Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.
What's happening now
The wallet attributed to the UXLINK exploiter has resumed moving its haul. On June 17, 2026, the address swapped roughly 14.6 million DAI for about 8,298.6 ETH, then deposited 8,340 ETH into Tornado Cash, according to on-chain alerts from PeckShield and corroborating reporting from The Crypto Times and FX Daily Report.
The Tornado Cash deposits were broken into uneven tranches — amounts like 100 ETH, 10 ETH and 2.6458848 ETH — a routine obfuscation pattern meant to frustrate clustering. The same wallet also bridged about 2.64 ETH (~$4,600) from Ethereum to a Bitcoin address. Even after this round, blockchain trackers say the wallet still holds roughly 10.54 million DAI that has not moved — a large, fully traceable balance sitting in the open.
Background, in brief
UXLINK, a Web3 social protocol, disclosed a security breach on September 22, 2025, tied to a compromise of its administrative multisig. Headline loss estimates have clustered around $44 million, though component figures vary across outlets and were never fully reconciled. Early attribution and forensic tracking came from SlowMist and PeckShield. This article does not detail how the breach was carried out; our focus is the public, on-chain movement of the already-stolen funds.
The Tornado Cash factor
Why route through Tornado Cash now? Because the legal calculus changed. OFAC delisted Tornado Cash from the SDN list on March 21, 2025, following the Fifth Circuit's Van Loon v. Treasury ruling that its immutable smart contracts are not sanctionable "property." In April 2025, a federal judge in the Western District of Texas issued a permanent injunction barring OFAC from re-sanctioning the protocol (CoinDesk).
That means simply using the mixer is no longer an OFAC violation per se — which is precisely why exploiters can now route funds through it with less friction. The caveats matter, though: laundering criminal proceeds remains illegal regardless, co-founder Roman Semenov is still individually SDN-listed, and developer Roman Storm's criminal case continued into 2026 (CoinDesk). Delisting the tool did not decriminalize what it's being used for.
A months-long laundering pattern
This is not a one-off. Trackers have watched the same wallet alternate between ETH and stablecoins for months. Back around March 20, 2026, it ran the opposite leg — swapping 5,496 ETH for roughly 11 million DAI, with Lookonchain estimating about $935,000 in trading profit on that move alone (The Crypto Times). The pattern — park value in DAI when ETH looks rich, rotate back to ETH before mixing — suggests an actor managing the haul actively rather than dumping it.
What UXLINK has done
In the aftermath, UXLINK coordinated with centralized exchanges and law enforcement across Singapore, South Korea and Japan to flag and freeze suspicious transfers, recovering a portion of the assets. The project ran a two-phase user-compensation plan and executed a first token buyback in October 2025 using recovered funds. There is no reported freeze or seizure of the specific ETH now headed into Tornado Cash, and no public negotiation with the attacker.
The takeaway
Two lessons stand out. For projects: an admin multisig is critical infrastructure — signer hygiene, hardware isolation and spending limits are not optional once a treasury or mint authority is attached. For the ecosystem: tracing still works. The funds are labeled, followed and reported in near-real-time; ~$10.5M of the haul remains frozen-in-place by visibility alone. What the mixer delisting changed is the exit — the off-ramp is now legally cleaner, which shifts more of the deterrence burden onto exchanges and on-chain analytics rather than sanctions designations.
See this incident alongside other 2026 exploits in our Crypto Hack Tracker.
Informational only — not financial or security advice. Figures are based on third-party on-chain analytics and may be revised.
Top comments (0)