TL;DR:
- UXLink suffered an exploit in September 2025; nine months after the episode, the attacker reactivated the laundering of the stolen funds.
- The hacker deposited approximately $8.1 million in ETH into Tornado Cash through 46 transactions of 100 ETH each.
- The total laundered assets amount to $19.1 million. The attacker still retains around $16 million in stolen funds.
UXLink, the Web3 social network that fell victim to an exploit in September 2025, is back in the news. According to Specter, an on-chain researcher, the perpetrator of the attack reactivated the movement of stolen funds almost nine months after the original incident. The thief converted part of the stolen DAI into Ethereum and deposited approximately $8.1 million in ETH into Tornado Cash, the cryptocurrency mixer that criminals repeatedly use to obscure the tracking of illicit transactions on the blockchain.
The laundering process was carried out through 46 separate deposits of 100 ETH each, a common tactic to blend illegal funds with legitimate transactions and hinder on-chain tracing. With this operation, the total laundered assets from the exploit amount to $19.1 million. However, the attacker retains control of approximately $16 million more, suggesting that the fund dispersal process could continue.
The UXLink attacker has returned depositing the stolen funds into Tornado Cash.
So far, the attacker has deposited $8.1M after swapping the funds from DAI into ETH.
100 ETH X 46
In total, the attacker has laundered approximately $19.1M of the stolen funds and is still holding… https://t.co/V5sDzssQLR pic.twitter.com/5mgtvAkRgO
— Specter (@SpecterAnalyst) June 17, 2026
UXLink: Nine Trillion Tokens and a Theft Within a Theft
The original exploit was notable both for its scale and its development. In September 2025, the attacker minted more than 9 trillion UXLINK tokens, maintained access to the system for hours after the initial attack, and continued issuing tokens fraudulently. They then began moving funds to centralized exchanges and dumping the fake tokens through decentralized exchanges, which led to liquidity being drained from Uniswap.
The episode took an unusual turn when the attacker themselves signed a malicious transaction and lost 542 million UXLINK tokens to another malicious actor, a case of theft within a theft. Even so, the primary exploiter retained around 900 million UXLINK, leaving a considerable portion of compromised assets in the hands of different criminals.
The case adds to the long list of illicit activity in the ecosystem. On June 12, Humanity Protocol reported a phishing attack targeting one of its directors, which resulted in token minting and unauthorized transfers on Ethereum and BNB Smart Chain. Three days later, the Router contract of Aztec Network recorded a suspicious transaction involving the draining of assets worth approximately $2.19 million.
