Jump Crypto Just Counter-Exploited the Wormhole Hacker for $140 Million

The Chicago trading firm appears to have recovered the 120,000 ether stolen during the 2022 Wormhole exploit


In what appears to be the result of a coordinated effort between Jump Crypto and Oasis, the exploiter behind the infamous Wormhole attack of February 2022… has become the exploited.

Just over a year ago, the Wormhole bridge was attacked in one of the largest crypto loss events of 2022. Altogether, around 120,000 ETH was stolen — $325 million at the time.

Those funds were replaced by Jump Crypto, the Chicago-based crypto arm of Jump Trading, which was involved in the development of the Wormhole protocol. Jump’s motive was “to make community members whole and support Wormhole now as it continues to develop” according to a tweet issued by the company at the time.

Wormhole offered a $10 million bug bounty and white hat agreement to the hackers in exchange for returning the funds. It appears that never happened.

Dave Olsen, Jump Trading Group’s president and CIO, told Bloomberg a month later that “We’re working in very close consultation with government resources, with private resources. There is a lot of firepower that is expert at tracking down criminals like this. And we are in this fight permanently. So this is not something that we will become distracted by next month or next year — this is a permanent condition.”

According to a blockchain-based analysis by Blockworks Research, Jump finally won that fight. And it appears that as of three days ago, those funds have now been recovered.

Jump Crypto declined to comment on the findings, and Oasis did not reply to a request for comment.

However, Oasis released a statement following publication of this article, noting that:

“On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party.

We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets.”

Blockworks Research analyst Dan Smith detailed the process:


“The transaction history suggests that Jump Crypto and Oasis worked together to counter exploit an upgradable Oasis contract, securing the stolen funds from the original Wormhole Exploiter’s vaults. 

The Exploiter has continuously moved the stolen funds through various Ethereum applications. They recently opened two Oasis vaults, creating a levered long position on two ETH staking derivatives. Importantly, both vaults used the automation services offered by Oasis. 

Several wallets were involved in the counter exploit. Each address is defined and given an alias that is used throughout the analysis. 

  • Oasis Multisig: A 4 of 12 multisig that owns the Oasis proxy contracts. 
  • Holder: Currently holds the recovered funds and appears to be owned by Jump. 
  • Sender: Responsible for executing the counter exploit and appears to be owned by Jump.

The process began on February 21 when the Sender was added as a signer to the Oasis Multisig. The Sender executed five transactions to facilitate the counter exploit and was subsequently removed as a signer from the Oasis Multisig.

The bulk of the recovery process was executed in the Sender’s third transaction to the Oasis Multisig. To quickly summarize this transaction, the Sender tricked the Oasis contracts into allowing it to move the collateral and debt from the Exploiter’s vaults into the Sender’s own vaults.

After taking control of the Exploiter’s vaults, a wallet tagged Jump Crypto by several analytics firms sent 80M DAI to the Sender. This DAI was used to repay the open loans on the vault and withdraw the $218M of collateral. The recovered collateral was then sent to the Holder, where the funds currently reside.

It is currently unknown if the Sender and Holder are owned by Oasis or Jump. However, the base case hypothesis is that Jump has control of these addresses, given Jump paid down the debt to withdraw the collateral. Neither Jump nor Oasis have confirmed this. 

Thus, it appears Jump successfully counter-attacked the Wormhole Exploiter and retrieved the ETH that was stolen from it one year ago. After considering the DAI repayment to retrieve the collateral, the net return from the counter exploit was around $140M.”

See the full analysis at Blockworks Research
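
The sequence the analysis describes (a signer added to the multisig that owns upgradable contracts, a handful of executions, then removal) is visible on-chain, so users of such contracts can watch for it. The following is an added example, not code from Blockworks Research, Jump or Oasis, that flags this pattern in a constructed event list; the event kinds, field names, addresses and the simplification that each execution is attributed to one signer are all assumptions.

```python
"""Flag multisig signers that are added, execute transactions, and are removed soon after."""

# Constructed sample events, not real chain data. Event kinds, field names,
# targets and addresses are hypothetical placeholders.
SAMPLE_EVENTS = [
    {"ts": 100, "kind": "executed", "signer": "0xLONGTIME", "target": "treasury"},
    {"ts": 200, "kind": "signer_added", "signer": "0xTEMP"},
    {"ts": 210, "kind": "executed", "signer": "0xTEMP", "target": "proxy_admin"},
    {"ts": 220, "kind": "executed", "signer": "0xTEMP", "target": "proxy_admin"},
    {"ts": 230, "kind": "executed", "signer": "0xLONGTIME", "target": "treasury"},
    {"ts": 300, "kind": "signer_removed", "signer": "0xTEMP"},
    {"ts": 400, "kind": "signer_added", "signer": "0xNEW"},
    {"ts": 900000, "kind": "signer_removed", "signer": "0xLONGTIME"},
]


def transient_signers(events, max_lifetime):
    """Return one finding per signer whose add-to-remove lifetime is <= max_lifetime."""
    added_at = {}   # signer -> timestamp of the most recent add seen in the feed
    activity = {}   # signer -> targets executed against since that add
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        signer = ev["signer"]
        if ev["kind"] == "signer_added":
            added_at[signer] = ev["ts"]
            activity[signer] = []
        elif ev["kind"] == "executed" and signer in added_at:
            activity[signer].append(ev["target"])
        elif ev["kind"] == "signer_removed" and signer in added_at:
            # Signers whose add predates the feed are skipped: lifetime unknown.
            lifetime = ev["ts"] - added_at.pop(signer)
            targets = activity.pop(signer)
            if lifetime <= max_lifetime:
                findings.append({
                    "signer": signer,
                    "lifetime": lifetime,
                    "executions": len(targets),
                    "touched_upgrade_admin": "proxy_admin" in targets,
                })
    return findings


if __name__ == "__main__":
    for finding in transient_signers(SAMPLE_EVENTS, max_lifetime=3600):
        print(finding)
```
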


Cross-chain bridge hacks have accounted for many of the largest thefts in the crypto industry, and include the Ronin hack that resulted in the loss of $540 million, later attributed to the North Korean Lazarus state hacking group.

But permissionless blockchains, being transparent and open to the public, are proving to be exceptional tools for those fighting financial crime.

The ethics, and perhaps even the legality, of exploiting the exploiter may be debated in the coming days. But for now, it seems Jump Crypto is about $140 million better off than it was last week.

And one hacker may be ruing the missed opportunity to secure $10 million and a Get Out of Jail Free card.

Updated on Feb 24 2023 at 5:04pm ET: Added statement from Oasis.
