Jump Crypto, a Web3 infrastructure provider, and Oasis.app, a decentralized finance (DeFi), have carried out a “counter-exploit” on the Wormhole protocol hacker. As a result, the couple recovered $225 million in digital assets and moved them to a secure wallet.

The Wormhole hack took place in February 2022 and resulted in the theft of around $321 million worth of wrapped Ethereum (wETH) by exploiting a weakness in the protocol’s token bridge.

Since then, the hacker has transferred the stolen assets using a number of Ethereum-based decentralized services (DApps), such as Oasis, which recently opened vaults for wrapped stETH (wstETH) and Rocket Pool ETH (RETH).

The Oasis.app team confirmed the existence of a counter attack in a blog post published on February 24. The post explained that the team had “received an order from the High Court of England and Wales” to recover certain assets that were associated with the “address associated with the Wormhole Exploit.”

According to the team, the recovery was initiated using “Oasis Multisig and a court-authorized third party,” which was named Jump Crypto in a previous Blockworks Research report. The report also indicated that the recovery was successful.

According to the transaction histories of both vaults, Oasis transferred 120,695 wsETH and 3,213 rETH on Feb. 21 and stored them in wallets controlled by Jump Crypto. The hacker was also found to be in debt of around $78 million in the MakerDAO stablecoin known as Dai (DAI), which was returned.

“We can also certify that the assets were promptly transferred to a wallet managed by the Permitted Third Party, as required by the court ruling.” The blog post states that “we do not maintain any control or access to these assets.”

The company stressed that it was “only conceivable due to a previously undiscovered weakness in the architecture of multisig admin access,” referring to the negative ramifications of Oasis being able to harvest crypto assets from its users’ vaults.

According to the post, such a vulnerability was exposed earlier this month by hackers wearing white hats.

We would like to emphasize that this access was implemented for the express purpose of safeguarding user assets in the event of a potential attack, and that it would have allowed us to respond quickly to fix any vulnerabilities that were reported to us. It is important to stress that user assets have never been in danger of being accessed by an unauthorized third party, neither in the past nor in the present.