Hacker laundered $32M in ETH and held $10.5M in FRAX after exploiting GMX. GMX offered a 10% bounty for the return of stolen funds within 48 hours. Attacker briefly held $30M in USDC before laundering through new wallets.

A cyberattack on the decentralized exchange GMX has resulted in the theft and laundering of more than $40 million in user assets. The breach occurred early Wednesday, forcing the platform to halt trading operations as internal and external investigators worked to trace the source and scope of the exploit.

Blockchain security firm PeckShield confirmed that the exploiter quickly converted the stolen tokens into Ether. On the Ethereum network, assets including WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT were exchanged for 11,700 ETH, worth roughly $32 million. An additional $10.5 million in FRAX stablecoin remains held on Arbitrum.

#PeckShieldAlert #GMX Exploiter has swapped stolen funds (WBTC/WETH/UNI/FRAX/LINK/USDC/USDT) for 11.7K $ETH (~$32M) on #Ethereum & retained 10.5M $FRAX on #Arbitrum pic.twitter.com/Us664AEdsK

PeckShield tracked the movement of 4,308.80 ETH from a wallet labeled “GMX Exploiter 1” to a second address, also linked to the attacker. That wallet then distributed the funds to four newly generated intermediary wallets. Three of these received exactly 3,000 ETH each, while the fourth received 2,699.95 ETH. These addresses had no prior transaction history and are suspected of being used to obfuscate the laundering path.

GMX confirmed the incident on social media and stated that trading had been suspended while a full investigation was being conducted. The company also noted that its platform had undergone multiple security audits by independent firms before the exploit.

In an on-chain message addressed to the hacker, GMX proposed a 10% bounty, equivalent to over $4 million, in exchange for the return of the remaining funds within 48 hours. The company said it would not pursue legal action if the offer was accepted.

The exploiter briefly held close to $30 million in USDC, the stablecoin issued by Circle, before moving those funds through additional transactions. Some community members criticized the delay in freezing addresses connected to the exploit, pointing to the centralized control Circle maintains over USDC as a potential opportunity to block illicit flows.

GMX, launched in 2021, has reported over 714,000 users and a cumulative trading volume of $305 billion. This incident marks one of the largest individual thefts targeting a decentralized platform in 2025. Trading remains suspended as investigators continue to examine the attacker’s methods and movement of funds.

292 +