Jump Crypto Just Counter-Exploited the Wormhole Hacker for $140 Million

The Chicago trading firm appears to have recovered the 120,000 ether stolen during the 2022 Wormhole exploit




In what appears to be the result of a coordinated effort between Jump Crypto and Oasis, the exploiter behind the infamous Wormhole attack of February 2022… has become the exploited.

Just over a year ago, the Wormhole bridge was attacked in one of the largest crypto loss events of 2022. Altogether, around 120,000 ETH was stolen — $325 million at the time.

Those funds were replaced by Jump Crypto, the Chicago-based crypto arm of Jump Trading, which was involved in the development of the Wormhole protocol. Jump’s motive was “to make community members whole and support Wormhole now as it continues to develop” according to a tweet issued by the company at the time.

Wormhole offered a $10 million bug bounty and white hat agreement to the hackers in exchange for returning the funds. It appears that never happened.

Dave Olsen, Jump Trading Group’s president and CIO, told Bloomberg a month later that “We’re working in very close consultation with government resources, with private resources. There is a lot of firepower that is expert at tracking down criminals like this. And we are in this fight permanently. So this is not something that we will become distracted by next month or next year — this is a permanent condition.”

According to a blockchain-based analysis by Blockworks Research, Jump finally won that fight. And it appears that as of three days ago, those funds have now been recovered.

Jump Crypto declined to comment on the findings, and Oasis did not reply to a request for comment.

However, Oasis released a statement following publication of this article, noting that:

“On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party.

We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets.”

Blockworks Research analyst Dan Smith detailed the process:

“The transaction history suggests that Jump Crypto and Oasis worked together to counter exploit an upgradable Oasis contract, securing the stolen funds from the original Wormhole Exploiter’s vaults. 

The Exploiter has continuously moved the stolen funds through various Ethereum applications. They recently opened two Oasis vaults, creating a levered long position on two ETH staking derivatives. Importantly, both vaults used the automation services offered by Oasis. 

Several wallets were involved in the counter exploit. Each address is defined and given an alias that is used throughout the analysis. 

  • Oasis Multisig: A 4 of 12 multisig that owns the Oasis proxy contracts. 
  • Holder: Currently holds the recovered funds and appears to be owned by Jump. 
  • Sender: Responsible for executing the counter exploit and appears to be owned by Jump.

The process began on February 21 when the Sender was added as a signer to the Oasis Multisig. The Sender executed five transactions to facilitate the counter exploit and was subsequently removed as a signer from the Oasis Multisig.

The bulk of the recovery process was executed in the Sender’s third transaction to the Oasis Multisig. To quickly summarize this transaction, the Sender tricked the Oasis contracts into allowing it to move the collateral and debt from the Exploiter’s vaults into the Sender’s own vaults.

After taking control of the Exploiter’s vaults, a wallet tagged Jump Crypto by several analytics firms sent 80M DAI to the Sender. This DAI was used to repay the open loans on the vault and withdraw the $218M of collateral. The recovered collateral was then sent to the Holder, where the funds currently reside.

It is currently unknown if the Sender and Holder are owned by Oasis or Jump. However, the base case hypothesis is that Jump has control of these addresses, given Jump paid down the debt to withdraw the collateral. Neither Jump nor Oasis have confirmed this. 

Thus, it appears Jump successfully counter-attacked the Wormhole Exploiter and retrieved the ETH that was stolen from it one year ago. After considering the DAI repayment to retrieve the collateral, the net return from the counter exploit was around $140M.”

See the full analysis at Blockworks Research

Cross-chain bridge hacks have accounted for many of the largest thefts in the crypto industry, and include the Ronin hack that resulted in the loss of $540 million, later attributed to the North Korean Lazarus state hacking group.

But permissionless blockchains, being transparent and open to the public, are proving to be exceptional tools for those fighting financial crime.

The ethics, and perhaps even the legality, of exploiting the exploiter may be debated in the coming days. But for now, it seems Jump Crypto is about $140 million better off than it was last week.

And one hacker may be ruing the missed opportunity to secure $10 million and a Get Out of Jail Free card.

Updated on Feb 24 2023 at 5:04pm ET: Added statement from Oasis.

