Hacker Returns $20 Million After GMX Offers $5 Million Bounty

The attacker who exploited the GMX v1 decentralized exchange (DEX) and stole $40 million in crypto started returning the stolen funds after sending an onchain message promising to return the crypto taken during the hack. The hacker wrote in an onchain message, “Ok, funds will be returned later,” accepting the bounty offered by the GMX team. Almost an hour later, the hacker started returning the crypto stolen from the attack. At the time of writing, the address labeled GMX Exploiter 2 returned about $9 million in Ether (ETH) to the Ethereum address specified by the GMX team in an onchain message. Furthermore, the attacker returned about $5.5 million in FRAX tokens to the GMX team. After a while, the hacker returned another $5 million in FRAX tokens to the GMX address. At the time of writing, about $20 million in assets had already been returned to GMX.

The exploit on Wednesday targeted a liquidity pool on GMX v1, the first iteration of the perpetual trading platform deployed on Arbitrum. The attacker drained various crypto assets from the platform after exploiting a design flaw that allowed the attacker to manipulate the value of GLP tokens. In an X post, the GMX team recognized the abilities of the hacker and offered a bounty of $5 million for the return of the funds stolen during the attack. The team promised that the amount would be categorized as a white hat bounty that the hacker could freely spend as soon as the funds were returned. “You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” GMX wrote. “The white hat bug bounty of $5 million continues to be available.” The GMX team said that this would allow the hacker to remove the risks associated with spending stolen funds. The team even offered to provide proof of the source of funds should the hacker require it. On the other hand, the GMX team threatened to pursue legal action if the hacker did not return the stolen funds. In an onchain message, the GMX team told the hacker they would pursue legal action in 48 hours if the funds were not returned. In the message, the team said the hacker can take 10% of the stolen funds as a white hat bounty reward as long as 90% of the crypto is returned to the addresses they specified.

On July 11, 2025, the decentralized futures exchange GMX experienced a significant security breach, resulting in the theft of approximately $40 million from its GLP pool. The exploit targeted the first version of the protocol on the Arbitrum blockchain, allowing the attacker to manipulate GLP token prices through a re-entrancy vulnerability. This vulnerability enabled abnormal GLP token minting, leading to substantial losses for the platform. The stolen funds were initially held in USDC before being laundered through new wallets, with a significant portion converted into 11,700 ETH. In response to the exploit, GMX halted trading and token minting to investigate the incident and mitigate further damage. The platform offered a 10% white hat bounty to the attacker if the remaining 90% of the stolen funds were returned within 48 hours. This move was part of an effort to recover the stolen assets and restore trust in the platform's security measures. The incident highlights the ongoing challenges faced by decentralized exchanges in securing their platforms against sophisticated attacks. Despite claiming robust third-party audits, GMX was unable to prevent the exploit, raising questions about the effectiveness of current security measures in the crypto industry. The attack serves as a stark reminder of the need for continuous improvement in cybersecurity protocols to protect against evolving threats. The return of the stolen funds by the hacker marks a significant development in the aftermath of the exploit. This unexpected turn of events has raised questions about the motivations behind the hacker's actions and the potential for future collaborations between hackers and platforms to recover stolen assets. The incident also underscores the importance of transparency and communication in the crypto industry, as platforms work to rebuild trust with their users following security breaches.