Crypto Hackers Are Losing Money Too: UXLink Trader, ZKLend Phishing Victim
A crypto hacker who stole $11.3 million from Web3 social platform UXLink in September 2025 spent the next six months day-trading the proceeds on a decentralized exchange, executing 625 transactions, absorbing a $4.8 million unrealized loss, and ultimately netting roughly $935,000. In a separate case, the attacker who drained $9.6 million from ZKLend lost $5.4 million of it to a fake Tornado Cash phishing site. The bear market, it turns out, does not discriminate between victims and perpetrators.
The UXLink Hacker Stole $11.3M, Then Became Crypto’s Worst Day Trader
UXLink, a Web3 social platform, was exploited in September 2025 through a delegateCall function vulnerability in its multi-signature wallet. The attacker drained approximately $11.3 million: around $4 million in USDT, $500,000 in USDC, 3.7 WBTC, 25 ETH, and roughly $3 million in UXLINK native tokens.
What happened next was unusual. Instead of routing funds through Tornado Cash or other mixing protocols, the hacker converted 1,620 ETH into approximately 6.73 million DAI within 48 hours, then began actively trading on CoW Swap, a decentralized exchange. Every transaction was fully visible on-chain.
Over the following six months, the attacker executed 625 transactions on CoW Swap, frequently swapping between WETH and DAI. The pattern resembled retail day-trading more than any recognizable laundering strategy.
The Trades Went Badly
The hacker’s most consequential position was a purchase of 203 WBTC at an average price of $83,225. By February 2026, that position alone was underwater by approximately $2.68 million.
UXLink Hacker, Sep 2025 → Feb 2026: $4.8M peak unrealized loss on stolen funds. After pocketing ~$11.3M, the attacker executed 625 trades over six months, mostly WETH/DAI swaps on CoW Swap. Buying 203 WBTC at an average of $83,225 proved costly as prices slid. By March 2026 the hacker had clawed back to roughly break-even, netting only ~$935K on an $11M haul.
At its worst point, the hacker’s total portfolio showed an unrealized loss of $4.8 million. Six months of active trading on an $11.3 million haul had produced a net loss.
By March 2026, the attacker sold 5,496 ETH at approximately $2,150 per unit, totaling around $11.8 million. The net gain after six months of trading: roughly $935,000, less than 10% of the original stolen amount.
Meanwhile, the UXLINK native token, which made up approximately $3 million of the initial theft, collapsed independently. The token fell 99% from $3.75 in December 2024 to $0.0044, a market cap loss exceeding $70 million. That portion of the haul was wiped out regardless of anything the hacker did.
The ZKLend Hacker Stole $9.6M, Then Got Phished for $5.4M
If the UXLink case is a story about bad trading, the ZKLend case is something darker: a hacker falling victim to the same class of attack they perpetrated.
In February 2025, an attacker exploited ZKLend, a lending protocol on StarkNet, for $9.6 million. The vulnerability was a flash loan rounding error in the protocol’s lending accumulator.
When the hacker attempted to launder the proceeds, they sent 2,930 ETH, worth approximately $5.4 million, to what they believed was Tornado Cash. It was not. The domain tornadoeth[.]cash was a phishing site designed to mimic the real mixer.
ZKLend Hacker, February 2025: $5.4M lost to a fake Tornado Cash phishing site. The attacker who stole $9.6M from ZKLend sent 2,930 ETH to tornadoeth[.]cash, a spoofed domain, and lost it all. Their on-chain message: “Everything gone with one wrong website.”
The hacker subsequently posted an on-chain message that became one of the most widely circulated quotes in DeFi security circles:
“I am devastated. I am terribly sorry for all the havoc and losses caused. Everything gone with one wrong website.”
ZKLend responded by offering a $960,000 bounty, 10% of the stolen amount, plus immunity from prosecution if the hacker returned the remaining funds by a specified deadline. This type of white-hat bounty negotiation has become standard practice in DeFi exploit recovery.
One important caveat: the phishing loss has not been independently verified by blockchain forensics firms. Some community analysts have raised the possibility that the on-chain message could be a cover story to conceal the movement of funds elsewhere. That skepticism is worth noting, as it has not been resolved. If the phishing loss was genuine, the attacker who stole $9.6 million was left with under $4.2 million and ongoing legal exposure.
Why the Bear Market Hits Stolen Crypto Just as Hard
Both cases unfolded against the backdrop of one of the most punishing stretches in recent crypto markets. The broader risk-off sentiment driving investors toward safe haven assets has not spared digital currencies. The Crypto Fear & Greed Index sits at 14, deep in “Extreme Fear” territory, as of March 2026.
The UXLink hacker bought WBTC at an average of $83,225. ETH traded near $2,150 by March 2026, well below levels when the exploit occurred in September 2025. The same price environment that punished retail holders punished the hacker identically.
According to Chainalysis data, total crypto hack losses in 2025 reached $3.4 billion. The scale of theft across the industry is enormous, but the assumption that stolen funds retain their value does not hold in a falling market.
The structural problem is straightforward. Stolen crypto assets are denominated in volatile tokens, not stable fiat. Large thefts require more time to move, convert, and liquidate without triggering alerts. That delay increases exposure to exactly the kind of drawdown the UXLink hacker experienced. A thief who steals $11 million in ETH during a bull market may hold $7 million worth by the time they can safely move it.
The same price volatility that makes crypto attractive to hackers, the reason a single exploit can yield millions, is precisely what erodes the value of stolen funds during extended downturns. This dynamic is not unique to these two cases; it is a structural feature of stealing volatile assets.
On-Chain Transparency Is Closing the Window for Hackers
The UXLink case illustrates a shift in how stolen funds can be tracked. The hacker’s 625 CoW Swap transactions created a six-month behavioral record, fully public and verifiable by anyone with access to a block explorer. Every trade, every swap between WETH and DAI, every WBTC purchase is permanently recorded.
The choice to use CoW Swap instead of Tornado Cash or other mixing services is itself revealing. Whether driven by overconfidence or poor operational security, the decision created a traceable trail that blockchain analysts can reconstruct in detail. For context, on-chain transparency has also been central to recent token manipulation investigations, where public ledger data has been used to verify or disprove claims of insider activity.
The Laundering Infrastructure Is Adversarial
The ZKLend case adds a second dimension. The tools hackers rely on to obscure stolen funds, mixers and privacy protocols, are themselves targets for phishing and spoofing. The fake Tornado Cash domain that captured $5.4 million in ETH demonstrates that the laundering environment is adversarial. Hackers face the same phishing risks as any other crypto user, arguably more, because they cannot report losses or seek help.
The white-hat bounty model, exemplified by ZKLend’s 10% offer plus immunity, has become the de facto response mechanism for DeFi exploits. No law enforcement path reliably exists for decentralized protocol thefts. The bounty negotiation is often the only realistic recovery option available to affected protocols.
There is an important limitation to acknowledge. On-chain data reveals behavior, not identity. The UXLink hacker’s 625 transactions tell analysts what they traded, when, and how much they lost. They do not reveal who the hacker is. Neither case has resulted in an arrest. Real-world identification still requires off-chain investigation, exchange KYC records, IP logs, and operational mistakes that link a wallet to a person.
But the window is narrowing. Each traceable transaction is a data point. Each on-chain swap is evidence. And as institutional products like spot ETFs bring more regulated infrastructure into crypto markets, the gap between anonymous on-chain activity and real-world identity continues to shrink.
FAQ: Crypto Hackers Losing Money
How did the UXLink hacker lose money if they stole $11.3 million?
The hacker lost money through two channels. First, active day-trading on CoW Swap produced a peak unrealized loss of $4.8 million, driven primarily by a poorly timed WBTC position bought at an average of $83,225. Second, the approximately $3 million in UXLINK native tokens collapsed 99% in value independently. After 625 trades over six months, the hacker netted roughly $935,000, less than 10% of the original theft.
Did the ZKLend hacker really get phished, or is it a cover story?
This has not been independently verified by blockchain forensics firms. The hacker posted an on-chain apology claiming to have lost 2,930 ETH to a fake Tornado Cash domain. Community skepticism exists, as some analysts believe the message could be a diversion to mask where funds actually went. ZKLend still extended its 10% bounty offer regardless.
Can hackers be identified from on-chain transactions alone?
On-chain data reveals trading patterns, wallet behavior, and fund flows, but not real-world identity. The UXLink hacker’s 625 transactions are fully public, yet no arrest has been made. Identification requires off-chain evidence: exchange KYC records, IP address logs, or operational security mistakes that link a wallet address to a person.
How much did crypto hackers steal in total in 2025?
Approximately $3.4 billion, according to Chainalysis data. The UXLink and ZKLend exploits represent a small fraction of total losses, but they illustrate a pattern where stolen funds do not necessarily retain their value in volatile market conditions.








