- On September 24, the UXLINK attacker converted 1,620 ETH into 6.73 million DAI.
- The swap occurred roughly 48 hours after the initial exploit.
- The Inferno Drainer phishing incident led to the loss of 542 million UXLINK tokens, worth about $43 million.
The UXLINK hack has taken another unexpected turn as the attacker continues to shuffle and attempt to cash out stolen assets.
On-chain trackers report that early on September 24 the attacker swapped 1,620 ETH for roughly $6.8 million worth of DAI stablecoins.
This move represented the first major liquidation of the stolen funds, occurring about 48 hours after the original exploit.
Investigators also discovered that the attacker had already lost a large portion of the loot to a phishing operation, adding an unusual twist to one of the largest exploits in recent months.
Attacker Converts ETH into Stablecoins
Blockchain data shows the attacker exchanged 1,620 ETH for 6.73 million DAI on September 24.
That transaction was the first significant attempt to convert the stolen tokens into a more stable asset.
Prior to this swap, the hacker had been moving large sums between multiple wallets.
Those transfers were routed through both decentralized exchanges and centralized platforms, a common laundering tactic intended to obscure the trail.
On-chain monitoring accounts, including Lookonchain, flagged the ETH-to-DAI swap.
The activity, carried out despite heightened surveillance from exchanges and security firms, suggests the attacker may have been testing liquidity and off-ramp strategies.
$43 Million in UXLINK Lost to Phishing
Surprisingly, the attacker’s own security lapse resulted in further losses.
Investigators found the hacker had interacted with a malicious contract associated with the Inferno Drainer phishing group.
As a result, approximately 542 million UXLINK tokens, worth about $43 million, were drained directly from the attacker’s wallet.
For UXLINK, this meant a significant portion of the stolen tokens ended up in the hands of another malicious actor.
How the Exploit Unfolded
The hack began on September 22 and extended into the following day.
Security researchers say the root cause was a delegate call vulnerability within UXLINK’s multisig wallet.
This flaw allowed the attacker to gain administrator-level access, enabling unauthorized transfers and the minting of fake tokens.
On the Arbitrum blockchain, the attacker minted nearly 10 trillion CRUXLINK tokens.
They quickly liquidated portions into ETH, USDC, and other assets, draining liquidity pools and sending the token’s price down by more than 70%.
The immediate fallout wiped out millions of dollars in market value.
In response, UXLINK contacted major exchanges to freeze suspicious withdrawals and partnered with security firms to track the movement of funds.
By the time those measures were in place, however, much of the damage had already been done.
Protocol Response and Recovery Efforts
UXLINK implemented emergency measures aimed at restoring security and market confidence.
The team migrated to newly audited smart contracts that include a capped supply to mitigate the risk of unlimited token minting.
Audits also strengthened safeguards around multisignature wallets and contract interactions.
Despite these steps, the attacker still holds millions in assets, and the recent ETH-to-DAI swap complicates ongoing recovery efforts.
Additional losses from phishing have further muddied the situation, leaving uncertainty over how much of the original stolen funds can be recovered.
With the stolen assets spread across multiple chains, wallets, and malicious actors, prospects for full recovery remain limited.