These days, even hackers are losing money

Author: Chloe, ChainCatcher

In September 2025, the multi-signature wallet of the Web3 social platform UXLink was severely robbed, with hackers stealing over ten million dollars in assets within just a few hours, and maliciously crashing the token price by minting a massive amount of tokens, leading to a sudden drop of over 70%. However, the most absurd aspect of this disaster was not the attack itself, but the hacker's "amateur" performance afterward.

Unlike typical money laundering schemes, this hacker did not rush to disappear; instead, they frequently traded the stolen ETH and stablecoins on DEX, particularly on CoW Swap. According to on-chain data from Arkham, within just six months, this address accumulated nearly 625 transactions, with paper losses reaching as high as 4.8 million dollars at one point.

Restoring the technical path of this attack reveals the hacker's unusual behavioral patterns and the harsh reality behind it: in this bear market cycle, even with advanced technology to steal money on-chain, once back in market trading, everyone is treated equally.

UXLink Multi-Signature Wallet Security Vulnerability, Loss Exceeds Ten Million Dollars

Blockchain security company Cyvers first detected abnormal activity in the UXLink multi-signature wallet on September 22, 2025, and issued an emergency alert. Subsequently, UXLink officials confirmed that their core multi-signature wallet had been breached, with losses exceeding 11.3 million dollars.

The technical path of this attack is quite clear; the hacker targeted the delegateCall function vulnerability in the multi-signature wallet, successfully altering the contract logic using this vulnerability. The attacker first removed the original legitimate administrator permissions of the wallet; then, by calling the addOwnerWithThreshold function, they forcibly implanted themselves as the new wallet owner. At this point, the multi-signature security mechanism that UXLink relied on was completely bypassed, and control of the wallet was entirely transferred.

What followed was a frenzied on-chain asset heist. The list of stolen assets included approximately 4 million dollars in USDT, 500,000 dollars in USDC, 3.7 WBTC, 25 ETH, and about 3 million dollars worth of UXLINK native tokens. Meanwhile, the hacker minted a massive amount of UXLINK tokens on the Arbitrum chain and dumped them into the market, causing the token price to plummet over 70% in a short time, crashing from about 0.30 dollars to below 0.10 dollars, with a market cap evaporating by over 70 million dollars.

Taking an Unconventional Path: Abandoning Mixing and Cashing Out, Staying on-Chain to Trade

According to the standard script of crypto crime, the next plot should have unfolded like this: the hacker would funnel the assets into Tornado Cash for anonymization, laundering through countless intermediary addresses in batches, ultimately completing the entire money laundering and cash-out process. However, this attacker chose an unconventional route.

About 48 hours after the attack, the hacker exchanged 1,620 ETH for approximately 6.73 million DAI, which should have been the first wave of "selling" signals expected by the market. Multiple on-chain analysts quickly locked onto this on-chain behavior, but in the following six months, this address's behavioral pattern completely deviated from the calm and concealment typical of professional hackers, instead engaging in frenzied trading on-chain.

According to on-chain data tracking from Arkham, this address accumulated as many as 625 transaction records within just six months, with activities highly concentrated on the decentralized trading platform CoW Swap. The trading targets frequently oscillated between WETH and DAI, with a trading frequency far exceeding that of typical long-term holders. Therefore, rather than being a hacker who stole tens of millions of dollars, it would be more accurate to describe them as a trader, or perhaps a retail investor accustomed to "buying the dip, holding through volatility, and only exiting when close to the cost line."

Poor Trading Skills: Once Facing Over 4 Million Dollars in Paper Losses, Nearly Stagnant for Half a Year

According to Arkham's profit and loss tracking data, from October 2025 to early February 2026, the attacker's address experienced paper losses exceeding 3 million dollars multiple times; by February, losses peaked at 4.8 million dollars. Their trading pattern was highly consistent: continuously increasing positions at lows, stubbornly holding through volatility, and only choosing to exit when the price finally rose back near the cost line.

It wasn't until late March that this hacker finally saw a turnaround. On CoW Swap, they exchanged 5,496 ETH for approximately 11.86 million DAI at an average price of 2,150 dollars, bringing them about 935,000 dollars in paper profit and allowing their overall investment portfolio to finally return to the breakeven line. However, during the same period, the WBTC position they held was eroding this profit; on January 30, 2026, the hacker bought 203 WBTC at an average price of 83,225 dollars, and as of recently, they had incurred a paper loss of about 2.68 million dollars, having bought at a relative high point during a brief market rebound.

A Transparent Prison and a Long Road to Recovery

The UXLink incident provides a unique perspective on the history of crypto crime: an attacker under the spotlight, continuously leaving a highly visible trading trail, allowing global on-chain analysts to fully document their behavior.

This may not stem from the hacker's negligence, but rather from an outdated perception of "security." They might believe that as long as assets are dispersed across multiple addresses and traded on DEX to avoid the real-name verification hurdles of CEX, they can maintain anonymity. However, the rapid evolution of on-chain analytical tools has made this judgment overly optimistic. Institutions like Arkham, Lookonchain, PeckShield, and SlowMist almost instantly lock onto every significant abnormal movement, and every entry and exit of the hacker is laid bare under public scrutiny. Although this hacker possesses tens of millions of dollars, they seem to be trapped in a transparent digital prison.

For the UXLink project team, this situation is both a slight comfort and a significant dilemma. Although the assets have not disappeared and remain traceable on the blockchain, in a world without judicial jurisdiction intervention, the gap between "visible" and "recoverable" still looms large.

Despite UXLink quickly completing new contract audits, token exchanges, and user compensation plans after the incident in an attempt to rebuild market confidence, the token price has fallen from a high of 3.75 dollars in December 2024 to about 0.0044 dollars, a drop of 99%. For UXLink, fixing code vulnerabilities may only take a few weeks, but rebuilding the ecosystem from the near-zero ruins remains a long and arduous journey.

Equal Treatment in the Face of a Bear Market

The story of the UXLink hacker has become a microcosm of "market reality," rather than just a security incident.

Although they possess superb skills, able to precisely capture the delegateCall vulnerability and bypass multi-signature defenses, completing a meticulous harvest within hours; however, once the funds were deposited, they faced the same dilemmas as ordinary retail investors: the market does not care where the chips come from, ETH continued to decline during the holding period, and BTC remained trapped after the position was established.

This outcome is devoid of any need for pity, yet it is filled with irony. The assets that the attacker painstakingly stole were ultimately worn down by market fluctuations, and the paper value six months later was nearly the same as when they entered the market. They are not the first ETH holder to suffer losses in a bear market, nor will they be the last speculator to be bitten by the market when trying to bottom fish WBTC.