These days, even hackers are losing money.

Author: Chloe, ChainCatcher

In September 2025, the Web3 social platform UXLink’s multi-signature wallet was looted. Hackers drained over $10 million worth of assets within hours, then minted a large number of tokens and dumped them, causing the coin price to plummet over 70% instantly. However, the most absurd part of this disaster wasn’t the attack itself, but the hacker’s “amateur” behavior afterward.

Unlike typical token laundering schemes, the hacker didn’t rush to hide or disappear. Instead, they used the stolen ETH and stablecoins to trade frequently on DEXes, specifically on CoW Swap. According to on-chain data from Arkham, within just six months, this address accumulated nearly 625 transactions, with a paper loss reaching up to $4.8 million.

Reconstructing the technical path of this attack reveals the hacker’s unusual behavior pattern and the harsh reality behind it: in this bear market cycle, even with advanced techniques to steal on-chain funds, once it hits the market, everyone is on equal footing.

UXLink Multi-Signature Wallet Security Flaw, Losses Exceed $10 Million

On September 22, 2025, blockchain security firm Cyvers was the first to detect abnormal activity in UXLink’s multi-signature wallet and issued an emergency alert. Soon after, UXLink confirmed that its core multi-sig wallet had been compromised, with losses exceeding $11.3 million.

The attack’s technical approach was quite clear: the hacker exploited a delegateCall vulnerability in the multi-sig wallet, successfully tampering with the contract logic. The attacker first removed the legitimate admin permissions, then called addOwnerWithThreshold to forcibly set themselves as the new owner. At this point, UXLink’s multi-signature security mechanism was completely bypassed, and control of the wallet was fully seized.
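The sequence described above (an unexpected delegatecall, owner removal, a new owner added, multi-sig control lost) is something a monitoring job can alert on. The following is an added example, not code from UXLink or any vendor named here; it assumes Safe-style event names (`AddedOwner`, `RemovedOwner`, `ChangedThreshold`) and runs over constructed, already-decoded records with hypothetical addresses.

```python
# Constructed, already-decoded wallet activity (not data from the incident).
# Event names and operation=1 (delegatecall) follow Safe-style wallets; that
# the affected wallet matches this layout is an assumption.
APPROVED_OWNERS = {"0xA11ce", "0xB0b"}            # hypothetical signer allowlist
APPROVED_DELEGATE_TARGETS = {"0xMultiSendLib"}    # hypothetical vetted library
BASELINE_THRESHOLD = 2

SAMPLE_EVENTS = [
    {"block": 100, "kind": "exec", "operation": 0, "to": "0xTreasury"},
    {"block": 205, "kind": "exec", "operation": 1, "to": "0xUnknownLogic"},
    {"block": 205, "kind": "RemovedOwner", "owner": "0xA11ce"},
    {"block": 205, "kind": "RemovedOwner", "owner": "0xB0b"},
    {"block": 206, "kind": "AddedOwner", "owner": "0xNewKey"},
    {"block": 206, "kind": "ChangedThreshold", "threshold": 1},
]

def detect(events, owners=APPROVED_OWNERS, threshold=BASELINE_THRESHOLD, window=10):
    """Return (block, rule, detail) alerts for owner-set takeover patterns."""
    alerts, owners, last_removal = [], set(owners), None
    for ev in sorted(events, key=lambda e: e["block"]):   # stable: keeps log order
        kind, block = ev["kind"], ev["block"]
        if (kind == "exec" and ev["operation"] == 1
                and ev["to"] not in APPROVED_DELEGATE_TARGETS):
            alerts.append((block, "DELEGATECALL_UNVETTED_TARGET", ev["to"]))
        elif kind == "RemovedOwner":
            owners.discard(ev["owner"])
            last_removal = block
            alerts.append((block, "OWNER_REMOVED", ev["owner"]))
        elif kind == "AddedOwner":
            owners.add(ev["owner"])
            if ev["owner"] not in APPROVED_OWNERS:
                swapped = last_removal is not None and block - last_removal <= window
                rule = "OWNER_SWAP_TAKEOVER" if swapped else "UNAPPROVED_OWNER_ADDED"
                alerts.append((block, rule, ev["owner"]))
        elif kind == "ChangedThreshold":
            if ev["threshold"] < threshold:
                alerts.append((block, "THRESHOLD_LOWERED", f"{threshold}->{ev['threshold']}"))
            threshold = ev["threshold"]
    if owners and not (owners & APPROVED_OWNERS):         # every signer is unknown
        alerts.append((None, "NO_APPROVED_OWNER_LEFT", ",".join(sorted(owners))))
    return alerts
```

Any one of these rules firing on a treasury wallet is worth paging on; the removal-then-addition pair inside a few blocks is the strongest signal because routine signer rotation is normally planned and allowlisted in advance.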

This led to a frenzy of on-chain asset theft. The stolen assets included about $4 million USDT, $500,000 USDC, 3.7 WBTC, 25 ETH, and approximately $3 million worth of UXLINK tokens. Meanwhile, the hacker minted a large number of UXLINK tokens on Arbitrum and dumped them on the market, causing the token price to crash over 70%, from about $0.30 to below $0.10, wiping out over $70 million in market cap.

Unconventional Approach: Abandoning Mixing and Withdrawing, Staying on Chain to Trade

According to standard crypto crime scripts, the next steps would typically be: transfer assets into Tornado Cash for anonymity, launder through numerous relay addresses, and finally cash out. But this attacker took a different route.

About 48 hours after the attack, the hacker exchanged 1,620 ETH for roughly 6.73 million DAI. This should have been the market’s first “dump” signal, and many on-chain analysts quickly identified this activity. However, over the next half-year, the address’s behavior diverged sharply from that of a typical hacker—rather, it resembled a trader, or a retail investor habitually “buying dips, holding through volatility, and only exiting near cost.”

According to Arkham’s tracking data, this address accumulated up to 625 transactions in just six months, mainly on the decentralized exchange CoW Swap. The trades frequently shifted between WETH and DAI, with activity far exceeding that of a long-term holder. Instead of a stealthy hacker, it looked more like a trader or a retail investor following a “buy low, hold, sell high” strategy.

Poor Trading Skills: Initially Lost Over $4 Million, Nearly Stagnant for Half a Year

Arkham’s profit and loss tracking shows that from October 2025 to early February 2026, the attacker’s address repeatedly experienced unrealized losses exceeding $3 million; by February, losses peaked at $4.8 million. The trading pattern was highly consistent: increasing positions at lows, holding through volatility, and only exiting when the price finally rebounded to near break-even.

It wasn’t until late March that the hacker finally turned a profit. On CoW Swap, they exchanged 5,496 ETH at an average price of $2,150 for about 11.86 million DAI, netting roughly $935,000 in unrealized gains and finally bringing their overall portfolio back to break-even. However, their WBTC holdings were eroding this profit. On January 30, 2026, they bought 203 WBTC at an average of $83,225 each, and recent data shows an unrealized loss of about $2.68 million. This purchase coincided with a brief market rebound, meaning they bought at a relatively high point again.

Transparent Prison and a Long Road to Recovery

The UXLink incident offers a unique perspective in crypto crime history: the attacker left a trail of highly visible transactions, allowing global on-chain analysts to fully document their behavior.

This may not stem from hacker negligence but from an outdated understanding of “security.” The attacker might have believed that dispersing assets across multiple addresses and trading on DEXes to avoid CEX KYC would keep them hidden. But the rapid evolution of on-chain analysis tools has made such assumptions overly optimistic. Firms like Arkham, Lookonchain, PeckShield, and SlowMist can almost instantly detect large movements, exposing every entry and exit. Though the hacker controls millions of dollars, they seem to be in a transparent digital prison.

For UXLink’s team, this situation is both a slight comfort and a major dilemma. The assets haven’t disappeared—they remain on the traceable blockchain—but without judicial authority intervention, the gap between “seeing” and “recovering” remains vast.

Despite quickly completing new contract audits, token swaps, and user compensation plans to rebuild confidence, the token price has plummeted from a high of $3.75 in December 2024 to about $0.0044—a 99% decline. Fixing code vulnerabilities might only take weeks, but rebuilding the ecosystem from near zero is a long, arduous journey.

In the Bear Market, Everyone Is Equal

The story of the UXLink hacker reflects the “market reality,” not just a security incident.

While they possess technical skill—exploiting delegateCall vulnerabilities and bypassing multi-sig defenses to execute a meticulous harvest within hours—they face the same market challenges as ordinary retail investors: the market doesn’t care where the chips come from. ETH held during the process still declines; BTC bought in also remains trapped.

This ending is merciless but ironic. The assets the attacker painstakingly stole are worn down by market volatility, and after half a year, their paper value is nearly the same as at entry. They are not the first to lose in a bear market, nor will they be the last to get burned when bottom-fishing WBTC.
