
What To Know:
- SlowMist’s Yu Xian confirmed that the on-chain “white hat negotiation” messages that appeared after the Yearn exploit were part of a phishing attempt.
- The attacker prepared weeks in advance, used Railgun for privacy, funneled 1,000 ETH through Tornado Cash, and is estimated to have gained nearly $9 million.
- The yETH pool was manipulated through newly deployed self-destructing contracts, triggering major liquidity losses.
A new phishing attempt has surfaced in the fallout from the recent Yearn Finance exploit. Security researcher Yu Xian, founder of SlowMist, reported that the so-called white hat negotiation messages circulating on-chain after the attack were fabricated. He said the messages were crafted to resemble good-faith outreach but were actually part of a phishing effort. This pattern aligns closely with what occurred during the previous Balancer incident, where fake on-chain communications tried to influence public reaction and disrupt early investigative steps.
Yearn Finance (yETH) Pool Hit by Major Security Attack
This Yearn on-chain message is fake; just like the last Balancer hack, it is the work of the same fake-message phishing gang…
This attacker prepared gas 28 days ago from the Railgun privacy protocol, a very small amount of gas (0.0006384 ETH):
0xFb63aa935Cf0a003335dCE9Cca03c4F9c0fa4779
0x011C654467a2f84068325Be2C856c1D07d27f9B7… — Cos(余弦)😶🌫️ (@evilcos) December 1, 2025
The attacker responsible for the Yearn exploit operated with significant preparation. Blockchain activity shows that the individual used the Railgun privacy protocol to conceal identity weeks before the event. Two low-gas addresses were funded 28 days earlier, each receiving a very small amount of ether. These addresses served as the foundation for the exploit. After the initial setup, the attacker executed a single transaction that triggered the vulnerability. The transaction looked complex on the surface, involving multiple contract interactions and unexpected value flows.
Funds moved rapidly through the system. In total, 1,100 ETH entered the attacker’s control. Of this amount, 100 ETH was separated to support follow-up activity. The remaining 1,000 ETH was routed through Tornado Cash to obscure any final traces. Additional proceeds remain spread across other addresses. Analysts reviewing the wallet trails estimate that the attacker gained close to nine million dollars. Several observers noted that the attacker’s early preparations, timing, and series of precise micro-transactions reflect unusually deliberate behavior.
The exploit targeted yETH, a pooled asset representing several liquid staking derivatives of Ethereum. By manipulating the pool structure, the attacker generated an inflated yETH balance, draining substantial liquidity from Balancer-connected pools. Early reporting from analysts suggests roughly three million dollars in profit from this part alone, though the complete financial impact remains under evaluation. An X user monitoring liquid staking markets flagged heavy movement across Yearn, Rocket Pool, Origin, and Dinero, which provided the first community alert.
Blockchain data shows that the exploit relied on newly deployed contracts designed for rapid execution. These contracts self-destructed immediately after being used. That approach removed key information that investigators typically rely on. Prior to the attack, the yETH pool held a value of around eleven million dollars. The current deficit is still being calculated. The community reaction has been mixed. Several users pointed to lingering legacy contracts across DeFi platforms as a persistent weakness. Others noted a long history of security gaps in protocols that handle complex collateral structures.
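The preparation pattern described above (fresh addresses funded with a tiny amount of ether from a privacy protocol, weeks of dormancy, then a first outgoing transaction that deploys a contract which self-destructs in the same transaction) can be turned into a monitoring heuristic. The following is an added example, not code from Yearn, SlowMist or the original article; the privacy-pool label, the ledger records and the ~7200 blocks/day figure are constructed assumptions.

```python
from collections import defaultdict

# Constructed placeholder label: the real Railgun/Tornado Cash contract
# addresses are not on the page and are not reproduced here.
PRIVACY_SOURCES = {"0xPRIVACY_POOL_PLACEHOLDER"}
BLOCKS_PER_DAY = 7200  # assumption: ~12 s Ethereum block time

# Constructed sample ledger: 0xA1 follows the attacker-style pattern,
# 0xB2 is an ordinary exchange-funded user.
SAMPLE_TXS = [
    {"block": 100_000, "from": "0xPRIVACY_POOL_PLACEHOLDER", "to": "0xA1",
     "value_eth": 0.0006384, "creates_contract": False, "selfdestruct_in_tx": False},
    {"block": 100_010, "from": "0xEXCHANGE", "to": "0xB2",
     "value_eth": 0.5, "creates_contract": False, "selfdestruct_in_tx": False},
    {"block": 100_050, "from": "0xB2", "to": "0xDEX",
     "value_eth": 0.2, "creates_contract": False, "selfdestruct_in_tx": False},
    {"block": 100_000 + 28 * BLOCKS_PER_DAY, "from": "0xA1", "to": None,  # contract creation
     "value_eth": 0.0, "creates_contract": True, "selfdestruct_in_tx": True},
]


def flag_prepositioned(txs, privacy_sources=PRIVACY_SOURCES,
                       max_funding_eth=0.01, min_dormant_days=7):
    """Return (address, dormant_days) pairs for addresses whose first inbound
    transfer is a tiny amount from a privacy protocol, that then sit idle for
    at least min_dormant_days, and whose first outbound transaction deploys a
    contract that self-destructs within the same transaction."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for tx in sorted(txs, key=lambda t: t["block"]):
        if tx["to"] is not None:
            incoming[tx["to"]].append(tx)
        outgoing[tx["from"]].append(tx)

    flagged = []
    for addr, funds in incoming.items():
        first_in = funds[0]
        if first_in["from"] not in privacy_sources or first_in["value_eth"] > max_funding_eth:
            continue
        outs = outgoing.get(addr)
        if not outs:
            continue  # funded but still dormant: worth watching, not yet flagged
        first_out = outs[0]
        dormant_days = (first_out["block"] - first_in["block"]) / BLOCKS_PER_DAY
        if (dormant_days >= min_dormant_days and first_out["creates_contract"]
                and first_out["selfdestruct_in_tx"]):
            flagged.append((addr, round(dormant_days, 1)))
    return flagged
```

Each of the three conditions is individually common on-chain; it is their conjunction on a single address that makes the pattern worth an alert, which is why the thresholds are parameters.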
Yearn Finance itself has faced multiple security issues. Its 2021 hack resulted in an eleven million dollar loss in the yDAI vault. The attacker retained nearly three million dollars from that event. A later issue in 2023 created further complications when a faulty script erased a large portion of a treasury position. These incidents form a pattern that continues to weigh on user confidence in the protocol.
The crypto industry is also facing heavy losses this month. Data from CertiK shows that the industry lost approximately 127 million dollars to hacks and exploits in November. Actual impacted funds were higher at 172 million dollars, though around 45 million dollars has since been recovered. The Balancer attack contributed the largest single loss, with more than 116 million dollars drained from pools across several chains. DeFi exploits accounted for roughly 135 million dollars in losses, while nearly 30 million dollars came from exchange breaches.
The surge in attacks is steering several networks toward emergency recovery measures. Berachain, a Layer 1 compatible with Ethereum, is distributing upgrade files after its BEX protocol was targeted in the same cycle of exploits. In a notable twist, the individual who drained BEX liquidity identified as a white hat participant and agreed to return funds. Validators have begun updating their nodes.
Also Read: BNB Chain Completes Compensation for Oct 1 Security Attack Victims
