UXLINK Attacker Launders $43M in Assets Stolen via Phishing

  • On September 24, the UXLINK attacker converted 1,620 ETH into 6.73 million DAI.
  • The swap occurred nearly 48 hours after the initial exploit.
  • A phishing scam tied to Inferno Drainer siphoned 542 million UXLINK tokens, worth about $43 million, from the attacker's own wallet.

The UXLINK breach has taken another unexpected turn as the actor behind the exploit continues to shuffle stolen assets in an apparent effort to cash out.

On-chain trackers show that in the early hours of September 24 the hacker swapped 1,620 ETH for DAI stablecoins, a conversion valued at roughly $6.8 million.

This transaction took place almost 48 hours after the first exploit and represents the first major conversion of the stolen funds into a stable asset.

Investigators also uncovered that the attacker had already lost a large portion of their haul to a phishing operation, adding a further twist to one of the largest incidents in recent months.

Attacker converts ETH to stablecoins

Blockchain data confirmed that on September 24 the attacker exchanged 1,620 ETH for 6.73 million DAI.

That swap marked the first sizeable attempt to convert stolen tokens into stable assets.

Prior to this transaction the hacker had been actively moving funds across multiple wallets.

Those movements involved a mix of decentralized and centralized exchanges — a common laundering technique used to obscure the trail.

Monitoring accounts on the network observed these transfers and verified the ETH-to-DAI conversion.

The activity suggests the attacker may be probing liquidity and testing cash-out strategies despite heightened scrutiny from exchanges and security firms.

Phishing drains $43 million in UXLINK tokens

In an unexpected turn, a security lapse on the attacker’s side resulted in additional losses.

Investigators determined that the hacker interacted with a malicious contract linked to the Inferno Drainer phishing group.

That interaction allowed 542 million UXLINK tokens — valued at about $43 million at the time — to be siphoned directly from the attacker’s wallet.

For UXLINK, this created a situation in which a significant portion of the stolen tokens now sits in the hands of another adversary.

How the exploit unfolded

The breach began on September 22 and continued into the following day.

Security researchers say the root of the exploit was a delegatecall vulnerability in UXLINK’s multisig wallet.

This flaw granted the attacker administrator-level access, enabling them to transfer assets without approval and to mint fraudulent tokens.

The attacker minted roughly 10 trillion CRUXLINK tokens on the Arbitrum blockchain.

They quickly liquidated portions of those tokens into ETH, USDC, and other assets, draining liquidity pools and sending the token price down by more than 70%.

The immediate impact was millions in lost market value.

In response, UXLINK reached out to major exchanges to flag and freeze suspicious transfers and engaged security firms to trace transactions.

However, a substantial portion of the damage had already been done by the time those measures were implemented.

Protocol response and recovery efforts

Since the incident, UXLINK has implemented emergency measures aimed at restoring security and market confidence.

The team migrated to a newly audited smart contract that enforces a capped supply to prevent unlimited token minting.

Audits and tightened controls have been applied to multisig wallets and contract interactions.

Despite these steps, the attacker still controls assets worth millions, and the recent ETH-to-DAI conversion complicates recovery and tracking efforts.

Additional losses from the phishing incident further muddle the situation and leave open questions about how much of the stolen funds can ever be recovered.

Because the illicit assets are now distributed across multiple chains, wallets, and actors, prospects for a full recovery remain limited.