UXLINK Exploiter Sends 3,700 ETH Through Tornado Cash


Wallets tied to the UXLINK exploit have transferred 3,700 ETH into Tornado Cash, moving another large portion of the stolen funds beyond the attacker’s publicly visible wallet cluster.

The latest onchain movement marks a shift from asset management into direct obfuscation. The deposits do not erase the transaction history, but they break the simple link between the exploit wallets and the addresses that eventually receive the funds, narrowing the options available to exchanges, investigators and the project.

The ETH was moved months after the attacker had already converted large holdings into dollar-linked assets. In March, an exploiter wallet swapped 5,496 ETH into approximately 11 million DAI, following an earlier conversion of 248 WBTC into roughly 23 million DAI.

Those trades reduced exposure to volatile assets while keeping the value liquid enough for later routing. The new Tornado Cash deposits suggest that at least part of that inventory is now progressing through the laundering chain.

September Breach Reached Beyond The Initial Wallet Drain

UXLINK disclosed a multisignature wallet breach on September 22, 2025, after an attacker gained administrative control and moved assets through centralized and decentralized exchanges.

The incident expanded when the compromised permissions were used to mint unauthorized UXLINK tokens. The attacker sold newly created supply into available liquidity, sending the token sharply lower and forcing the project to halt trading, replace its token contract and organize a migration for affected holders.

Directly removed treasury assets were initially valued below the later headline estimate. Broader damage approached $42 million once unauthorized minting, token sales and secondary-market losses were included.

UXLINK later attributed the initial access failure to compromised personal devices rather than a breach of its core systems. The project rebuilt its token infrastructure with a new contract designed to remove the control paths used during the attack.

DPRK Link Raises The Recovery Stakes

The UXLINK incident has been assessed as potentially connected to North Korean threat actors, although no public law-enforcement attribution has conclusively assigned the attack to a specific DPRK unit.

The laundering pattern remains consistent with methods seen across other suspected or confirmed North Korea-linked thefts: stolen assets are consolidated into ETH, converted across liquid markets, divided between fresh wallets and eventually passed through mixers or cross-chain infrastructure.

A similar recovery problem emerged after the KelpDAO attacker laundered approximately $220 million through Tornado Cash, THORChain, Wasabi and Umbra. Once funds move across several privacy layers, direct freezes become harder and recovery depends more heavily on mistakes made at later exchange or over-the-counter exit points.

The 3,700 ETH deposit leaves investigators with fewer visible funds to intercept inside the original UXLINK wallet network. Attention now shifts to any remaining exploiter balances and whether the Tornado Cash withdrawals eventually reconnect with exchanges, bridges or brokers capable of freezing the assets.