πŸ’° Read News and Earn $USDT Β· Cryptews β€” Read to Earn Platform Get Started

TrustedVolumes attacker returns 1,122 ETH, keeps $2M in bounty deal

1 hour ago 1049

A negotiated settlement has once again outpaced a long asset recovery process as one of the attackers of TrustedVolumes, a liquidity resolver linked to 1inch Fusion, has returned 1,122.12 ETH in an Ethereum transfer, more than two months after the incident. The hacker has allegedly retained a similar amount as part of a negotiated bug bounty agreement, as reported by Defimon Alerts.

When the deal was made, Ether’s price was roughly estimated at $1,843, thus making the total value of the recovery approximately $2.07 million and clarifying why this event is usually called the β€œ$2 million recovery.”

The importance of the deal is not defined by how large it is, but by the fact that it reflects the increasing tendency in decentralized finance. Increasingly, organizations are turning to negotiating with their attackers as opposed to relying only on law enforcement or lengthy court cases. While this approach may provide quicker results, it raises the fear that extortionists will begin to view bug bounty negotiations as a way to avoid being caught rather than as an exception.

Both parties posted a message on-chain confirming the settlement.

β€œWe have finalized the negotiations with the original exploiter,” the message said

More than 2 months after $5.8M @trustedvolumes exploit one of the attackers returned 1,122 ETH ($2M):https://t.co/N2nZ3xSVPn https://t.co/auPXtWRLT1

β€” Defimon Alerts (@DefimonAlerts) July 17, 2026

Moreover, the exploiter β€œreturned the funds and received their bug bounty,” the message added, encouraging any remaining attackers to write to tvbugbounty@proton.me. TrustedVolumes hinted at this approach right after the exploit, saying that the company was willing to have β€œconstructive communication regarding a bug bounty and a mutually acceptable resolution.”

What was taken in May

TrustedVolumes worked as a resolver in the 1inch Fusion environment, allowing for the operation of a Request-For-Quote (RFQ) market, which provided liquidity for token exchanges when needed. On 7 May, an attack took place whereby the resolver was exploited and approximately $5.87 million worth of digital assets were withdrawn in a single Ethereum transaction. Later data by the protocol suggested that the damage after accounting for asset values and related losses could reach about $6.7 million.

According to the analysis of Blockaid, in total $5.87 million was lost, which included 1,291 WETH, 1.26 million USDC, 206,282 USDT, and 16.93 WBTC. The compromised resolver contract was determined to be 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31, while the attack was connected to a bespoke RFQ proxy contract launched at 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756. The main attacker wallet 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100, however, was classified as a TrustedVolumes exploit address by Etherscan.

Cybersecurity researchers found that methods that were used in this attack were very similar to those used in the hack from March 2025 involving the 1inch Fusion V1 system.

Investigators determined that the hack happened due to an access-control vulnerability rather than the theft of private keys or some previously unknown exploit. Halborn discovered that due to a public function, any individual could register as an authorized order signer. The attackers then approved unauthorized orders transferring money that had already been approved for the proxy contract. Blockaid was able to identify the exploit while it happened and noted that neither 1inch’s infrastructure nor user funds were affected.

Why the incentives cut both ways

The settlement showcases the challenges the DeFi industry faces. It is often more desirable to negotiate and reclaim stolen funds rather than face the possibility of losing everything at the end of long and unpredictable investigations. However, these settlements can create a financial rationale that leads criminals to believe that they can steal money and then negotiate for a large payoff afterward.

Calculating the theft is becoming increasingly complex as the forensics in blockchain keep getting better. TRM Labs found that cryptocurrency scams robbed people of $2.87 billion in 2025 through approximately 150 incidents, but at the same time, investigators have been rather successful in tracing the stolen crypto and following the laundering routes. For instance, in the TrustedVolumes case, Blockaid, CertiK, and SlowMist were able to monitor the theft as soon as it happened and to track how the hacker converted the stolen goods into ETH, which helped make the criminals feel more uneasy before the deal was cut.

Only part of the case was settled through the deal. One attacker returned 1,122.12 ETH or approximately $2.07 million at the moment of the transaction; however, held a similar amount as stated in the proposed bug bounty. Recovery of the rest of the stolen funds may come from either reaching a settlement in the future or laundering the stolen money and will be an excellent gauge of how future hacks’ offenders weigh their chances of being traced by blockchain security against the possibility of negotiating their way out.

The smartest crypto minds already read our newsletter. Want in? Join them.

Read Entire Article
πŸ’¬ Comments
Loading…

Log in to leave a comment.