Since draining Japanese crypto platform UXLINK six months in the past (and shedding a bit of the proceeds), the hacker behind the assault has been making an attempt to hit it massive on-chain.
It’s not going nice.
Blockchain analytics platform Arkham has been monitoring the hacker’s buying and selling historical past, highlighting latest ETH gross sales which introduced them again to breakeven.
However given the market over the previous six months, one might argue that breakeven is nothing to be sniffed at.
THIS HACKER IS TRADING ETH WITH STOLEN FUNDS… BADLY
The UXLink Exploiter simply bought $11.8M of ETH by CoWSwap for DAI. The UXLink Exploiter has been buying and selling crypto since initially stealing the funds 6 months in the past, and has not made any cash.
He has taken a number of losses on… pic.twitter.com/iDR6ddvok3
— Arkham (@arkham) March 20, 2026
The September assault unfolded in two levels. First, UXLINK’s multi-signature pockets was compromised and drained for $11 million price of varied crypto tokens.
Hours later, the undertaking’s token contract, which had additionally been compromised, minted a billion tokens, with a theoretical greenback worth within the 9 figures.
The drama didn’t cease there, nonetheless. Whereas dumping the UXLINK tokens, and cratering its worth as liquidity depleted, the hacker fell for a phishing hyperlink, shedding half the freshly-minted tokens.
Buying and selling with home cash
Since then, the hacker’s buying and selling historical past exhibits swaps made primarily between the stablecoin DAI and WETH or WBTC.
Arkham’s revenue and loss (PnL) calculations put the hacker’s cumulative PnL at $83,000 within the inexperienced.
Whereas the features are small, simply 0.2% of the $36.6 million held within the wallets, it’s at the moment performing higher than at any time because the hack.
PnL has been down-only, except for transient durations of clawing again near breakeven. However latest weeks have seen a sudden restoration from an all-time low of -$4.8 million in late February.
Straightforward come, straightforward go
Hackers buying and selling stolen funds have had blended outcomes in recent times.
Members of North Korea’s Lazarus Group traded the proceeds of 2024’s $50 million Radiant Capital assault, ending up $40 million in revenue by final summer time.
In October final yr, a hacker who beforehand stole 400 bitcoins from a Coinbase consumer “panic sold” ether which that they had purchased with the ill-gotten features.
Throughout two crypto market crashes, every week aside, they realized a complete of $10 million in losses.
DPRK’s buying and selling profession is…uh….going…..🙈
tbh if i used to be the dude managing Hyperliquid’s 4 validators (or these fucking ghetto ass binaries on gh) I might be shitting my pants proper now.
Hyperliquid dudes dont appear anxious in any respect although so im certain its wonderful. 🫠 pic.twitter.com/JrrU7t1sJe
— Tay 💖 (@tayvano_) December 22, 2024
A barely extra unsettling incident noticed Lazarus-linked addresses liquidated for $500,000 on Hyperliquid in late 2024.
Whereas some have been pleased to see the dangerous guys get worn out, others have been involved the exercise was testing for a possible future exploit.
Additionally on Hyperliquid, a pockets linked to the $30 million zKasino “rug pull” in April 2024 suffered a $27 million liquidation a yr later.
