UXLINK Attacker Launders Stolen Assets After $43M Phishing Heist

  • The UXLINK attacker converted 1,620 ETH into 6.73 million DAI on September 24.
  • The swap occurred nearly 48 hours after the initial exploit.
  • The phishing operation Inferno Drainer drained 542 million UXLINK tokens, worth about $43 million, from the attacker's own wallet.

The UXLINK hack has taken another unexpected turn as the attacker continues to shuffle stolen assets while attempting to cash out.

On-chain trackers show that in the early hours of September 24, the hacker swapped 1,620 ETH for DAI stablecoins worth roughly $6.8 million.

That move came almost 48 hours after the initial exploit and represented the first major conversion of stolen funds into stable assets.

Investigators also discovered that the attacker had already lost a significant portion of the loot to a phishing operation, adding an unusual twist to one of the larger exploits in recent months.

Attacker converts ETH into stablecoins

Blockchain data indicated that on September 24 the attacker exchanged 1,620 ETH for approximately 6.73 million DAI.

This marked the first significant attempt to convert the stolen tokens into stable assets.

Prior to this swap, the hacker moved large sums across multiple wallets.

Those transfers involved a mix of decentralized and centralized exchanges, a common laundering tactic used to obscure the trail.

The fund movement was reported by on-chain monitoring accounts, which confirmed the ETH-to-DAI swap.

The activity suggests the attacker may be testing liquidity access and off-ramping strategies despite increased scrutiny from exchanges and security firms.

Phishing siphons $43 million in UXLINK tokens

In a surprising twist, the attacker’s own security lapse led to an additional loss.

Investigators found that the hacker interacted with a malicious contract linked to the phishing group Inferno Drainer.

That interaction allowed the phishing actor to withdraw 542 million UXLINK tokens, valued at roughly $43 million at the time, directly from the attacker’s wallet.

For UXLINK, this means a substantial portion of the stolen tokens now sits in the hands of a separate malicious actor.

How the exploit unfolded

The hack began on September 22 and continued into the following day.

Security researchers say the root cause was a delegatecall vulnerability in UXLINK’s multisig wallet.

The flaw granted the attacker administrator-level access, enabling unauthorized transfers and the minting of fraudulent tokens.

The attacker minted nearly 10 trillion CRUXLINK tokens on the Arbitrum blockchain.

They quickly liquidated part of those tokens for ETH, USDC and other assets, draining liquidity pools and causing the token price to collapse by more than 70%.

The immediate impact wiped out millions in market value.

In response, UXLINK reached out to major exchanges to freeze suspicious transfers and partnered with security firms to trace transactions.

However, much of the damage had already been done by the time those measures were implemented.

Protocol response and recovery efforts

UXLINK has since implemented emergency measures to restore security and market confidence.

The team migrated to a newly audited smart contract that enforces a capped supply to reduce the risk of unlimited token minting.

Audits strengthened safeguards around multisignature wallets and contract interactions.

Despite these steps, the attacker still holds assets worth millions, and the recent ETH-to-DAI swap further complicates recovery efforts.

The additional phishing loss makes the situation more complex and raises doubts about how much of the originally stolen funds can ever be recovered.

With stolen assets scattered across multiple chains, wallets and malicious actors, prospects for full recovery remain limited.