Hacker returns cryptocurrency stolen from GMX exchange after $5 million bounty payment

The person behind a $42 million theft from decentralized exchange GMX has returned the stolen cryptocurrency in exchange for a $5 million bounty. 

After the theft came to light on Wednesday, GMX promised the hacker not to pursue litigation if the funds were returned.

“You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” the company said in a subsequent note on Thursday. 

“It’s likely already clear to you that the decision between accepting this bounty and keeping the exploited funds is the difference between being able to spend the funds freely versus taking additional risks to access them.” 

GMX claimed in that message that their users would be made whole through bug bounty funds in their treasury. 

In a message on the blockchain, the unidentified hacker wrote: “ok, funds will be returned later,” and on Friday GMX confirmed that the company had exchanged the bounty for the stolen funds. 

The person behind the theft began transferring the funds in $5 million chunks, according to several blockchain security companies, eventually transferring about $40.5 million worth of cryptocurrency to GMX accounts. The funds were split into 10,000 ETH, worth about $30 million, and $10.5 million worth of the FRAX coin.

GMX released an in-depth post-mortem explaining the vulnerability that was used to steal the money, noting that the bug has been resolved in recent updates to the platform.

The platform allows users to purchase and speculate on many different cryptocurrencies. It was launched in 2021 and now claims to have 714,000 users and a total trading volume of $305 billion. 

Despite the bounty agreement, the hacker behind the incident could still face legal liability if identified. Last year, a man behind a $110 million theft from defunct crypto platform Mango Markets was convicted in federal court despite having negotiated with the platform to return the funds. 

The hacker, Avraham Eisenberg, eventually refunded $67 million in exchange for an agreement that Mango Markets would not go to the police. Nonetheless, Eisenberg was still pursued by federal law enforcement and was eventually convicted of commodities fraud, commodities market manipulation, and wire fraud.

A judge is still mulling a potential retrial on the charges related to Mango Markets but Eisenberg was sentenced in May to 52 months in prison for a separate charge of possession of child sexual abuse material.