GMX Hacker Returns $20 Million in Stolen Crypto

The attacker who exploited the GMX v1 decentralized exchange (DEX) and stole $40 million in crypto started returning the stolen funds after sending an onchain message promising to return the crypto taken during the hack. The hacker, who had initially transferred the funds to an unknown wallet, eventually returned the stolen assets to GMX. This unexpected turn of events has raised questions about the motivations behind the hacker's actions and the potential for future exploits in the decentralized finance (DeFi) space.

In an onchain message flagged by a blockchain security firm, the hacker wrote that the funds will be returned. “Ok, funds will be returned later,” the exploiter wrote in an onchain message, accepting the bounty offered by the GMX team. Almost an hour later, the hacker started returning the crypto stolen from the attack. At the time of writing, the address labeled GMX Exploiter 2 returned about $9 million in Ether (ETH) to the EthereumETH-- address specified by the GMX team in an onchain message. Furthermore, the attacker returned about $5.5 million in FRAX tokens to the GMX team. After a while, the hacker returned another $5 million in FRAX tokens to the GMX address. At the time of writing, about $20 million in assets had already been returned to GMX.

The exploit on Wednesday targeted a liquidity pool on GMX v1, the first iteration of the perpetual trading platform deployed on Arbitrum. The attacker drained various crypto assets from the platform after exploiting a design flaw that allowed the attacker to manipulate the value of GLP tokens. The GMX team recognized the abilities of the hacker and offered a bounty of $5 million for the return of the funds stolen during the attack. The team promised that the amount would be categorized as a white hat bounty that the hacker could freely spend as soon as the funds were returned. “You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” GMX wrote. “The white hat bug bounty of $5 million continues to be available.” The GMX team said that this would allow the hacker to remove the risks associated with spending stolen funds. The team even offered to provide proof of the source of funds should the hacker require it. On the other hand, the GMX team threatened to pursue legal action if the hacker did not return the stolen funds. In an onchain message, the GMX team told the hacker they would pursue legal action in 48 hours if the funds were not returned. In the message, the team said the hacker can take 10% of the stolen funds as a white hat bounty reward as long as 90% of the crypto is returned to the addresses they specified.

On July 11, 2025, the decentralized futures exchange GMX experienced a significant security breach, resulting in the theft of approximately $40 million from its liquidity pool on the Arbitrum network. The exploit targeted the first version of the GMX protocol, known as GMX V1, which is a perpetual exchange deployed on Arbitrum. The attacker manipulated short positions on BitcoinBTC-- (BTC) by exploiting a re-entrancy flaw in the OrderBook contract, allowing them to manipulate the GLP token price through the calculation of the total assets under management. This vulnerability enabled the attacker to mint an abnormal amount of GLP tokens, leading to the theft of funds. Following the exploit, GMX immediately halted trading and token minting on both the Arbitrum and Avalanche networks to prevent further losses. The protocol team assured users that the exploit did not affect GMX V2, its markets, or liquidity pools, nor the GMX token itself. Users were instructed to disable leverage and change their settings to disable GLP minting as a precautionary measure. The stolen funds, initially held in USDC, were later converted into 11,700 ETH by the attacker.

In response to the exploit, GMX offered a 10% white hat bounty to the hacker if they returned the stolen funds. This offer was made in an effort to recover the assets and mitigate the damage caused by the cyberattack. The GMX exploit is the latest in a series of high-profile cyberattacks targeting decentralized exchanges and other crypto platforms. These incidents highlight the ongoing challenges faced by the crypto industry in securing its infrastructure and protecting user funds. The exploit has also underscored the importance of thorough smart contract audits and the need for continuous monitoring and improvement of security measures in the DeFi ecosystem. As the industry continues to evolve, it is crucial for platforms to prioritize security and transparency to build trust with users and attract new participants.