GMX exploiter returns stolen crypto after $42m hack

The exploiter who swiped $42 million from GMX returned almost all of the stolen funds on Friday morning after receiving a bounty offer from members of the decentralised perpetual futures exchange’s team.
On Wednesday, the exploiter used bugs in a version of GMX’s codebase to steal the funds, including stablecoins and wrapped versions of Bitcoin and Ethereum, among others.
At 7:29 am London time, the exploiter sent a short onchain message directed to the GMX team. “Ok, funds will be returned later,” the message said.
The exploiter began returning the funds at 9:08 am, sending $10.4 million worth of stablecoins over two transactions, onchain records show. Over the hours that followed, they returned a further 10,000 Ether and other assets totalling $40.5 million.
“Thank you ser, we love GMX,” an Arbitrum address belonging to an unknown observer said in an onchain message sent to the exploiter.
The return of funds comes after the GMX team engaged the exploiter via an onchain message shortly after the hack, offering a 10% white hat bounty for the return of the stolen funds within 48 hours.
It’s not clear if the exploiter decided to accept the 10% bounty, as they returned more than 90% of the stolen funds.
When the exploiter stole the funds, they converted most of them into Ether. Since then, the price of Ether increased by around 14%.
The exploiter still holds 1,700 Ether worth $5.1 million.
Re-entrancy attack
GMX published a post-mortem of the attack on Thursday.
It identified the root cause of the exploit as a re-entrancy attack, a type of vulnerability that lets an attacker call back into a smart contract before an earlier call has finished, so that certain actions, like withdrawals, can be repeated more times than intended and funds drained.
Re-entrancy attacks are one of the most commonly exploited vulnerabilities in DeFi, despite having been identified as a problem as far back as 2016.
Other protocols that used GMX’s code, called forks, could still be at risk.
“We urge all GMX V1 forks to take the necessary steps to prevent this exploit, if these haven’t already been taken,” GMX said.
Uncommon
Exploiters returning funds after hacking decentralised finance protocols is uncommon, but not unheard of.
One of the most high-profile cases of an exploiter returning funds happened after the Euler Finance hack in 2023. The exploiter eventually returned the $176 million worth of stolen crypto two weeks after stealing it.
However, many more exploits don’t have such happy endings.
In February, a hacker stole an eye-watering $1.4 billion from crypto exchange Bybit in a complex attack that involved compromising the exchange’s wallet provider, Safe.
The Bybit theft marked 2025 as the worst year so far for crypto hacks due to the amount stolen.
Security researchers pinned the attack on North Korean hackers, who don’t usually return funds.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.