The wallet linked to the 2025 UXLINK exploit has resumed moving stolen funds, converting millions of dollars in stablecoins into Ether before sending more than 8,300 ETH through crypto mixer Tornado Cash.
According to blockchain security firm PeckShieldAlert on Wednesday, the exploiter swapped approximately 14.6 million DAI for 8,298.6 ETH before depositing 8,340 ETH into Tornado Cash. The address also bridged 2.64 ETH, worth roughly $4,630, from Ethereum to a Bitcoin address.
Despite the transactions, the exploiter continues to hold around 10.54 million DAI, indicating that a significant portion of the stolen assets remains under its control.
Attacker continues laundering stolen funds
The latest transfers suggest the exploiter is continuing efforts to move and obfuscate assets months after the original breach. Privacy protocol Tornado Cash has frequently been used by attackers seeking to make blockchain transactions more difficult to trace. The small bridge transaction to Bitcoin also points to attempts to move value across blockchain networks.
The latest activity follows a similar pattern observed earlier this year, when the exploiter liquidated part of its Ether holdings for stablecoins.
Previous swaps converted ETH into stablecoins
On March 20, blockchain security firms tracked another large transaction tied to the same wallet. According to PeckShieldAlert, the attacker swapped 5,496 ETH for roughly 11 million DAI, a move widely viewed as an effort to reduce exposure to Ether price volatility.
Blockchain analytics platform Lookonchain reported that the sale generated an estimated $935,000 profit, based on the exploiter’s acquisition cost. At the time, the wallet also held 203 Wrapped Bitcoin (WBTC) purchased in January, although those holdings were showing an unrealized loss.
The latest DAI-to-ETH swap effectively reverses part of that earlier strategy before routing the newly acquired Ether through Tornado Cash.
UXLINK lost more than $44 million in 2025 breach
The wallet has been linked to the compromise of UXLINK’s multisignature wallet on September 22, 2025, an attack that resulted in losses exceeding $44 million.
Following the exploit, UXLINK worked with centralized exchanges and law enforcement agencies to identify and freeze suspicious transactions. The project said a substantial portion of the stolen assets had been frozen through cooperation with exchange partners.
Exploit triggered massive token inflation
Beyond the theft of treasury assets, the attacker also minted unauthorized UXLINK tokens, severely disrupting the token’s market.
Security researchers reported that the exploiter initially created 1 billion UXLINK tokens before minting another billion. Separately, blockchain security firm Hacken estimated that nearly 10 trillion tokens were ultimately minted, although approximately 9.95 trillion were exchanged for only 16 ETH, limiting the financial gain from those inflated tokens.
The exploit contributed to a collapse in UXLINK’s token price, which remains more than 99% below its all-time high. In a separate incident following the attack, blockchain analysts reported that the exploiter also became the victim of a phishing attack, losing more than 500 billion illicitly minted UXLINK tokens.
Rising DeFi exploits
Recent attacks suggest the UXLINK exploit is part of a broader wave of security incidents affecting decentralized finance protocols. On June 15, decentralized options platform Thetanuts Finance lost about $2.1 million after attackers exploited its options token system, though security firms said roughly $2 million in option tokens were subsequently white-hatted.
A day earlier, hackers drained more than $2.19 million from the discontinued Aztec Connect privacy protocol by exploiting a flaw that allowed withdrawals without corresponding deposits. Earlier in the month, Raydium disclosed a $1.34 million exploit involving five legacy AMM V3 liquidity pools that had remained dormant since 2021.
While each incident stemmed from different vulnerabilities, they collectively underscore the continued risks posed by outdated smart contracts, legacy infrastructure, and protocol-level logic flaws across DeFi.
Also Read: DeFi Tokens Are Shifting From Hype to Hard Numbers: Grayscale
