- UXLINK attacker converted 1,620 ETH into 6.73m DAI on September 24.
- The transaction occurred nearly 48 hours after the initial exploit.
- Inferno Drainer phishing scam drained 542m UXLINK tokens worth $43m.
The UXLINK hack has taken another unexpected turn as the attacker behind the exploit continues to shuffle stolen assets in an attempt to cash out.
On-chain trackers show that in the early hours of September 24, the hacker converted 1,620 ETH into DAI stablecoins, valued at around $6.8 million.
The movement came nearly 48 hours after the initial exploit and was the first major conversion of stolen funds.
However, investigators also discovered that the attacker had already lost a large part of their loot to a phishing scam, adding an unusual twist to one of the biggest exploits in recent months.
Attacker converts ETH to stablecoins
Blockchain data revealed that the attacker swapped 1,620 ETH for 6.73 million DAI on September 24.
This marked the first significant attempt to transform the stolen tokens into stable assets.
Before this transaction, the hacker had engaged in heavy fund shuffling across multiple wallets.
These movements used a mix of decentralised and centralised exchanges, a common laundering tactic to obscure the trail.
The fund movement was flagged by on-chain monitoring accounts, including Lookonchain, which confirmed the ETH-to-DAI swap.
The activity suggests that the attacker may be testing liquidity and off-ramping strategies despite heightened surveillance from exchanges and security firms.
Phishing drains $43 million in UXLINK tokens
In a surprising twist, the attacker’s own security misstep led to an additional loss.
Investigators found that the hacker interacted with a malicious contract linked to the Inferno Drainer phishing group.
This error allowed 542 million UXLINK tokens, worth approximately $43 million at the time, to be drained directly from the attacker’s wallet.
For UXLINK, it has created a situation where a substantial part of the stolen tokens is now in the hands of a separate malicious actor.
How the exploit unfolded
The hack began on September 22 and extended into the following day.
According to security researchers, the root of the exploit was a delegate call vulnerability within UXLINK’s multi-sig wallet.
This flaw gave the attacker administrator-level access, enabling them to transfer assets without approval and mint fake tokens.
The attacker minted close to 10 trillion CRUXLINK tokens on the Arbitrum blockchain.
They quickly liquidated a portion into ETH, USDC, and other assets, draining liquidity pools and causing the token price to collapse by more than 70%.
The immediate impact wiped out millions in market value.
In response, UXLINK contacted major exchanges to freeze suspicious transfers and partnered with security firms to trace transactions.
However, much of the damage had already been done by the time these measures were implemented.
Protocol response and recovery efforts
UXLINK has since introduced emergency measures aimed at rebuilding security and market trust.
The team migrated to a newly audited smart contract that included a capped supply to reduce the risk of unlimited token minting.
The audit strengthened safeguards around multi-signature wallets and contract interactions.
Despite these actions, the hacker continues to hold millions in assets, and the recent ETH-to-DAI swap adds new complexity to tracking recovery.
The additional phishing loss further complicates matters, leaving uncertainty over how much of the original stolen funds can ever be recovered.
With stolen assets spread across multiple chains, wallets, and malicious actors, recovery prospects remain limited.
