CrediX hacker agrees to return $4.5m after successful negotiations

The attacker behind the $4.5 million exploit on CrediX Finance has agreed to return the stolen funds following a settlement with the protocol.

In an update shared late Monday, CrediX revealed that it has successfully negotiated with the exploiter who drained $4.5 million from its protocol, and is now expecting the return of the stolen funds within 24 to 48 hours. 

The deal includes an undisclosed payout from CrediX’s treasury to the hacker in exchange for the safe return of assets, with no mention of legal action or additional terms.

“We have good news for our users. Reached successful parley with the exploiter who agreed to return the funds within the next 24-48 hours in return for money fully paid by the credix treasury,” the protocol wrote .

Once received, the funds will be used to reimburse affected users. CrediX said it will airdrop each user’s share of the returned assets, ensuring full recovery of losses from the hack.

How the CrediX hack happened

The attack on CrediX came less than a month after the protocol launched as a real-world asset lending platform, allowing borrowers to receive loans backed by off-chain income and collateral from DeFi lenders.

According to security firm SlowMist, the exploit began nearly a week prior to the attack, when hackers gained unauthorized access to the protocol’s multisig admin and bridge wallets.

With full control over key infrastructure, the attackers minted collateral tokens, borrowed against the protocol, and quickly drained its liquidity. The stolen funds were then bridged from Sonic to Ethereum.

The CrediX hack is the latest in a growing list of DeFi protocols hit by major exploits this year. In July alone, more than $153 million was lost to crypto hacks and scams, pushing total industry losses for 2025 so far above $3.1 billion.

Meanwhile, another recent victim, GMX, which was hacked for $42 million on July 9, also managed to recover stolen funds last month after offering its attacker a 10% bounty.

But even with these successful recoveries, the consistent trend of attacks points to a deeper problem. Despite being labeled as decentralized, many DeFi protocols still rely on centralized controls, such as admin keys, upgradable contracts, and emergency pause functions. These features are now common entry points for attackers, underscoring the need for stronger security and better defense mechanisms.

As of now, CrediX has not confirmed receipt of the funds, and it remains to be seen whether the attacker follows through on the agreement.