TrustedVolumes Hacker Returns 1,122 ETH in Partial Repayment of May’s $5.8M DeFi Exploit
The attacker behind May's $5.87M TrustedVolumes DeFi exploit sent back 1,122.12 ETH (~$2.07M) on July 17 — roughly 35% of stolen funds — with no official statement from the protocol.
The hacker who drained roughly $5.87 million from TrustedVolumes in May has sent 1,122.12 EETH$1,857.17▲1.02% — about $2.07 million — back to a wallet controlled by the protocol, marking the first partial repayment from one of this year’s larger DeFi exploits and raising urgent questions about what motivated the return.
On July 17, one of the exploiter’s wallets transferred the funds to a TrustedVolumes-controlled address. That detail comes from a post on X by @Tokensfund that was surfaced on Reddit’s r/CryptoCurrency. Both are unverified social sources, and neither TrustedVolumes nor 1inch has issued any official statement.
The returned amount represents roughly 35% of the lower-bound estimate of the original theft. ETH was trading at $1,845 — up 0.67% over 24 hours — at the time of the transfer, putting 1,122.12 ETH at approximately $2.07 million, consistent with the figure reported when the transaction hit the chain.
The original exploit landed on May 7, 2026. TrustedVolumes, an independent DeFi liquidity provider and RFQ (Request for Quote) market maker integrated with 1inch Fusion, lost somewhere between $5.87 million and $6.7 million in a single transaction. The attacker exploited a vulnerability in TrustedVolumes’ custom RFQ swap proxy, walking away with roughly 1,291 WETH, 206,000 UUSDT$0.9993▲0.00%, about 17 WBTC, and approximately 1.27 million UUSDC$0.9999▲0.00%.
This is not a one-off breach. The same operator has been identified as the force behind the March 2025 1inch Fusion V1 exploit — a track record that now spans more than a year and keeps targeting the same ecosystem. That history makes the July transfer hard to read cleanly. A serial exploiter returning a third of the loot does not fit the standard white-hat template, where attackers typically send back the bulk of stolen funds within days, not months, and almost always do it with a public message or through a third-party intermediary.
Several explanations remain plausible. The partial return could signal a negotiated settlement — perhaps TrustedVolumes offered a bounty or agreed not to pursue legal action in exchange for repayment. It could reflect pressure from law enforcement or chain-analysis firms that have made it harder for the attacker to cash out. Or the move might be purely tactical: returning a portion of the funds could be an attempt to reduce scrutiny while retaining the majority of the stolen assets. None of those readings can be confirmed from what’s publicly available.
The silence from TrustedVolumes and 1inch is conspicuous. More than two months after the exploit and a full day after the partial repayment, neither party has publicly acknowledged the transfer, outlined a recovery plan for affected users, or disclosed whether any negotiations with the attacker took place. That leaves affected parties and observers parsing on-chain data and social media posts for clues — a fragile foundation when millions of dollars are on the table.
The wider market backdrop offers little comfort. The crypto Fear & Greed Index sits at 25 out of 100, deep in Extreme Fear territory, with total market capitalization at $227.38 billion. ETH’s modest 24-hour gain of 0.67% to $1,845 does nothing to shift sentiment in a climate where investors are already risk-averse. A partial recovery of stolen funds is welcome, but it is unlikely to move the needle on confidence in DeFi protocols — particularly those built on custom, unaudited swap proxies.
The TrustedVolumes case also puts a persistent weakness in the RFQ model back under the microscope. Custom smart contracts that route large quotes are attractive targets, and a single vulnerability can drain millions in one transaction. The fact that the same attacker returned to the ecosystem more than a year after the first exploit suggests the attack surface has not been fully closed — or that new integrations keep introducing fresh entry points.
Roughly 65% of the stolen funds — the remaining balance of WETH, USDT, WBTC, and USDC not returned on July 17 — is still unaccounted for. Whether the attacker sends another transfer, TrustedVolumes finally breaks its silence, or law enforcement actions surface publicly will determine whether this partial repayment is the start of a full recovery or just the first installment of a negotiated loss.