A hacker exploited GMX for $40 million but returned half after accepting a white hat bounty.
GMX GMX $11.68 24h volatility: 4.2% Market cap: $119.26 M Vol. 24h: $77.12 M , a decentralized exchange on Arbitrum ARB $0.40 24h volatility: 11.5% Market cap: $1.97 B Vol. 24h: $405.11 M , was hit with a $40 million exploit on July 9 after an attacker drained its v1 liquidity pool by manipulating GLP token values.
Soon after the exploit, the attacker left an on-chain message saying, “Ok, funds will be returned later,” which was flagged by blockchain security firm PeckShield.
Less than an hour later, the attacker began sending stolen crypto back to GMX, signaling they had accepted the white hat bounty offered by the team.
#PeckShieldAlert #GMX Exploiter msg: funds will be returned later pic.twitter.com/ohlOVYWSvD
— PeckShieldAlert (@PeckShieldAlert) July 11, 2025
The attacker, known as “GMX Exploiter 2,” began returning the stolen crypto and has since sent back over $9 million in Ether ETH $2 949 24h volatility: 6.5% Market cap: $356.59 B Vol. 24h: $39.25 B . PeckShield disclosed that the GMX team also received over $5.5 million in FRAX tokens from the attacker.
In another transaction, the attacker sent FRAX FRAX $1.00 24h volatility: 0.0% Market cap: $314.25 M Vol. 24h: $2.65 M tokens with $5 million to the GMX address. The attacker has sent about $20 million worth of cryptocurrencies.
#PeckShieldAlert #GMX Exploiter has returned 5.49M $FRAX to #GMX: Deployer pic.twitter.com/q4hi6DsAX1
— PeckShieldAlert (@PeckShieldAlert) July 11, 2025
What Happened After the Attack?
Shortly after the July 9 attack on GMX, the exchange announced on X that it was offering a $5 million bounty, which is roughly 12.5 percent of the stolen amount, if the attacker returned the funds.
GMX also said the incident would be treated as a white hat hack and the attacker could keep the bounty without facing any legal consequences.
The team also mentioned they were prepared to provide proof of source of funds if the attacker needed it to use the bounty. They gave the attacker a 48-hour window to return the funds before initiating legal proceedings.
The crypto exchange announced that the attacker could retain 10% of the stolen funds as a white hat bounty reward, provided that 90% of the crypto was returned to the designated addresses.
This type of exploit is common among platforms in the crypto space. Hackers often manipulate oracles or internal data to artificially deflate a token’s value, allowing them to drain assets by swapping at distorted prices.
A few weeks ago, Resupply.Fi was a victim to this, losing $9.6 million to the exploitation. The attacker distorted the value of crvUSD, collapsing its exchange rate against reUSD to zero. This manipulation made it possible to borrow assets nearly free of charge.
next