These days, even hackers are losing money

Author: Chloe, ChainCatcher

In September 2025, the multi-signature wallet of the Web3 social platform UXLink was severely robbed, with hackers absconding with over ten million dollars' worth of assets in just a few hours. They maliciously crashed the token price by minting a massive amount of tokens, causing a sudden drop of over 70%. However, the most absurd aspect of this disaster was not the attack itself, but the hacker's "amateur" performance afterward.

Unlike typical money laundering schemes, this hacker did not rush to disappear but instead frequently traded the stolen ETH and stablecoins on a DEX, particularly on CoW Swap. According to on-chain data from Arkham, this address accumulated nearly 625 transactions in just six months, with paper losses peaking at 4.8 million dollars.

By restoring the technical path of this attack, one can observe the hacker's unusual behavioral patterns and the harsh reality behind it: in this bear market cycle, even with advanced technology to steal money on-chain, once back in market trading, everyone is treated equally.

UXLink Multi-Signature Wallet Security Vulnerability, Loss Exceeds Ten Million Dollars

On September 22, 2025, blockchain security company Cyvers was the first to detect abnormal movements in the UXLink multi-signature wallet and issued an emergency alert. Subsequently, UXLink officials confirmed that their core multi-signature wallet had been compromised, with losses exceeding 11.3 million dollars.

The technical path of this attack is quite clear. The hacker targeted the delegateCall function vulnerability in the multi-signature wallet, successfully altering the contract logic using this vulnerability. The attacker first removed the legitimate administrator rights of the wallet; then, by calling the addOwnerWithThreshold function, they forcibly implanted themselves as a new wallet owner. At this point, the multi-signature security mechanism that UXLink relied on was completely bypassed, and control of the wallet was entirely transferred.

What followed was a frenzied on-chain asset heist. The list of stolen assets included approximately 4 million dollars in USDT, 500,000 dollars in USDC, 3.7 WBTC, 25 ETH, and about 3 million dollars worth of UXLINK native tokens. Meanwhile, the hacker minted a massive amount of UXLINK tokens on the Arbitrum chain and dumped them into the market, causing the token price to plummet over 70% in a short time, from about 0.30 dollars to below 0.10 dollars, with a market cap evaporating by over 70 million dollars.

Not Following the Usual Path: Abandoning Mixing and Cashing Out, Staying in On-Chain Trading

According to the standard script of crypto crime, the next scene should have unfolded like this: the hacker would funnel the assets into Tornado Cash for anonymization, laundering them in batches through countless jump addresses, ultimately completing the entire money laundering and cash-out process. However, this attacker chose not to follow the usual path.

About 48 hours after the attack, the hacker exchanged 1,620 ETH for approximately 6.73 million DAI, which should have been the first wave of "selling" signals expected by the market. Multiple on-chain analysts quickly locked onto this on-chain behavior, but in the following six months, the behavior pattern of this address completely deviated from the calm and concealment typical of professional hackers, instead engaging in frenzied trading on-chain.

According to on-chain data tracking from Arkham, this address accumulated as many as 625 transaction records in just six months, with activities highly concentrated on the decentralized trading platform CoW Swap. The trading targets frequently oscillated between WETH and DAI, with a trading frequency far exceeding that of typical long-term holders. Therefore, rather than being a hacker who stole tens of millions of dollars, it would be more accurate to describe him as a trader, or perhaps a retail investor accustomed to "buying the dip, holding through volatility, and only exiting near the cost line."

Poor Trading Skills: At One Point, Paper Losses Exceeded 4 Million Dollars, Almost Stagnant for Six Months

According to Arkham's profit and loss tracking data, from October 2025 to early February 2026, the hacker's address experienced paper losses exceeding 3 million dollars multiple times; by February, losses peaked at 4.8 million dollars. Their trading pattern was highly consistent: continuously adding positions at lows, stubbornly holding through volatility, and only choosing to exit when the price finally rose near the cost line.

It wasn't until late March that this hacker finally saw a turnaround. On CoW Swap, at an average price of 2,150 dollars, he exchanged 5,496 ETH for approximately 11.86 million DAI, bringing him about 935,000 dollars in paper profit and allowing his overall investment portfolio to finally return to the breakeven line. However, during the same period, the WBTC position he held was eroding this profit; on January 30, 2026, he bought 203 WBTC at an average price of 83,225 dollars, and as of recently, he had incurred a paper loss of about 2.68 million dollars. This entry point happened to coincide with a brief market rebound, and once again, he bought at a relatively high level.

A Transparent Prison and a Long Road to Recovery

The UXLink incident provides a unique perspective on the history of crypto crime: an attacker under the spotlight, continuously leaving a highly visible trading trail, allowing global on-chain analysts to fully document their behavior.

This may not stem from the hacker's negligence but rather from an outdated perception of "security." He might have believed that as long as he dispersed assets across multiple addresses and operated on DEXs to avoid the real-name verification hurdles of CEXs, he could maintain anonymity. However, the rapid evolution of on-chain analytical tools has made this judgment overly optimistic. Institutions like Arkham, Lookonchain, PeckShield, and SlowMist almost instantly locked onto every significant abnormal movement, and every entry and exit of the hacker was fully exposed under public scrutiny. Although this hacker possessed tens of millions of dollars, it was as if he were trapped in a transparent digital prison.

For the UXLink project team, this situation is both a slight comfort and a significant dilemma. Although the assets have not disappeared and remain traceable on the blockchain, in the on-chain world lacking judicial jurisdiction intervention, the gap between "visible" and "recoverable" remains a chasm that is difficult to cross.

Despite UXLink quickly completing new contract audits, token exchanges, and user compensation plans after the incident in an attempt to rebuild market confidence, the token price has plummeted from a high of 3.75 dollars in December 2024 to about 0.0044 dollars, a drop of 99%. For UXLink, fixing code vulnerabilities may take only a few weeks, but rebuilding the ecosystem from the near-zero ruins remains a long and arduous journey.

In the Face of a Bear Market, Everyone is Treated Equally

The story of the UXLink hacker has become a microcosm of "market reality," rather than just a security incident.

Although he possessed excellent skills, able to precisely capture the delegateCall vulnerability and bypass multi-signature defenses, completing a meticulous harvest in just a few hours; however, once the funds were in, he faced the same dilemmas as ordinary retail investors: the market does not care where the chips come from, ETH still fell during the holding period, and BTC remained stuck after the position was established.

This outcome is devoid of any need for pity, yet it is full of irony. The assets that the attacker painstakingly stole ultimately wore down amidst market fluctuations, and six months later, their paper value was nearly the same as when he entered. He is not the first ETH holder to suffer losses in a bear market, nor will he be the last speculator to be bitten by the market while trying to bottom-fish WBTC.