UXLINK Suffers $11.3M Hack as $UXLINK Tanks 70%, Hacker Loses $50M in Phishing Twist

UXLINK, an AI-powered Web3 social platform and DApp launchpad, has suffered a massive security breach, resulting in the loss of $11.3 million worth of crypto assets held in its multi-sig wallet, including 542 million $UXLINK, most of which were minted by the hacker, causing the token’s price to plummet over 70% in less than 24 hours.

The attack first came to light on September 22, when blockchain security firm Cyvers Alerts discovered suspicious activity on UXLINK’s smart contracts. The UXLINK team soon confirmed via their official X account that they had identified a security breach involving a multi-signature wallet, leading to a significant amount of assets being “illicitly” transferred to both centralized (CEX) and decentralized (DEX) exchanges.

UXLINK Multi-Sig Hack: Hacker Mints 10 Trillion $UXLINK, Nets $28.1M ETH

The hacker apparently exploited a “delegateCall” vulnerability, giving them administrator privileges on the multi-sig. Cyvers researchers discovered that an ETH address executed a delegateCall that removed the admin role on the wallet and added a new owner. The hacker then transferred at least $4 million in USDT, $500,000 in USDT, 3.7 WBTC ($418,590), and 25 ETH ($105,326) to a wallet controlled by them.

The hacker also managed to mint between 1 and 2 billion UXLINK tokens on Arbitrum, of which 490 million tokens were later sold across Decentralized Exchanges (DEXs) through six wallets. According to on-chain analytics firm Lookonchain, the proceeds were first bridged to Ethereum and swapped for ETH, netting at least 6,732 ETH, worth roughly $28.1 million, in the process.

UXLINK warned on Monday that the attacker continued to mint UXLINK tokens, with on-chain data showing that approximately 10 trillion units have been minted since the exploit. This has resulted in the price of $UXLINK plummeting over 70% from $0.30 to $0.08912, erasing around $70 million in market cap.

The platform was quick to react, notifying community members not to trade $UXLINK on DEXs to avoid potential losses caused by the unauthorized tokens. The team said that it is in contact with major exchanges to temporarily halt trading. Despite quick interventions from platforms like Upbit to freeze $UXLINK deposits, the minting exploit has left its supply severely compromised.

UXLINK emphasized that user wallets were not directly affected by the hack, and most of the stolen funds have been frozen on exchanges, with law enforcement agencies involved in the recovery process. Cybersecurity firm is aiding with the investigation and auditing.

Users Criticize UXLINK’s Plan to Conduct Token Swap to Restore Original Supply

UXLINK has announced that it will be rolling out a token swap program to protect existing holders and restore supply integrity with the whitepaper rules. The team reiterated its focus is to protect the 55 million users of the platform and ensure transparency during the recovery process.

However, users and $UXLINK holders didn’t take the notion too well, with many accusing the platform of being a “scam” and a “rug pull”. X user “kicks658520” replied under the official post that they suffered “significant financial loss” because the project changed its stance from freezing unauthorized mints to releasing an upgrade to issue a fresh token supply. Another user, “Han9201737”, called on users to sue the UXLINK Foundation for negligence, while others are demanding a faster solution. Meanwhile, some users are optimistic about the UXLINK team overcoming the crisis.

UXLINK Hacker Loses $50 Million in Stolen Funds to Phishing Scam

In a surprising turn of events, the hacker behind the multi-million dollar exploit has reportedly become the target of a phishing scam. On-chain data shows that about 542 million UXLINK tokens, worth nearly $50 million, were drained from their wallet after they signed off on a malicious transaction.

Blockchain security analyst Scam Sniffer discovered that the hacker responsible for draining UXLINK’s multi-sig accidentally approved a phishing contract that gave the attackers access to their wallet, draining all the stolen funds using an “increaseAllowance” command. Inferno Drainer, the group behind the attack, tricked the hacker into signing the approval just before the tokens were siphoned out to various addresses.

Also Read: Top 5 Biggest Crypto Scams In History

On-chain data shows two major transfers from the hacker’s address: one involving 108,395.883 UXLINK, valued at around $9.7 million, and the other, 433,583.532 UXLINK, valued at over $39 million.

The strategy used by Inferno Drainer involves bad actors creating fake contracts that mimic a legitimate platform, and when the victim signs the contract, they unknowingly grant the attacker permission to move tokens out of their wallet. In this case, the UXLINK hacker is likely to have believed that they were moving the funds to a safe place or swapping them for other cryptocurrencies on a DEX or token mixer. Instead, they handed over control of their wallet to the phishing address, resulting in millions of dollars worth of UXLINK tokens being stolen in minutes, leaving the hacker empty-handed.

Crypto security researcher ‘Cos’ called the situation “hilarious”, pointing out that not even hackers are safe from tasting their own medicine, while many in the UXLINK community joked that it was “karma” doing its work.

The phishing exploit has brought about an unexpected twist to UXLINK’s efforts to recover lost funds. The platform is actively working with exchanges, security experts, and law enforcement to recoup investors. No one expected the story to encounter such a dramatic turn.