Although hackers possess sophisticated skills and can complete a meticulous harvest in a few hours, the market does not care where the chips come from; in the face of a bear market, everyone is treated equally.

Article by: Chloe

Article source: ChainCatcher

In September 2025, the multisignature wallet of the Web3 social platform UXLink was hacked. Hackers absconded with more than ten million US dollars in assets in just a few hours and maliciously dumped the tokens by minting a huge amount of tokens, causing the price of the tokens to plummet by more than 70% in an instant. However, the most absurd thing about this disaster was not the attack itself, but the hackers' "amateurish" performance afterward.

Unlike typical money laundering schemes, this hacker didn't rush to disappear. Instead, he invested the stolen ETH and stablecoins into a DEX and traded them frequently on CoW Swap. According to Arkham's on-chain data, the address accumulated nearly 625 transactions in just six months, with paper losses reaching as high as $4.8 million.

By reconstructing the technical path of this attack, we can discover the hacker's unusual behavior patterns and the harsh reality behind it: in the face of this bear market cycle, even if there is advanced technology to steal money on the blockchain, once it returns to the market for trading, everyone is equal.

UXLink multisignature wallet security vulnerability resulted in losses exceeding ten million magnesium.

On September 22, 2025, blockchain security company Cyvers was the first to detect unusual activity in the UXLink multi-signature wallet and issued an emergency alert. Subsequently, UXLink officially confirmed that its core multi-signature wallet had been compromised, resulting in a loss of over $11.3 million.

The attack's technical path was quite clear: the hacker targeted a vulnerability in the delegateCall function of the multi-signature wallet, successfully altering the contract logic. The attacker first removed the wallet's original legitimate administrator privileges; then, by calling the addOwnerWithThreshold function, they forcibly implanted themselves as the new wallet owner. Thus, UXLink's core multi-signature security mechanism was completely bypassed, and wallet control was permanently transferred.

What followed was a frenzied looting of on-chain assets. The stolen assets included approximately $4 million USDT, $500,000 USDC, 3.7 WBTC, 25 ETH, and approximately $3 million worth of UXLINK native tokens. Simultaneously, the hackers minted a massive amount of UXLINK tokens on the Arbitrum chain and dumped them on the market, causing the token price to plummet by over 70% in a short period, from approximately $0.30 to below $0.10, wiping out over $70 million in market capitalization.

Taking an unconventional approach: Abandoning coin mixing and withdrawal, remaining on-chain for trading and competition.

According to the standard script for cryptocrime, the next step should have been this: the hacker would transfer assets to Tornado Cash for anonymization, launder the money in batches through numerous jump addresses, and finally complete the entire money laundering and withdrawal process. But this attacker did not follow the usual path.

About 48 hours after the attack, the hacker exchanged 1,620 ETH for about 6.73 million DAI. This should have been the first wave of "shipment" signal expected by the market, and several on-chain analysts also immediately identified this on-chain behavior. However, in the following six months, the behavior pattern of this address completely deviated from the calmness and stealth of professional hackers, and instead began to trade frantically on the chain.

According to Arkham's on-chain data tracking, this address accumulated a staggering 625 transactions in just six months, with activity highly concentrated on the decentralized exchange CoW Swap. Its trading pairs frequently oscillated between WETH and DAI, an activity frequency far exceeding that of typical long-term holders. Therefore, rather than a hacker who stole millions of dollars, he seems more like a trader, or perhaps a retail investor accustomed to "buying on dips, weathering volatility, and exiting only when nearing their cost basis."

Poor trading skills: once suffered a floating loss of over 4 million magnesium, and almost stagnated for six months.

According to Arkham's profit and loss tracking data, from October 2025 to early February 2026, the attacker's address repeatedly suffered paper losses exceeding $3 million; in February, the losses reached a peak of $4.8 million. Their trading pattern was highly consistent: continuously adding to positions at low points, stubbornly holding on during fluctuations, and only exiting when the price finally recovered to near the cost line.

The hacker's fortunes turned around in late March. He exchanged 5,496 ETH for approximately 11.86 million DAI on CoW Swap at an average price of $2,150, earning him a paper profit of about $935,000 and bringing his overall portfolio back to break-even. However, his WBTC holdings from the same period were eroding these profits. The hacker bought 203 WBTC on January 30, 2026, at an average price of $83,225, and as of recently, they have a paper loss of approximately $2.68 million. This entry point coincided with a brief market rebound high; once again, he bought at a relatively high price.

A transparent prison and a long road to recovery

The UXLink incident provides a unique perspective on the history of cryptocrime: an attacker, under the spotlight, continuously leaves a highly visible trail of transactions, allowing global on-chain analysts to fully document his actions.

This may not stem from the hacker's negligence, but rather from an outdated understanding of "security." He may have believed that by distributing assets across multiple addresses and operating on DEXs to bypass the real-name authentication checks of CEXs, he could maintain anonymity. However, the rapid evolution of on-chain analytics tools has rendered this assessment overly optimistic. Institutions like Arkham, Lookonchain, PeckShield, and SlowMist almost instantly detected every large transaction, exposing the hacker's every move under public scrutiny. This hacker, despite possessing millions of dollars, seemed to be living in a transparent digital prison.

For the UXLink project team, this situation is both a small consolation and a huge predicament. Although the assets have not disappeared and are still on the traceable blockchain, in the on-chain world lacking judicial jurisdiction, there is still a difficult-to-cross gap between "being able to see" and "being able to recover."

Although UXLink quickly completed a new contract audit, token swap, and user compensation plan after the incident in an attempt to rebuild market confidence, the token price has plummeted from a high of $3.75 in December 2024 to approximately $0.0044, a drop of 99%. For UXLink, patching the code vulnerability may only take a few weeks, but rebuilding the ecosystem from near-zero ruins will be a long and arduous journey.

In the face of a bear market, treat everyone equally.

The UXLink hacking story became a microcosm of "market reality," rather than just a security incident.

Although he possesses superb skills, enabling him to accurately exploit delegateCall vulnerabilities and bypass multi-signature defenses, completing a meticulous harvest within hours; however, after the funds are deposited, he faces the same predicament as ordinary retail investors: the market does not care where the chips come from, ETH continues to fall during the holding period, and BTC is still trapped after the position is established.

This ending demands no pity, yet it is undeniably ironic. The assets the attacker painstakingly stole were ultimately eroded by market fluctuations, with their book value six months later nearly unchanged from their initial purchase price. He is not the first ETH holder to lose money in a bear market, nor will he be the last speculator to suffer a market backlash when buy the dips WBTC at the bottom.