UXLINK goes from bad, to worse, to weird after hacker loses stolen tokens

Yesterday, a hack hit Japanese “AI-powered web3 social platform and infrastructure” UXLINK, initially draining $11 million worth of crypto from the project’s multi-signature wallets.
The hack was flagged by blockchain security firm Cyvers before being acknowledged by UXLINK around an hour later.
Cyvers noted the change of ownership and the loss of ether, bitcoin, stablecoins USDC and USDT, and UXLINK tokens.
Following the initial loss, however, things took a turn for the worse, both for UXLINK and the hacker.
In a later update, the UXLINK team notified users that their token contract had also been compromised, and freshly-minted UXLINK tokens flooded into the attacker’s addresses.
Almost 12 hours passed between the initial compromise and the attacker minting a billion UXLINK.
As other security researchers looked into the transactions, more losses were uncovered, with tokens worth over $40 million (excluding UXLINK) reportedly sitting in hacker-controlled addresses.
The UXLINK tokens had a theoretical value in the hundreds of millions of dollars when minted. The token had been trading around $0.32 pre-hack, but crashed as the hacker sold tokens and depleted liquidity.
According to CoinMarketCap data, it is down 99.99%, worth fractions of a cent.
Things get weird
With all eyes on the hacker’s addresses, many were surprised to see a (presumably) security-aware individual fall for one of the oldest tricks in the book.
Clearly in a rush to dump UXLINK tokens, the hacker first depleted liquidity on Uniswap before looking for a new venue to sell. Moving to CoW Swap, they appear to have clicked a bad link and “signed a malicious ‘increaseAllowance’ approval to a phishing contract.”
500 million tokens, with a purported value of $42 million at the time, were lost.
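A wallet-side check for the kind of approval described above, as an added example that is not from the original article or from any project it names: it decodes ERC-20 `approve`/`increaseAllowance` calldata before signing and flags spenders outside an allowlist. The addresses, the 18-decimal amount, and the function names `decode_allowance_call`, `review` and `build_call` are assumptions made for illustration.

```python
# Added example: review ERC-20 allowance calldata before signing.
# Selector = first 4 bytes of keccak256(function signature).
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UNLIMITED = 2**255  # amounts this large are effectively unlimited

def decode_allowance_call(calldata_hex):
    """Return (function, spender, amount), or None if not an allowance call."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    # selector (4 bytes) + two 32-byte ABI words = 8 + 128 hex characters
    if len(data) != 136 or any(c not in "0123456789abcdef" for c in data):
        return None
    if data[:8] not in ALLOWANCE_SELECTORS:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:
        return None  # address words are left-padded with 12 zero bytes
    return ALLOWANCE_SELECTORS[data[:8]], "0x" + spender_word[24:], int(amount_word, 16)

def review(calldata_hex, trusted_spenders, token_balance):
    """Return the warnings to show the user before they sign."""
    call = decode_allowance_call(calldata_hex)
    if call is None:
        return []
    function, spender, amount = call
    warnings = []
    if spender not in trusted_spenders:
        warnings.append(f"{function}: spender {spender} is not on the allowlist")
    if amount >= UNLIMITED:
        warnings.append("allowance is effectively unlimited")
    elif amount >= token_balance:
        warnings.append("allowance covers the entire token balance")
    return warnings

def build_call(selector, spender, amount):
    """ABI-encode selector(address,uint256) as hex calldata."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(amount, "064x")

# Constructed sample values (not real addresses; 18 decimals is an assumption)
TRUSTED = "0x" + "11" * 20
UNKNOWN = "0x" + "ab" * 20
AMOUNT = 500_000_000 * 10**18
SAMPLE = build_call("39509351", UNKNOWN, AMOUNT)

if __name__ == "__main__":
    for line in review(SAMPLE, {TRUSTED}, AMOUNT):
        print("WARNING:", line)
```
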
Undeterred, however, the hacker moved within minutes to mint more tokens and continue dumping.
Neither the phishing scammer nor the drainer provider (which took its 20% cut) was able to liquidate the hacker’s UXLINK.