- The UXLINK attacker converted 1,620 ETH into 6.73 million DAI on Sept. 24.
- The transaction occurred almost 48 hours after the initial exploit.
- An Inferno Drainer phishing scam drained 542 million UXLINK tokens worth about $43 million.
The UXLINK hack has taken another unexpected turn as the exploiter continues to mix stolen assets in attempts to cash out.
On-chain trackers show that in the early hours of September 24 the attacker swapped 1,620 ETH for DAI stablecoins, valued at roughly $6.8 million.
The move occurred nearly 48 hours after the original exploit and marked the first major conversion of stolen funds into a stable asset.
Investigators also discovered the attacker had already lost a large portion of the loot to a phishing scam, adding an unusual twist to one of the largest exploits in recent months.
Attacker converts ETH into stablecoins
Blockchain data revealed that the attacker exchanged 1,620 ETH for 6.73 million DAI on Sept. 24.
This was the first significant attempt to turn stolen tokens into stable assets.
Prior to that swap, the attacker had been actively moving funds across multiple wallets.
Those transfers used a mix of decentralized and centralized exchanges—a common laundering tactic intended to obscure the trail.
The movement was flagged by on-chain monitoring accounts, which confirmed the ETH-to-DAI swap.
The activity suggests the attacker may be probing liquidity and off-ramp options despite increased scrutiny from exchanges and security firms.
Phishing drains $43 million in UXLINK tokens
In a surprising twist, the attacker suffered additional losses due to their own security lapse.
Investigators found the attacker interacted with a malicious contract tied to the Inferno Drainer phishing group.
That interaction allowed 542 million UXLINK tokens—worth roughly $43 million at the time—to be drained directly from the attacker’s wallet.
For UXLINK, this created a scenario where a significant portion of the stolen tokens are now controlled by a separate malicious actor.
How the exploit unfolded
The hack began on Sept. 22.
According to security researchers, the root cause was a delegate call vulnerability in UXLINK’s multi-signature wallet.
That flaw granted the attacker administrator-level access, enabling transfers without authorization and the creation of bogus tokens.
The attacker minted nearly 10 trillion CRUXLINK tokens on the Arbitrum blockchain.
They quickly liquidated a portion into ETH, USDC and other assets, drained liquidity pools, and drove the token price down by more than 70%.
The immediate impact wiped out millions in market value.
In response, UXLINK reached out to major exchanges to freeze suspicious transfers and worked with security firms to trace transactions.
However, much of the damage had already been done by the time those measures were implemented.
Protocol response and recovery efforts
UXLINK has since implemented emergency measures aimed at rebuilding security and market confidence.
The team migrated to a recently audited smart contract that enforces a capped supply to reduce the risk of unlimited minting.
The audit also strengthened safeguards around multi-signature wallets and contract interactions.
Despite these steps, the attacker still holds millions in assets, and the recent ETH-to-DAI swap adds complexity to recovery and tracking.
The additional phishing loss further complicates the situation, leaving uncertainty over how much of the originally stolen funds can ever be recovered.
With stolen assets dispersed across multiple chains, wallets and malicious actors, recovery prospects remain limited.