The fallout from the recent UXLINK hack continues to unfold as the attacker behind the exploit begins cashing out stolen assets. On-chain data shows the hacker converted around 1,620 ETH—worth approximately $6.8 million—into DAI stablecoins in the early hours today.
This marks the first major liquidation attempt since the exploit occurred nearly 48 hours earlier. Until now, the attacker had primarily shuffled funds between multiple wallets and across centralized and decentralized exchanges in an effort to obscure the trail.
The hacker who attacked $UXLINK dumped 1,620 $ETH for 6.73M $DAI 2 hours ago. https://t.co/nYRXsq0T6V https://t.co/M8tbPYAdiq pic.twitter.com/1vTpuaDrU9
— Lookonchain (@lookonchain) September 24, 2025
In a surprising twist, the attacker has already suffered heavy losses. Blockchain security analysts revealed that the hacker inadvertently approved a malicious contract linked to the Inferno Drainer phishing group. As a result, roughly 542 million UXLINK tokens, valued at about $43 million at the time, were drained from their wallet—significantly reducing the stolen haul.
How the Exploit Unfolded
The UXLINK breach began on September 22 and lasted several hours. According to investigators, the attacker exploited a delegate call vulnerability in the project’s multi-signature wallet, gaining administrator-level access. This allowed them to move assets freely and mint large quantities of fake tokens.
Within hours, nearly 10 trillion CRUXLINK tokens were created on the Arbitrum blockchain. The attacker quickly swapped a portion of these for ETH, USDC, and other assets, draining liquidity pools and triggering a crash of more than 70% in token value.
UXLINK responded by alerting exchanges, freezing suspicious transactions where possible, and engaging security partners to trace movements. The protocol has since rolled out emergency measures, including migrating to a newly audited smart contract with stricter controls and a capped supply to prevent similar exploits.
What’s Next?
Despite the phishing setback, the attacker still controls millions in assorted assets, with today’s ETH-to-DAI swap signaling a possible strategy to gradually liquidate holdings. The constant movement of funds complicates recovery efforts, leaving questions about whether any meaningful portion of the stolen assets can be reclaimed.