A digital heist ended in rare cooperation this week as the hacker behind CrediX’s $4.5 million exploit returned all stolen funds. The surprising turn of events followed private negotiations between the protocol and the perpetrator, marking an unusual resolution in the cutthroat world of DeFi hacks.
The attack, which occurred in early August 2025, wasn’t your typical smart contract vulnerability. Nope. This hacker played the long game. They somehow gained high-level admin rights days before executing their plan. Talk about patience.
Once in position, the attacker added themselves as a multisig admin and bridge controller. Pretty clever, honestly. They assigned themselves every important role imaginable: pool admin, risk admin, emergency admin. Then came the classic move—minting fake collateral tokens to borrow real assets. The stolen funds were quickly shuffled from the Sonic network to Ethereum and split across multiple wallets.
Security firms CertiK and Cyvers traced the entire operation. But tracking is one thing. Getting the money back? That’s the hard part. While blockchain forensics can follow stolen funds, actual recovery rarely succeeds without cooperation.
Except this time, cooperation is what CrediX got. The protocol initiated private talks with the hacker. No cops. No lawyers. Just negotiation. The thief agreed to return the full $4.5 million in exchange for an undisclosed payout from CrediX’s treasury. Cash for cooperation. Simple as that. The attack happened less than a month after launch, showing how quickly new protocols can become targets.
Within hours of the deal, affected users received airdrops restoring their funds. CrediX announced that all recovered assets would be refunded to affected users within 48 hours. Crisis averted.
This settlement is part of a growing trend in DeFi. With over $3.1 billion already stolen in 2025, protocols are increasingly willing to cut deals with hackers rather than pursue traditional remedies. GMX did it. Now CrediX. Who’s next?
The incident has sparked the usual debates about centralized admin controls. Security experts from Halborn and SlowMist are already using CrediX as a case study in what not to do.
For users, trust was shaken but quickly restored. No harm, no foul—this time. But the incident serves as yet another reminder: in DeFi, your security is only as good as your admin keys.
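The attack pattern described above leaves a gap of days between the role takeover and the mint, which is the window a monitor has to work with. The following is an added example, not code from CrediX or any firm named in the article: it flags one account collecting several privileged roles in a short window, then any direct mint and later borrow by a role holder. Only the role names come from the article; the event schema, addresses, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Role names follow the article; everything else here is constructed.
PRIVILEGED = {"MULTISIG_ADMIN", "BRIDGE", "POOL_ADMIN", "RISK_ADMIN", "EMERGENCY_ADMIN"}

# Constructed sample events: (hours since start, event type, account, detail).
EVENTS = [
    (0,   "RoleGranted", "0xOPS",  "RISK_ADMIN"),       # routine single grant
    (10,  "RoleGranted", "0xNEW",  "MULTISIG_ADMIN"),
    (10,  "RoleGranted", "0xNEW",  "BRIDGE"),
    (11,  "RoleGranted", "0xNEW",  "POOL_ADMIN"),
    (11,  "RoleGranted", "0xNEW",  "RISK_ADMIN"),
    (11,  "RoleGranted", "0xNEW",  "EMERGENCY_ADMIN"),
    (150, "Mint",        "0xNEW",  "collateral"),       # days after the grants
    (151, "Borrow",      "0xNEW",  "asset"),
    (152, "Mint",        "0xUSER", "collateral"),       # account with no roles
]

def audit(events, max_roles=2, window=24):
    """Return (hour, alert, account) tuples in event order.

    max_roles: distinct privileged roles one account may gain within
    `window` hours before ROLE_CONCENTRATION fires (assumed policy).
    """
    grants = defaultdict(list)    # account -> [(hour, role)] currently held
    concentrated = set()          # accounts already alerted for concentration
    privileged_minters = set()    # role holders seen minting directly
    alerts = []
    for hour, kind, account, detail in sorted(events, key=lambda e: e[0]):
        if kind == "RoleGranted" and detail in PRIVILEGED:
            grants[account].append((hour, detail))
            recent = {r for h, r in grants[account] if hour - h <= window}
            if len(recent) > max_roles and account not in concentrated:
                concentrated.add(account)
                alerts.append((hour, "ROLE_CONCENTRATION", account))
        elif kind == "RoleRevoked":
            grants[account] = [(h, r) for h, r in grants[account] if r != detail]
        elif kind == "Mint" and grants[account]:
            privileged_minters.add(account)
            alerts.append((hour, "PRIVILEGED_MINT", account))
        elif kind == "Borrow" and account in privileged_minters:
            alerts.append((hour, "BORROW_AFTER_PRIVILEGED_MINT", account))
    return alerts

if __name__ == "__main__":
    for alert in audit(EVENTS):
        print(alert)
```

On the sample data the first alert fires at hour 11 and the mint at hour 150, so the role alert is the one that leaves time to revoke access before funds move.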