These days, even hackers are losing money

Author: Chloe, ChainCatcher

In September 2025, the multi-signature wallet of the Web3 social platform UXLink was ruthlessly robbed, with hackers making off with over ten million dollars in assets in just a few hours. They maliciously crashed the token price by minting a massive amount of tokens, causing the price to plummet by over 70% in an instant. However, the most absurd aspect of this disaster was not the attack itself, but the hacker's "amateur" behavior afterward.

Unlike typical money laundering schemes, this hacker did not rush to disappear but instead frequently traded the stolen ETH and stablecoins on DEX, particularly on CoW Swap. According to on-chain data from Arkham, this address accumulated nearly 625 transactions in just six months, with paper losses peaking at 4.8 million dollars.

By restoring the technical path of this attack, one can observe the hacker's unconventional behavior patterns and the harsh reality behind it: in this bear market cycle, even with advanced technology to steal money on-chain, once back in market trading, everyone is treated equally.

UXLink Multi-Signature Wallet Security Vulnerability, Loss Exceeds Ten Million Dollars

Blockchain security company Cyvers first detected abnormal movements in the UXLink multi-signature wallet on September 22, 2025, and issued an emergency alert. Subsequently, UXLink officials confirmed that their core multi-signature wallet had been breached, with losses exceeding 11.3 million dollars.

The technical path of this attack is quite clear; the hacker targeted the delegateCall function vulnerability in the multi-signature wallet, successfully altering the contract logic using this vulnerability. The attacker first removed the original legitimate administrator rights of the wallet; then, by calling the addOwnerWithThreshold function, they forcibly implanted themselves as a new wallet owner. At this point, the multi-signature security mechanism that UXLink relied on was completely bypassed, and control of the wallet was entirely transferred.

What followed was a frenzied on-chain asset heist. The list of stolen assets included approximately 4 million dollars in USDT, 500,000 dollars in USDC, 3.7 WBTC, 25 ETH, and about 3 million dollars worth of UXLINK native tokens. Meanwhile, the hacker minted a massive amount of UXLINK tokens on the Arbitrum chain and dumped them into the market, causing the token price to plummet over 70% in a short time, from about 0.30 dollars to below 0.10 dollars, with a market cap evaporating by over 70 million dollars.

Not Following the Usual Path: Abandoning Mixing and Cashing Out, Staying on-Chain to Trade

According to the standard script of crypto crime, the next plot should have unfolded like this: the hacker would funnel the assets into Tornado Cash for anonymization, laundering through countless jump addresses in batches, ultimately completing the entire money laundering and cash-out process. However, this attacker chose not to follow the usual path.

About 48 hours after the attack, the hacker exchanged 1,620 ETH for approximately 6.73 million DAI, which should have been the first wave of "selling" signals expected by the market. Multiple on-chain analysts quickly locked onto this on-chain behavior, but in the following six months, this address's behavior pattern completely deviated from the calm and concealment typical of professional hackers, instead engaging in frenzied trading on-chain.

According to on-chain data tracking from Arkham, this address accumulated as many as 625 transaction records in just six months, with activities highly concentrated on the decentralized trading platform CoW Swap. The trading targets frequently oscillated between WETH and DAI, with a trading frequency far exceeding that of typical long-term holders. Therefore, rather than being a hacker who stole ten million dollars, it would be more accurate to describe them as a trader, or perhaps a retail investor accustomed to "buying the dip, holding through volatility, and only exiting when close to the cost line."

Poor Trading Skills: At One Point, Paper Losses Exceeded 4 Million Dollars, Nearly Stagnant for Six Months

According to Arkham's profit and loss tracking data, from October 2025 to early February 2026, the attacker's address experienced paper losses exceeding 3 million dollars multiple times; entering February, losses peaked at 4.8 million dollars. Their trading pattern was highly consistent: continuously increasing positions at low points and stubbornly holding through volatility, only choosing to exit when the price finally rose back near the cost line.

It wasn't until late March that this hacker finally saw a turnaround. They exchanged 5,496 ETH for approximately 11.86 million DAI at an average price of 2,150 dollars on CoW Swap, bringing them about 935,000 dollars in paper profit and finally returning their overall investment portfolio to the breakeven line. However, the concurrently held WBTC position was eroding this profit; the hacker had purchased 203 WBTC at an average price of 83,225 dollars on January 30, 2026, and as of recent times, they had incurred a paper loss of about 2.68 million dollars. This entry point coincidentally fell at the market's brief rebound peak, and once again, they bought at a relatively high position.

A Transparent Prison and a Long Road to Recovery

The UXLink incident provides a unique perspective on the history of crypto crime: an attacker, under the spotlight, continuously leaves a highly visible trading trail, allowing global on-chain analysts to fully document their behavioral process.

This may not stem from the hacker's negligence but rather from an outdated perception of "security." They might believe that as long as assets are dispersed across multiple addresses and traded on DEX to avoid CEX's real-name verification hurdles, they can remain hidden. However, the rapid evolution of on-chain analytical tools has made such judgments overly optimistic. Institutions like Arkham, Lookonchain, PeckShield, and SlowMist almost instantly lock onto every significant abnormal movement; every entry and exit of the hacker is fully exposed under public scrutiny. Although this hacker possesses millions of dollars, they seem to be trapped in a transparent digital prison.

For the UXLink project team, this situation is both a slight comfort and a significant dilemma. While the assets have not disappeared and remain traceable on the blockchain, in the on-chain world lacking judicial jurisdiction intervention, the gap between "visible" and "recoverable" remains a chasm that is difficult to cross.

Although UXLink quickly completed new contract audits, token exchanges, and user compensation plans after the incident in an attempt to rebuild market confidence, the token price has plummeted from a high of 3.75 dollars in December 2024 to about 0.0044 dollars, a drop of 99%. For UXLink, fixing code vulnerabilities may only take a few weeks, but rebuilding the ecosystem from the near-zero ruins remains a long and arduous journey.

In the Face of a Bear Market, Everyone is Treated Equally

The story of the UXLink hacker has become a microcosm of "market reality," rather than just a security incident.

Although they possess superb skills, able to precisely capture the delegateCall vulnerability and bypass multi-signature defenses, completing a meticulous harvest in just a few hours; however, once the funds were deposited, they faced the same dilemmas as ordinary retail investors: the market does not care where the chips come from, ETH still declines during the holding period, and BTC remains trapped after the position is established.

This outcome is devoid of any need for pity, yet it is filled with irony. The assets that the attacker painstakingly stole were ultimately worn down in market fluctuations, and six months later, their paper value was nearly the same as when they entered. They are not the first ETH holder to suffer losses in a bear market, nor will they be the last speculator to be bitten by the market when trying to bottom fish WBTC.