Money market infrastructure protocol CrediX has successfully recovered $4.5 million worth of stolen crypto following a sophisticated exploit earlier this week. The recovery comes after the protocol negotiated a private settlement with the unidentified attacker, who agreed to return the assets in exchange for an undisclosed payment from the CrediX treasury.
🚨 The Q2 + H1 2025 Hack3d Report is here.
$2.47B lost in the first half of the year.
$801M lost in Q2 alone.
Phishing and wallet compromise dominated the threat landscape. Dive into the data👇🧵
— CertiK (@CertiK) June 30, 2025
The funds are set to be airdropped back to affected users within 48 hours, the team announced in a statement posted on X (formerly Twitter). Blockchain security firm Cyvers had earlier identified that the exploit involved funds bridged to the Ethereum network using a wallet funded through Tornado Cash, a known tool for obscuring on-chain transaction trails.
“Reached successful parley with the exploiter who agreed to return the funds within the next 24–48 hours in return for money fully paid by the CrediX treasury,” the official post read.
Tornado Cash and Private Negotiation
The breach, which occurred on Monday, prompted swift analysis from Cyvers and other security firms. The attacker used a Tornado Cash-funded wallet to bridge the stolen digital assets onto Ethereum, making the assets harder to trace. Tornado Cash, a decentralised privacy protocol, has been under increased regulatory scrutiny due to its use in laundering illicit crypto.

The attacker’s identity remains unknown, but CrediX’s private negotiation appears to have succeeded in persuading them to return the assets. The settlement amount paid by CrediX to the exploiter has not been publicly disclosed, raising questions about whether this incident qualifies as a “white hat bounty” or a forced compromise.
Cointelegraph has reached out to the CrediX team for further details about the nature of the agreement, but no official comment has been issued at the time of writing.
Growing Trend: Hackers Opt for Settlements
CrediX is not alone in pursuing private negotiations with attackers. The year 2025 has seen a noticeable rise in cryptocurrency hacks, but also in exploiters voluntarily returning funds in exchange for negotiated rewards.
In July 2025, the exploiter behind the $40 million GMX hack agreed to return the stolen funds after receiving a $5 million white hat bounty. Similarly, in May 2024, another thief returned $71 million from a wallet poisoning scam, apparently spurred by mounting pressure from investigators and firms like SlowMist, which had traced the attacker’s possible IP address to Hong Kong.
These incidents reflect a new dynamic in the Web3 security landscape, where protocols are increasingly open to negotiation and compromise rather than pursuing legal or enforcement channels, often due to the pseudonymous nature of blockchain attackers.
$2.5 Billion in Losses Highlights Security Crisis
According to blockchain security firm CertiK, crypto hacks, scams, and exploits have topped $2.47 billion in losses in 2025 alone, with Q2 accounting for over $800 million across 144 reported incidents. While that marks a 52% drop from Q1, the scale of damage remains alarming.
The reputational and financial costs are immense. A separate report from Immunefi estimates that nearly 80% of cryptocurrencies never recover in value post-hack, often suffering long-term price suppression and loss of user confidence, even after funds are restored.
It’s not just DeFi platforms that are in the crosshairs. On July 5, traditional finance infrastructure was also targeted when C&M Software, which connects Brazil’s Central Bank to domestic financial institutions, was hacked for $140 million. Local media reports indicate that a C&M employee sold access credentials for just $2,700, allowing the attackers to access six financial institutions’ reserve accounts.
What This Means for Users and Web3 Security
While the return of funds in the CrediX case is good news for affected users, the broader implications are more complex. Settlements with exploiters blur the line between enforcement and reward, potentially encouraging future attackers to use similar tactics.
The incident underlines the urgent need for robust security, smarter contracts, and better incentive structures in the Web3 space. As exploiters become more sophisticated and recovery negotiations more common, decentralised protocols are facing a new reality, one where legal tools are often powerless and on-chain diplomacy becomes the new norm.