GMX hacker starts returning $40M after accepting $5M bounty

The attacker who exploited GMX v1, a decentralized exchange (DEX) deployed on Arbitrum, has begun returning funds stolen in a $40 million crypto exploit, after accepting a $5 million white hat bounty proposed by the GMX team.

In an onchain message flagged by blockchain security firm PeckShield, the hacker confirmed intent to return the funds, stating: “Ok, funds will be returned later.” The message was sent in response to GMX’s bounty offer and marked the start of the fund recovery process.

Stolen funds begin to flow back

Nearly an hour after the onchain message, the wallet labeled GMX Exploiter 2 began transferring funds back. At the time of writing, about $9 million in Ether (ETH) had been returned to the Ethereum address shared by GMX in a previous onchain message.

PeckShield also noted the attacker returned approximately $5.5 million in FRAX tokens, followed by another $5 million in FRAX, bringing the total recovered amount to roughly $20 million.

The exploit, which occurred on Wednesday, targeted a liquidity pool on GMX v1, where the attacker used a design flaw to manipulate the value of GLP tokens, enabling the theft of multiple crypto assets.

GMX offers $5M white hat bounty

In a public statement on X, the GMX team acknowledged the hacker’s technical capabilities and extended a formal offer of a $5 million white hat bounty. The bounty, they said, could be spent freely once the stolen funds were returned.

The GMX team added that accepting the bounty would remove legal risk associated with spending the stolen crypto. They even offered to provide proof of the source of funds to assist the hacker if needed.

However, in an onchain message, GMX warned that if the funds were not returned within 48 hours, the team would move forward with legal action. The message stated that the hacker could keep 10% of the stolen assets as a white hat bounty, provided 90% was returned to addresses specified by GMX.