In an unexpected development, the hacker responsible for the recent $40 million exploit on decentralized trading platform GMX has started returning the stolen funds, according to a report by Chain Retrieval. The move has caught the crypto community off guard, with many speculating about the hacker’s motives or a possible behind-the-scenes deal.
The GMX exploit, which occurred last month, involved a sophisticated manipulation of price feeds and leveraged trading positions. The attacker used on-chain strategies to drain funds from the platform’s liquidity pools—sparking panic among users and a temporary halt in certain trading pairs.
Now, in what appears to be a surprising turnaround, the exploiter has begun sending back portions of the stolen assets. Blockchain data confirms that several transactions have been made from wallets linked to the hack, transferring funds back to GMX’s designated recovery address.
Chain Retrieval, which has been tracking the funds since day one, verified that approximately $12 million has already been returned, with more expected in the coming days. The reason for this voluntary return remains unclear.
White-Hat Move or Negotiated Settlement?
Some in the Web3 community believe this could be a white-hat hacker move—where an ethical hacker exposes vulnerabilities but returns funds to demonstrate the flaw without causing lasting harm. Others speculate that the hacker may have been offered a bounty or legal immunity in exchange for returning the assets.
While GMX has not made any official statement about a deal, core contributors have hinted at “ongoing discussions” with the individual behind the attack. Such negotiations are not unusual in the DeFi space, where platforms often prefer fund recovery over pursuing legal battles that can stretch across borders and years.
The event has reignited debates about decentralized platform security and the legal gray areas surrounding on-chain exploits. Although DeFi platforms promise transparency and open access, they also leave protocols exposed to sophisticated attacks that traditional financial systems are often better equipped to prevent.
Community members are now pushing for audit enhancements, improved price oracles, and stricter limits on high-leverage trades—especially as more retail investors begin to enter DeFi.
If the hacker continues returning the funds, GMX may emerge from this stronger, having learned from a near-catastrophic event. But it’s also a clear reminder: DeFi is powerful, but not without risk.