The latest security breach on the decentralized crypto exchange GMX has resulted in the theft and laundering of over $40 million worth of digital assets.
The latest security breach on the decentralized crypto exchange GMX has resulted in the theft and laundering of over $40 million worth of digital assets.
The platform, which allows users to trade and speculate on various cryptocurrencies, was exploited early Wednesday, prompting an immediate suspension of trading services and a formal investigation into the incident.
The blockchain security firm PeckShield began tracking the exploiter’s activity shortly after the incident. According to its analysis, the attacker converted the stolen assets including WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT into 11,700 ETH, equivalent to approximately $32 million, on the Ethereum network.
The exploiter also retained $10.5 million in the FRAX stablecoin on the Arbitrum blockchain. Blockchain data shows that 4,308.80 ETH was initially transferred from a wallet labeled “GMX Exploiter 1” to a second address, also linked to the same actor. From there, the ETH was split and forwarded to four new wallets; three received 3,000 ETH each, and one received 2,699.95 ETH.
The use of these intermediary wallets shows a clear attempt to launder and obscure the path of the stolen funds. These actions came just hours after the original exploit and indicate a premeditated strategy for dispersing the assets.
GMX confirmed the exploit through a public statement and disclosed that it had previously undergone multiple security audits by well-known firms. Despite those efforts, more than $43 million in user funds were taken in the attack.
In a direct and unconventional move, the platform sent a message to the hacker via the Ethereum blockchain, offering 10% of the stolen funds as a bounty if the remaining 90% was returned within 48 hours. GMX also stated it would not pursue legal action if the funds were returned. This offer, which aligns with similar tactics used in previous DeFi exploits, holds no formal legal weight.
Critics on social media have raised concerns over the crypto industry’s response time in freezing the stolen funds.
The exploiter held nearly $30 million in USDC, a stablecoin managed by the company Circle, before further laundering the assets. No confirmations have yet emerged indicating whether blacklisting actions were taken by Circle during that critical window.
