Jump Crypto Just Counter-Exploited the Wormhole Hacker for $140 Million

The Chicago trading firm appears to have recovered the 120,000 ether stolen during the 2022 Wormhole exploit


Gotgo2/Shutterstock modified by Blockworks


In what appears to be the result of a coordinated effort between Jump Crypto and Oasis, the exploiter behind the infamous Wormhole attack of February 2022… has become the exploited.

Just over a year ago, the Wormhole bridge was attacked in one of the largest crypto loss events of 2022. Altogether, around 120,000 ETH was stolen — $325 million at the time.

Those funds were replaced by Jump Crypto, the Chicago-based crypto arm of Jump Trading, which was involved in the development of the Wormhole protocol. Jump’s motive was “to make community members whole and support Wormhole now as it continues to develop” according to a tweet issued by the company at the time.

Wormhole offered a $10 million bug bounty and white hat agreement to the hackers in exchange for returning the funds. It appears that never happened.

Dave Olsen, Jump Trading Group’s president and CIO, told Bloomberg a month later that “We’re working in very close consultation with government resources, with private resources. There is a lot of firepower that is expert at tracking down criminals like this. And we are in this fight permanently. So this is not something that we will become distracted by next month or next year — this is a permanent condition.”

According to a blockchain-based analysis by Blockworks Research, Jump finally won that fight. And it appears that as of three days ago, those funds have now been recovered.

Jump Crypto declined to comment on the findings, and Oasis did not reply to a request for comment.

However, Oasis released a statement following publication of this article, noting that:

“On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party.

We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets.”

Blockworks Research analyst Dan Smith detailed the process:

“The transaction history suggests that Jump Crypto and Oasis worked together to counter exploit an upgradable Oasis contract, securing the stolen funds from the original Wormhole Exploiter’s vaults. 

The Exploiter has continuously moved the stolen funds through various Ethereum applications. They recently opened two Oasis vaults, creating a levered long position on two ETH staking derivatives. Importantly, both vaults used the automation services offered by Oasis. 

Several wallets were involved in the counter exploit. Each address is defined and given an alias that is used throughout the analysis. 

  • Oasis Multisig: A 4 of 12 multisig that owns the Oasis proxy contracts. 
  • Holder: Currently holds the recovered funds and appears to be owned by Jump. 
  • Sender: Responsible for executing the counter exploit and appears to be owned by Jump.

The process began on February 21 when the Sender was added as a signer to the Oasis Multisig. The Sender executed five transactions to facilitate the counter exploit and was subsequently removed as a signer from the Oasis Multisig

The bulk of the recovery process was executed in the Sender’s third transaction to the Oasis Multisig. To quickly summarize this transaction, the Sender tricked the Oasis contracts into allowing it to move the collateral and debt from the Exploiter’s vaults into the Sender’s own vaults.

After taking control of the Exploiter’s vaults, a wallet tagged Jump Crypto by several analytics firms sent 80M DAI to the Sender. This DAI was used to repay the open loans on the vault and withdraw the $218M of collateral. The recovered collateral was then sent to the Holder, where the funds currently reside.

It is currently unknown if the Sender and Holder are owned by Oasis or Jump. However, the base case hypothesis is that Jump has control of these addresses, given Jump paid down the debt to withdraw the collateral. Neither Jump nor Oasis have confirmed this. 

Thus, it appears Jump successfully counter-attacked the Wormhole Exploiter and retrieved the ETH that was stolen from it one year ago. After considering the DAI repayment to retrieve the collateral, the net return from the counter exploit was around $140M.”

See the full analysis at Blockworks Research

Cross-chain bridge hacks have accounted for many of the largest thefts in the crypto industry, and include the Ronin hack that resulted in the loss of $540 million, later attributed to the North Korean Lazarus state hacking group.

But permissionless blockchains, being transparent and open to the public, are proving to be exceptional tools for those fighting financial crime.

The ethics, and perhaps even the legality, of exploiting the exploiter may be debated in the coming days. But for now, it seems Jump Crypto is about $140 million better off than it was last week.

And one hacker may be ruing the missed opportunity to secure $10 million and a Get Out of Jail Free card.

Updated on Feb 24 2023 at 5:04pm ET: Added statement from Oasis.


Upcoming Events

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

MON - WED, MARCH 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience:  Attend expert-led panel discussions and fireside chats  Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts   Grow your network […]

recent research

Pyth Cover.jpg


Pyth is a low latency pull-based oracle. In a future that looks increasingly high frequency, with various alt L1s and L2s that have significantly shorter block times than Ethereum, and an explosion of “high-frequency” protocols such as oracle or CLOB perp DEXs, Pyth’s low latency oracle product looks much better positioned to capture a significant amount of market share in comparison to competitors.


The Binance executive is also reportedly set to make an appearance in a Seattle courtroom Tuesday


Monday developments reaffirmed the US as unfriendly to crypto while also offering a potential bullish outlook for segment firms, industry watchers say


It’s unclear what “actions” the CFTC, DOJ and Treasury will announce Tuesday afternoon


Some 18,000 accounts have already sent $27 million in crypto to a one-way bridge controlled by a Blast multisig


Telegram bots have seen a cumulative trading volume of over $4 billion


Avalanche has been inundated with transactions for inscriptions, similar to the Ordinals that already hit Bitcoin, Litecoin and Dogecoin