GMX hacker starts returning the stolen funds

The GMX exchange hacker posted a message that he would return the funds ‘later’ and made good on the promise, starting with FRAX tokens. Previously, the GMX team offered a 10% white hat bounty and no law enforcement actions in exchange for returning the $42M in ETH and stablecoins. 

The GMX hacker posted an on-chain message, promising he would return the funds “later.” Just minutes after that, the first tokens were returned, sending 5M FRAX back to the GMX deployer contract. 

#PeckShieldAlert #GMX Exploiter has returned another 5M $FRAX to #GMX: Deployer pic.twitter.com/95xjVqTnad

— PeckShieldAlert (@PeckShieldAlert) July 11, 2025

Soon after that, the hacker continued by returning 3K ETH. All of the exploiter’s wallets were flagged, though it would not prevent mixing, if the hacker decided to keep the funds. 

The GMX hack also raised the question of USDC freezes. Circle is capable of freezing USDC, but usually takes hours after an exploit to do this. In this case, the hacker had plenty of time to swap and distribute the funds, bridging all proceeds from Arbitrum to Ethereum. 

Previously, the hacker consolidated most funds on the Ethereum network, splitting the DAI stablecoins into multiple wallets in preparation for mixing. The hacker emptied out the initial exploit wallet, and has been moving the funds into addresses. Apparently, the offer of a 10% bounty for returning the funds within 48 hours was considered good enough. 

The hacker will net around $5M, leaving GMX with most of its vaults refilled. However, the attack still crashed the value of the GMX token by up to 30%, erasing millions of notional value. GMX is still not fully recovered, trading at $13.28.

GMX hacker makes a successful ETH trade

The hacker chose a fortunate moment to switch some of the funds to ETH. To consolidate the tokens taken from GMX V1 vaults, the hacker swapped them into 11,700 ETH. 

The trades happened just as ETH coasted around $2,600, before its big rally to over $3,000. Initially, the hacker swapped $32M in various assets, which are now valued at over $35M, netting a small gain. 

In theory, the hacker could choose to sell the ETH, return stablecoins or other tokens, and retain the difference. The hacker addresses have received multiple messages, finally responding to the original team message from xviv.eth. 

GMX uncovers flawed order book contract

The GMX team narrowed down the exploit issue to an order book contract. The contract itself protected against reentrancy, but the hacker called an external function outside the contract, bypassing the protection. 

Overall, the exploit cut a small dent in all token pairs, as GMX had multiple versions with safe vaults. During the day of the exploit, the GLP pool generated over $717K in daily fees, reflecting the heightened activity of exploiting the value of the GLP token.

The attacker was then able to manipulate the price of the GLP token, by bringing down the BTC short price to an anomaly of $1,913.70. This allowed the hacker to inflate GLP to an unfair price of $27, then use the unfair value to drain trading pools. 

GMX still carries $409.27M, down from a recent level above $480M before the exploit. The DeFi vaults suffered additional losses as an after-effect of the hack.

KEY Difference Wire helps crypto brands break through and dominate headlines fast