a volume that could create ripples in any major asset's trading market. How big a splash it could make on the market depends on the real trading volume and depth of ETH trading pairs at that time—specific market data needs to be supplemented by downstream sources when writing, with clear indications of their origin.
Emotionally, the market is not facing a normal sell order but rather "cash-out of stolen funds." When the on-chain monitoring accounts began continuously reporting "the hacker is selling X amount of ETH again," this itself created additional pressure: even if the current depth is sufficient and price fluctuations are smoothed out, traders will instinctively view these 14,300 ETH as a signal for a one-time release of sell pressure, while considering the remaining 7,700 ETH as a knife still hanging over their heads. As long as these tokens remain on Ethereum and have not been fully exchanged out, each new on-chain movement could be interpreted as a prelude to "the next rate drop," extending the panic and anticipation over time.
More subtly, the total value of the tokens the hacker ultimately liquidated has become far less "astonishing" than in November 2025. From the initial attack value of about $98 million, to the current estimated worth of about $50.4 million for both chains, much of the depreciation in between comes from ETH's price correction over the past few months. This means that even if the hacker sells all remaining ETH now, it would be hard to recreate the imagination of a "single address controlling massive assets," yet for short-term traders, those 7,700 ETH that have not yet moved still need to be factored in as potential downward pressure.
On one end of the exchange is the selling pressure on ETH; on the other end are the BTC acquired. About 419.3 BTC, valued at around $30 million, may not stand out in the deeper and broader liquidity river of Bitcoin. It resembles the holdings of a medium-sized whale rather than a super whale capable of turning the market around. But that does not mean it can be completely ignored: once the market confirms that these BTC are still in the hacker's possession, they will be tagged as "high-risk inventory," entering various risk control models and public narratives. Regardless of whether they are sold off gradually after being split or transferred in bulk to new venues for sale, they will be regarded as sources of marginal selling pressure on the BTC side; this time, the carrier of pressure has shifted from ETH to BTC.
Ultimately, these 14,300 exchanged ETH and the remaining 7,700 ETH lying on the chain together create a new uncertainty: the hacker's assets are no longer dormant but are searching for an exit within a deeper global liquidity network. As for the impact of this capital exodus on the short-term prices of ETH and BTC, determining how long it casts a "shadow" requires looking at the trading volumes, bid-ask depths, and other real-time data from the day of the incident; when downstream sources supplement this information, they must clearly indicate their data sources and time dimensions.
On-chain Hunters Face Off Against Decentralized Mists
What truly elevated this round of financial movements from cold trading records into the public eye is a single individual: on-chain analyst Ember (@EmberCN).
Starting from April 24, when the relevant addresses began to exchange ETH for BTC through THORChain in batches, he was almost the first to provide "live commentary" on social media. On his timeline, the funding path was dismantled into traceable links: starting from earlier addresses holding tokens related to the Balancer attack, flowing to the entry point of the cross-chain exchange, then completing the ETH→BTC conversion on THORChain, and finally landing on the receiving address on the Bitcoin chain—what once belonged only to a few professional teams has been unfolded before the public in threads and long images.
As of April 25, the key numbers he disclosed (approximately 14,300 ETH having been exchanged for about 419.3 BTC, while about 7,700 ETH remained on Ethereum) painted a new asset distribution map for the outside world, making the "escape" no longer just an abstract risk expectation but one with a clear quantitative outline. It is essential to emphasize that more granular details, such as certain suspected transit addresses and hourly exchange rhythms, mainly come from public analyses by Ember and a few other on-chain intelligence accounts; downstream references can only treat these as "information pending verification," must indicate sources and credibility, and cannot directly elevate them to verified facts.
When the on-chain hunter completed this mapping, the microphone quickly passed to other media outlets. Foresight News, Deep Tide TechFlow, PANews, and Odaily Star Daily among other Chinese media outlets almost simultaneously cited Ember's monitoring data, transforming his original monitoring screenshots and threads into titles like “Hacker sells 14,300 ETH” and “THORChain becomes cross-chain outlet again.” Technical tracking was translated into narratives that could spread quickly—within charts and simplified numbers, descriptions of the hacker "waking up," "running away," and "accumulating BTC" began to overshadow the underlying protocol details, and the event's influence was amplified accordingly.
This amplification was not limited to emotional aspects. In their reports, media outlets constantly emphasized two sets of information: first, the hacker's current holdings on two mainstream public chains—about 7,700 ETH on Ethereum and about 419.3 BTC on Bitcoin, with a total value of approximately $50.4 million, a noticeable reduction from the book value of roughly $98 million when the attack occurred in November 2025; second, that the primary cross-chain channel for these assets was THORChain rather than a traditional centralized platform. The former reinforced public perception of "book losses" and "time costs," while the latter directed discussion toward an even thornier issue: under this architecture, what traditional regulatory and tracking actions can still be taken?
Protocols like THORChain operate on a different logic: providing cross-chain liquidity in a decentralized manner through smart contracts and a node network without relying on a single centralized custody account. For ordinary users, this means "no need to entrust assets to a platform for cross-chain exchange," while for law enforcement trying to track and freeze hacker assets, it means that many previously effective paths (requiring exchanges to freeze accounts, retrieving records from custodians, and applying pressure through centralized clearing layers) are largely ineffective here.
Public information shows that to date, no authoritative sources have confirmed that any organizations have successfully frozen assets related to this case, nor has there been confirmation that the BTC exchanged by the hacker is stuck on any traditional platform. This is not surprising: within the framework of something like THORChain, funds flow automatically between multiple nodes and chains through contracts, with no single "controllable master link" to be directed. While on-chain data certainly exposes every major conversion the hacker makes, "seeing" does not automatically equal "stopping," especially when liquidity itself is scattered among decentralized nodes.
As a result, the scene becomes one of confrontation: on one side are on-chain hunters like Ember, using public ledgers, tagging systems, and data analysis to make the hacker's movements as transparent as possible; on the other side is the decentralized liquidity network represented by THORChain, which strives to strip away singular control rights in its design, making it very difficult for any "visible hand" to reach directly into the system's inner workings. The media spotlight allows this ongoing contest to be seen by more people and brings a sharper question to the surface: under such a technical stack, to what extent can traditional law enforcement intervene, or will it only be left with increasingly dense but difficult-to-act-on "tracking reports" on-chain?
Remaining 7,700 ETH Suspended Over the Market
Since the attack in November 2025, valued at approximately $98 million, the main storyline has not changed: a massive amount of stolen assets has been locked in a few addresses, like a stone that could fall at any moment, suspended over the entire market. When the attack occurred, ETH was priced around $3,600, making the hacker's chips extremely valuable on paper; over the next five months, these addresses saw almost no substantial transfers, leaving only trace activity on-chain. While public attention gradually cooled, that "stone" did not disappear; it simply remained still in midair.
Until April 24, 2026, when the silence was broken. The relevant addresses began exchanging ETH for BTC in batches through cross-chain liquidity protocols like THORChain, and the flow of funds was quickly recorded on-chain once more. In just two days, about 14,300 ETH were exchanged for approximately 419.3 BTC, estimated to be worth around $32.51 million at the time. This series of transaction trajectories was captured and made public by on-chain analyst Ember (@EmberCN), with several Chinese crypto media following up on reports, bringing the long-unmentioned Balancer attack case back into the spotlight.
Returning the focus to the present, the hacker's ledger has shifted from what was nearly a "pure ETH position" to a half-and-half situation between Ethereum and Bitcoin: on-chain data shows that he still holds about 7,700 ETH on Ethereum and approximately 419.3 BTC on the Bitcoin chain, with a total market value of about $50.4 million. Compared to the starting point of about $98 million, this represents a significant shrinkage—partly due to ETH price corrections and partly due to the "exchange process itself not compensating for losses." For the market, what is more impactful is not how "losses" rack up in the accounting, but rather the fact that this more than $50 million worth of assets still lies in the hands of the attacker.
The approximately 7,700 ETH that have yet to be disposed of are the most direct tokens suspended over the market. If there is further substantial liquidation or cross-chain action, it will undoubtedly create new waves of public sentiment in a short time, while the BTC acquired extends this shadow from Ethereum into the Bitcoin ecosystem—both chains now harbor a large amount of assets with "clear source issues and unclear destinations." They may not specifically strike the market at a particular price point, but as long as they remain in the attacker's address, they will be seen as core chips in the potential sell pressure and regulatory tracking contest.
Surrounding this incident, external parties have begun to broaden their perspective. Some analyses juxtapose it with other DeFi attacks (such as the KelpDAO incident), speculating whether the hacker is "drawing lessons" from previous examples, but currently these remain commentary and hypotheses rather than verified facts. What can be confirmed is this: from Balancer's breach to five months of on-chain silence, to concentrated exchanges through THORChain in late April, this path has become a case study for security teams, protocol developers, and regulators alike.
For DeFi, the impact lies not only in being "successfully attacked" once more, but also in what happens afterward: the attacker can maintain an invisible state for a considerable amount of time, waiting for the right window, then utilize cross-chain liquidity networks to reorganize asset structures while avoiding direct risk control paths of traditional centralized channels. This compels protocol designers to reassess: to what extent should permissions be managed, risks isolated, and attack surfaces exposed; as cross-chain protocols pursue openness and decentralization, do they need to reserve more interfaces for dialogue with security and compliance at both protocol and governance levels?
As for regulatory collaboration, the Balancer incident offers a blunt reminder: under such a technical stack, the power of a single judicial jurisdiction or entity is extremely limited. Tracking can be carried out across chains and time zones, but freezing and recovering must cross real-world boundaries. How to allow law enforcement and regulators from different countries and regions to form truly executable collaborations without stifling open networks, rather than merely settling for post-event reports and on-chain data screenshots, is a long-term question this incident leaves for all participants.
Who the hacker is, where he is, and what he plans to do next currently remains without authoritative conclusion. The only clear entities are the cold on-chain numbers: the 419.3 BTC that have been repeatedly marked, and the approximately 7,700 ETH that still lie quietly on Ethereum. They serve as both an unfinished clue and a mirror, reflecting the vulnerabilities in DeFi security assumptions, the sharp edges of cross-chain protocol designs, and the hesitations and blanks of real-world regulation in the face of a new paradigm.