The attacker who recently exploited the GMX v1 decentralized exchange (DEX) and made off with $40 million in crypto has started returning the stolen funds. The move follows an onchain message in which the hacker accepted a bounty offer from the GMX team and promised to return the assets.
According to blockchain security firm PeckShield, the exploiter left a brief but clear message onchain: “Ok, funds will be returned later.”
The exploit, which occurred on Wednesday, targeted a liquidity pool within GMX v1 by manipulating the valuation mechanics of GMX’s GLP tokens. The sophisticated maneuver allowed the attacker to siphon off a range of crypto assets from the platform.
$20 Million Returned So Far
Roughly an hour after the message was broadcast, the hacker began transferring the stolen funds back to GMX. PeckShield reports that the address labeled “GMX Exploiter 2” returned approximately $9 million worth of Ether (ETH) to a designated Ethereum address provided by GMX.
In separate transactions, the hacker also returned $5.5 million and later an additional $5 million in FRAX stablecoins. As of the latest update, nearly $20 million of the stolen assets have been returned.
GMX Offers White Hat Bounty, Threatens Legal Action
Following the breach, the GMX team acknowledged the hacker’s technical skills in an X post and extended a $5 million white hat bounty. The team emphasized that the attacker would be free to use the bounty and that it would eliminate the legal and financial risks associated with holding stolen funds.
“You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” GMX stated. “The white hat bug bounty of $5 million continues to be available.”
To incentivize the return of funds, GMX also threatened to initiate legal proceedings within 48 hours if the assets weren’t returned. They offered the attacker a deal: keep 10% of the stolen funds as a reward and return the remaining 90% to the specified addresses.
What’s Next?
With half of the stolen funds now returned, attention turns to whether the exploiter will follow through completely. The case has sparked renewed discussion around DEX vulnerabilities and the growing trend of hackers negotiating bounties post-exploit.