The exploiter behind the $40 million drain of the decentralized perpetual exchange GMX, which occurred earlier this week, has begun returning the stolen funds.
The exploiter started returning ETH and other tokens after seemingly accepting the project’s $5 million white-hat bug bounty offer.
The exploit is another blight on a cryptocurrency industry that saw investors lose $2.5 billion to hacks and scams in the first half of 2025, according to a CertiK report. This is an increase from the nearly $1.5 billion in 2024.
GMX Hacker Starts Returning The Stolen Funds
On July 9, 2025, a hacker exploited GMX’s V1 GLP pool on Arbitrum, stealing over $40 million in various cryptocurrencies, including USDC, FRAX, WBTC, and WETH, prompting GMX to halt V1 trading and minting both on Arbitrum and Avalanche.
The breach, which did not affect GMX V2 or its native token, led GMX to offer the attacker a 10% bounty via an on-chain message, committing not to pursue legal action if the remaining funds were returned within 48 hours.
Responding to GMX in another on-chain message on Friday, the exploiter said simply, “ok, funds will be returned later,” as noted by blockchain security firm PeckShield on X.
Shortly after, one of the exploiter’s addresses returned 5.5 million FRAX ($5.5 million) to the GMX Deployer in an initial transaction, followed by another 5 million FRAX ($5 million) transfer, PeckShield flagged.
GMX’s native token dropped 28% in the aftermath of the attack to a low of $10.45.
While it had already begun to recover, the token subsequently surged around 14% on Friday after the hacker agreed to return the funds, according to TradingView. GMX is currently trading for $13.25.
GMX Hack Post-Mortem
In a post-mortem on Thursday, the project confirmed GMX V1 on Arbitrum was exploited for around $40 million through a re-entrancy vulnerability in the OrderBook contract, which allowed an attacker to manipulate the average short price of BTC, inflate the GLP liquidity provider token price, and redeem at a profit.
The team quickly paused trading, coordinated with partners to track funds, and confirmed GMX V2 was not affected.
Going forward, GLP minting and redemption on Arbitrum will be disabled. Remaining funds will be allocated for reimbursement, and affected users will be able to close their positions, it said.
The team also issued guidance for GMX V1 forks to mitigate similar risks and plans to hold a DAO discussion on further reimbursement measures. GMX V2 operations remain unaffected.
“Posting this message in hopes of connecting with the individual responsible for the GMX V1 exploit,” GMX added on X.
“You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions. The white-hat bug bounty of $5 million continues to be available” — covered by the project’s treasury.
GMX allows users to trade BTC, ETH, AVAX, and other cryptocurrencies with up to 100 times leverage.
The platform initially launched on Arbitrum One in 2021 and has since amassed $306 billion in total trading volume, with over $265 million in current open interest across nearly 715,000 users, according to its website.