UXLink Hacker Tries to Trade Stolen ETH Like a Pro — Ends Up Losing Most of It

Post Content

Prashant Jha

4 min read

Key Takeaways

The UXLink hacker made repeated high-risk trades instead of safely cashing out stolen funds.
Positions were often held through losses, with exits near breakeven.
The exploit generated over $30 million in ETH, much of which was actively traded.

The hacker behind the massive UXLink breach has turned out to be surprisingly bad at trading.

After stealing tens of millions in cryptocurrency last year, the exploiter spent the past six months actively flipping the stolen ETH and other assets on decentralized exchanges.

According to blockchain intelligence firm Arkham, the results haven’t been great.

The hacker racked up repeated losses along the way and has only recently managed to crawl back to roughly breakeven.

The UXLink exploiter has spent the past six months cycling stolen funds through decentralized exchanges, primarily trading ETH and stablecoins.

On-chain data shows the scale of activity.

One snapshot reveals nearly 625 individual transactions, with frequent swaps between ETH and DAI using platforms like CoW Swap.

UXLink exploter. — UXLink explorer trading activity. Credit: Arkham.

The strategy, if it can be called that, followed a pattern.

The exploiter often bought into dips, held through volatility, and watched positions slide into losses before exiting—usually only once prices recovered close to breakeven.

Profit loss. — UXLink exploiter’s profit loss chart. Credit: Arkham.

Arkham’s profit-and-loss data highlights the outcome.

At multiple points between October 2025 and early 2026, the wallet sat as much as $4 million in the red.

Despite continued trading, there were no sustained gains beyond the original stolen funds.

The story began in September 2025, when the attacker exploited a smart contract vulnerability in UXLink, an AI-powered Web3 social platform.

The breach allowed the exploiter to take control of a multi-signature wallet and drain roughly $11.3 million in assets.

The haul included $4 million in USDT, $500,000 in USDC, $3.7 million in wrapped Bitcoin, and smaller amounts of ETH.

The attack didn’t stop there.

The hacker also minted billions of UXLINK tokens and distributed them across decentralized markets, generating an additional $28 million in ETH.

In total, the exploit produced between $30 million and $40 million, though some funds were later lost in a secondary phishing incident.

At first, the exit looked clean. Funds were split across dozens of wallets and converted into ETH and stablecoins.

But instead of disappearing, the exploiter stayed active.

On-chain watchers say this kind of behavior is common among exploiters who treat stolen funds as personal trading accounts.

Most exploiters launder stolen funds through mixers and exit after paying significant trading fees.

However, the UXLink attacker kept playing the market instead.

Arkham described the entity as both a hacker and a DAI whale, noting repeated attempts to chase profits that never materialized.

One of the few successful trades came when the exploiter sold 5,496 ETH—worth about $11.8 million—through CoW Swap, converting it into DAI.

That move generated a profit of roughly $935,000 and temporarily lifted the overall portfolio back to breakeven.

Even so, the broader picture hasn’t changed much.

Current holdings sit at approximately $36.6 million, closely aligned with the post-exploit value after market fluctuations.

The wallet includes around $22.3 million in DAI, 202.77 wrapped Bitcoin worth about $14.27 million, and smaller token positions.

Some of those positions remain underwater.

The wrapped Bitcoin allocation alone is down roughly $2.68 million after recent price movements.

The UXLink exploit had immediate consequences for the project.

The token’s price collapsed more than 70% within hours as newly minted supply flooded the market.

Trading volumes spiked while the price fell from around $0.30 to just a few cents.

In response, exchanges froze suspicious deposits, and the UXLink team moved to contain the damage.

Measures included freezing assets where possible, launching a token migration, and working with auditors to address vulnerabilities.

For users, the losses were significant. But attention quickly shifted to the unusual behavior of the attacker.

The UXLink case offers something uncommon in crypto: a transparent view of what happens after the exploit.

Instead of disappearing, the attacker stayed active, trading aggressively and absorbing losses along the way.

Months later, the outcome is clear—despite handling tens of millions in ETH, the exploiter failed to generate meaningful gains.

On-chain analysts continue to monitor the wallets.

Whether the hacker eventually exits or continues trading remains an open question.

But so far, the strategy has produced little more than volatility—and a flat bottom line.