The hacker behind the $4.5 million CrediX DeFi protocol exploit agreed to return stolen funds within 24 to 48 hours following successful negotiations with the protocol team.
CrediX announced the agreement on social media, stating that the exploiter will receive compensation “fully paid by the CrediX treasury”, while affected users receive airdrops of their asset shares.
Multisig Wallet Compromise Exposes Bridge Role Vulnerabilities
The resolution follows a six-day compromise where attackers gained administrative control of CrediX’s multisig wallet and abused bridge privileges to mint unbacked collateral tokens on the Sonic network.
The hacker used Tornado Cash-funded addresses to exploit BRIDGE role permissions, directly minting acUSDC tokens before borrowing against worthless collateral to drain approximately $2.64 million from lending pools.
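The failure described above is that a legitimately held BRIDGE role could mint tokens with nothing escrowed behind them. An off-chain reconciliation of destination-chain mint events against source-chain lock events catches exactly that, whoever holds the role. This is an added illustration, not CrediX's code or any real bridge's; the event shapes, nonces, addresses and amounts are constructed.

```python
# Added example (not CrediX code): reconcile bridge mint events on the
# destination chain against lock/deposit events on the source chain, so a
# mint issued by a validly held BRIDGE role with no backing deposit is
# flagged. All addresses, nonces and amounts are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class LockEvent:          # emitted on the source chain when funds are escrowed
    nonce: int
    amount: int           # token base units


@dataclass(frozen=True)
class MintEvent:          # emitted on the destination chain by the bridge minter
    nonce: int
    amount: int
    minter: str


def find_unbacked_mints(locks, mints):
    """Return (suspicious_mints, minted_total, locked_total).

    A mint is suspicious when its nonce has no matching lock, its amount
    exceeds the matched lock, or the nonce was already consumed (replay).
    """
    locked_by_nonce = {e.nonce: e.amount for e in locks}
    seen = set()
    suspicious = []
    for m in mints:
        backing = locked_by_nonce.get(m.nonce)
        if backing is None or m.amount > backing or m.nonce in seen:
            suspicious.append(m)
        seen.add(m.nonce)
    return suspicious, sum(m.amount for m in mints), sum(e.amount for e in locks)


def supply_invariant_holds(locks, mints):
    """Core bridge invariant: total minted must never exceed total locked."""
    _, minted, locked = find_unbacked_mints(locks, mints)
    return minted <= locked


# Constructed sample: two honest transfers plus one mint with no lock behind it
# (the "collateral out of thin air" pattern); the relayer addresses are fake.
SAMPLE_LOCKS = [LockEvent(1, 100_000), LockEvent(2, 250_000)]
SAMPLE_MINTS = [
    MintEvent(1, 100_000, "0xRELAYER"),
    MintEvent(2, 250_000, "0xRELAYER"),
    MintEvent(99, 2_640_000, "0xROLEHOLDER"),   # no lock with nonce 99
]

if __name__ == "__main__":
    bad, minted, locked = find_unbacked_mints(SAMPLE_LOCKS, SAMPLE_MINTS)
    print(f"minted={minted} locked={locked} unbacked={[m.nonce for m in bad]}")
```

Wiring this check to a pause or alert is what turns a role-based mint into a bounded one; role checks alone are satisfied the moment the multisig is taken over.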
CrediX has joined a growing list of 2025 DeFi protocols that successfully negotiated fund returns with exploiters, including GMX’s massive $40.5 million recovery.
The trend contrasts sharply with 2025’s devastating security record, showing $2.29 billion in net losses across 344 incidents during the first half.
Security experts note that most hackers realize that keeping stolen cryptocurrency creates more problems than benefits due to enhanced blockchain forensics and legal risks.
However, speaking with Cryptonews, Immunefi CEO Mitchell Amador warned that “relying on a hacker’s change of heart is not a viable strategy for protocol security,” while noting that nearly 80% of hacked projects never fully recover their value after exploits.
White-Hat Negotiations Emerge as Recovery Strategy Amid Rising Exploits
The CrediX recovery continues a pattern of successful negotiations between DeFi protocols and exploiters seeking legal amnesty in exchange for fund returns.
GMX protocol recovered $40.5 million in July after offering a $5 million bounty to the attacker who exploited re-entrancy vulnerabilities to manipulate token pricing through flash loans.
Similarly, ZKsync Association recovered $5 million in April when a hacker exploited the airdrop distribution contract’s sweepUnclaimed() function to mint 111 million unclaimed tokens.
The attacker accepted a 10% bounty and returned 90% of the stolen assets within a designated 72-hour safe harbor window.
KiloEx also achieved complete fund recovery in April after issuing an ultimatum to attackers who exploited price oracle vulnerabilities to manipulate ETH/USD feeds.
The protocol offered 90% return terms with a 10% white-hat bounty while threatening legal pursuit and exchange collaboration to freeze associated addresses.
These successful negotiations contrast with major 2025 losses, including Bybit’s $1.5 billion theft, Cetus Protocol’s initial $225 million drain, and the ongoing $234 million WazirX legal proceedings.
Regarding the Cetus case, Sui validators intervened, freezing and redistributing $162 million through blockchain governance rather than hacker cooperation.
CertiK data reveals that crypto investors lost $2.47 billion across 344 incidents in 2025’s first half, with wallet-related breaches accounting for $1.7 billion across just 34 attacks.
Source: Certik Report
Phishing scams contributed $410 million in losses through 132 separate incidents, while smart contract vulnerabilities caused $229 million in losses in May alone.
Security Expert Warns Against Reactive Measures as Prevention Remains Key
Mitchell Amador of Immunefi emphasized that successful fund recoveries represent exceptions rather than standard outcomes, noting that most exploited projects suffer permanent devaluation beyond initial losses.
He criticized reactive security measures like post-hack bug bounties.
“Prevention always beats negotiation. Whereas reactive measures like launching a bug bounty only after a hack exacerbate the problem.”
He added, “That not only signals weakness or lack of preparedness but also potentially creates a ‘race to the bottom’ where underincentivized researchers might further exploit rather than report.”
Amador advocated for unified security stacks integrating AI-powered agents for constant vulnerability scanning and immediate threat detection rather than human-dependent monitoring systems.
He warned that inadequate bug bounty rewards and slow response programs discourage legitimate security researchers while potentially turning warnings into actual attacks.
Additionally, July hack losses jumped 27.2% to $142 million across seventeen major incidents, reversing June’s temporary decline.
Major exploits included CoinDCX’s $44.2 million insider breach and various DeFi protocol vulnerabilities affecting BigONE, WOO X, and Future Protocol platforms.
Recovery efforts returned $187 million through law enforcement action, white-hat agreements, and exchange cooperation during the first half of 2025.
However, net losses still totaled approximately $2.29 billion, with average incident losses reaching $7.1 million despite partial recovery successes.
The post CrediX Hacker Returns $4.5M After 6-Day Heist – Is DeFi Negotiation the New Normal? appeared first on Cryptonews.