From thief to prey: the $50 million phishing blowback on a hacker who drained UXLINK
An irony wrapped in code: the same hands that drained UXLINK have become targets of crypto crime themselves. Scam Sniffer reports that on Sept. 23 the attacker lost roughly 542 million UXLINK tokens, valued at more than $50 million, to a phishing scheme staged by another bad actor. SlowMist co-founder Yu Xian suggested the theft bore the hallmarks of Inferno Drainer, a notorious draining-as-a-service provider known for selling phishing kits and fake websites. The group has stolen millions from crypto users across multiple chains. This dark irony underlines how quickly a crime-maker can be undone by the same techniques they deployed.
In This Article:
How the UXLINK breach happened: the delegateCall attack and the first heist
The breach began on Sept. 22, when an attacker exploited a delegateCall function to strip admin privileges and appoint themselves as the owner of UXLINK’s smart contract. That move enabled the theft of $4 million in USDT, $500,000 in USDC, 3.7 wrapped Bitcoin, and 25 ETH. The stolen stablecoins were quickly swapped into DAI, and funds moved across Ethereum and Arbitrum. Hours later, a second address received 10 million UXLINK tokens, worth about $3 million, and began offloading them on decentralized exchanges.
A dramatic escalation: 2 billion tokens minted and $28M dumped
By Sept. 23, Lookonchain reported that the attacker minted 2 billion UXLINK tokens and sold large amounts across both decentralized exchanges and centralized platforms, netting roughly 6,732 ETH — about $28 million. In response, UXLINK confirmed the exploit and moved to limit the damage. The team said it was working with exchanges to freeze stolen assets and has enlisted the security firm PeckShield, urging platforms to suspend UXLINK trading pairs temporarily. They pledged a token swap to protect the token economy and promised details soon: We will promptly initiate a token swap plan to ensure the integrity of our token economy. Further details and instructions for the token swap will be announced shortly.
The irony and the crackdown: responses, PeckShield, and the token swap
SlowMist’s Yu Xian noted the theft bore the hallmarks of Inferno Drainer and mocked the irony that the hacker fell for basic authorization traps—the same traps the attacker had used against UXLINK. The episode shows how phishing remains a central vulnerability in crypto security and how a coordinated response — freezing assets, engaging security firms, and suspending trading pairs — is essential to limiting damage.
Lessons for crypto: phishing is a perpetual threat and resilience matters
Phishing and social engineering remain potent threats across blockchains. Even large exploits can be followed by further theft as attackers cash out through exchanges. The UXLINK incident shows why fast, coordinated responses, like asset freezes and token swaps, are crucial to protecting a token’s economy. It also reminds users to exercise extreme caution with authorization prompts and to verify any contract permissions before granting them.
