UXLINK Hacker Stole $36 Million in ETH 6 Months Ago But Struggles With Constant Losses on Trading

The UXLINK ETH exploiter is back in the news, and not for successfully cashing out. Arkham Intelligence flagged the wallet this week after the hacker sold $11.8 million worth of ETH through CoWSwap for DAI. The trade itself isn’t the story. The story is what the on-chain record shows when you zoom out: a wallet tagged as Suspicious, Hacker, and DAI Whale across 57 addresses that has been actively trading stolen funds for six months and is currently sitting at break-even.

What the Arkham Data Actually Shows

The Arkham portfolio snapshot tells a specific story. The UXLINK exploiter currently holds $36,646,506 across a handful of assets. The two largest positions are 22.358 million DAI worth $22.36 million and 202.773 WBTC worth $14.27 million.

There is a small ETH position of 6.642 ETH at around $14,200, a few hundred thousand XOXO tokens worth roughly $70, and negligible amounts of USDT, BNB, and KILO rounding out the portfolio.

The DAI position is the direct result of the latest CoWSwap trade, converting $11.8 million in ETH into a stablecoin. It is the kind of move you make when you are tired of watching a volatile position swing against you and want to lock in where you are. The problem is where the hacker currently is: back at the starting line, six months later, after a string of trades that went nowhere.

Six Months of Active Trading and Net Zero Results

The timeline here is worth sitting with. The UXLINK exploiter took roughly $36 million in stolen funds and, rather than doing what most sophisticated crypto criminals do, which is run the money through a mixer and convert to fiat quickly, decided to trade it. Actively. For half a year.

According to Arkham’s tracking, the pattern is consistent. The hacker takes positions, those positions move against them, they hold through the loss, and then sell when the price recovers enough to get back to where they started. The $11.8 million ETH to DAI conversion is the latest iteration of that exact cycle. ETH was bought, ETH went down or sideways, ETH was sold at break even to DAI.

There is something almost impressive about the consistency of it. Most traders who take repeated losses eventually change their approach or stop trading. This one keeps going back, keeps taking losses, and keeps ending up where they started.

Why This Is Unusual for a Crypto Exploit

The typical post-exploit playbook for a hacker of this scale involves speed and obfuscation. Stolen funds get moved through Tornado Cash or a similar mixer quickly, converted to assets that are harder to trace, and cashed out through exchanges with lax KYC requirements or peer-to-peer markets. The goal is to put as much distance as possible between the stolen funds and any traceable wallet activity.

What the UXLINK exploiter has done instead is the opposite. They have kept the funds in traceable on-chain wallets, traded them openly through DEXs like CoWSwap where every transaction is publicly recorded, and built up six months of documented trading history that Arkham can now map in detail across 57 identified addresses. Every trade is on-chain. Every loss is on-chain. The break-even status is on-chain.

Conclusion

This level of on-chain activity from a known exploit wallet is unusual, and it raises an obvious question about whether the hacker understands how thoroughly their activity is being tracked. Arkham’s ability to label the wallet, map its holdings, and publish real-time updates on its trades suggests the answer is not particularly reassuring for the exploiter.

The UXLINK hack was a serious exploit. Thirty-six million dollars in stolen funds is not a minor incident. But six months on, with the money still sitting in traceable wallets and a trading record that amounts to an elaborate way of going nowhere, the hacker’s position is complicated in ways that have nothing to do with the original theft. The funds are still there. So is everyone watching them.