Verdict: Partly True. Public statements and Rhea Finance’s post-mortem show that some stolen assets were returned and others were frozen, but the available record does not support saying the full loss was recovered or that the incident is fully closed.
Claim: Social media posts claimed the hacker returned funds to Rhea Finance, with some users suggesting the matter was essentially over.
Rhea Finance’s exploit story did not end with the initial hack alert. The protocol was first flagged on April 16 after CertiK said an attacker created fake token contracts and added liquidity to fresh pools, likely misleading the oracle and validation layer and draining at least $7.6 million.
Rhea’s preliminary analysis the next day said the attacker exploited a vulnerability in its margin trading feature to execute a coordinated pool manipulation attack. The protocol said the Rhea Lend smart contract was affected, while the Rhea DEX contract was not, though both were paused as a precaution while recovery efforts began.
Official updates confirm partial recovery
The strongest support for the claim comes from Rhea’s own incident report. In the post-mortem that surfaced through Rhea’s X post, the team said the attacker had deposited approximately 3.359 million USDC and 1.564 million NEAR back into the RHEA lending contract. The same summary said 4.34 million USDT had been frozen, including 3.291 million USDT frozen by Tether and another 1.053 million USDT in NEAR Intents.
That aligns with Tether CEO Paolo Ardoino’s separate public statement that 3.29 million USDT tied to the attacker had been frozen. Soon after, Alex Shevchenko posted a message thanking the attacker for returning the money, which opens up the debate: are all the funds returned?
But the “case closed” framing goes too far
The problem with the viral claim is scale. Rhea’s later post-mortem raised the estimated impact to about $18.4 million, well above the initial $7.6 million figure that circulated when the attack was first detected. So while some funds were returned or frozen, the public record does not show that the full exploit amount was recovered.
That is also why the line that the matter is “basically over” is too strong. Even after the recovery signals and Alex Shevchenko’s post, Rhea Finance separately said an official update for the community was still a work in progress, indicating the incident response was ongoing rather than fully wrapped up.
What about the broader community claim?
Community posts went further than Rhea’s public summary, claiming the attacker also returned around $3 million on Ethereum and 13,500 ZEC worth roughly $4.5 million. On-chain records reviewed by The Crypto Times appear consistent with that broader recovery narrative, including a large Ethereum transfer with hash 0xBb…11f6 recorded at April 17, 2026, 11:11:11 PM UTC. In that transaction, address 0xBb5Fa936469CaDb8907f3aEF80F5B53f55Bc11f6 sent 3,495,342.37239 Aave USDC V3-linked tokens, valued at roughly $3,494,678.26, to wallet 0x237e67d9cAcAD42b4aCE31d61f444d14BEA78E39.
A separate Zcash transaction, c4f64fd8c596c2a22c3f653de5c6bd45bf033c9a556faebc198360cedd00bce, in which a wallet received 13,500 ZEC, valued at about $4,440,150, roughly seven hours before the screenshot was captured.
But because Rhea’s public post-mortem snippets surfaced in search results explicitly break out returned USDC and NEAR plus frozen USDT, not a separate official ZEC line, that portion should be framed as on-chain-supported community evidence, not the clearest official accounting yet.
Why the claim is only partly true
The problem is not whether some funds came back. The problem is scale and finality. Rhea’s own incident summary says the exploit cost about $18.4 million, which is far higher than the early $7.6 million estimate that first circulated after the attack. So while the returned USDC and NEAR, the frozen USDT, and the visible Ethereum and Zcash transfers all support a real recovery effort, they do not prove that the entire loss has been recovered.
The “case closed” framing is also too strong. Even after Alex Shevchenko thanked the attacker for returning funds, Rhea separately said an official update for the community is a work in progress, indicating that incident response and public accounting were still ongoing.
FACT Check verdict
The claim that the hacker returned funds to Rhea Finance is partly true. There is enough public evidence to say some assets were indeed returned and others were frozen. But the stronger version of the claim, that all or most of the money is back and the incident is effectively over, is not supported by Rhea’s own recovery figures and continuing updates.
Also Read: Grinex Hack Gets Uglier: $13M Gone, and the Story Keeps Unraveling
