Stolen tens of millions of dollars, the celebrity social project UXLINK faces its "darkest" moment.

Hacker year after year, this year is no exception. Since the beginning of Crypto Assets, network attacks targeting it have emerged and evolved into more complex attack methods, more ingenious attack logic, and more deceptive technical means as technology continues to mature. However, sometimes it must be admitted that even the most stringent prevention and control cannot withstand the weaknesses of human nature. Recently, the Web 3 star social project UXLINK fell victim.

In the early morning, theft occurred, contract issuance increased, and the token plummeted. In less than half a day, UXLINK experienced its most devastating moment in history, even staging a classic scene of “Hacker eating Hacker.”

The security of crypto projects seems to ultimately be a messy affair.

Unlike other projects, users outside the circle may not be unfamiliar with UXLINK. UXLINK is a social project built on Telegram, which is different from the previous pan-social model. UXLINK focuses on “familiar socializing,” allowing one-click login through Telegram, WhatsApp, TikTok, and EOA wallets, providing deep social scenarios and token incentives to retain users for driving growth, emphasizing community-driven group functions and asset issuance.

From a technical and traffic acquisition perspective, UXLINK is undoubtedly standing on the shoulders of giants. Telegram, the host, not only provides support in terms of technology and components but also tilts towards traffic acquisition, seamlessly integrating everything from onboarding to graphic formation, group tools to social trading within Telegram.

This has led to UXLINK performing exceptionally well since its launch in April 2023. On the funding side, it has garnered the favor of crypto-native capital such as OKX Ventures, Matrixport Ventures, SevenX Ventures, HashKey Capital, and Animoca Brands, and its application direction has completed cold startup ahead of regular social DAPPs. By April 2024, UXLINK had 5.3 million registered users and built nearly 90,000 group chats. As of August 2025, data released on the official website shows that UXLINK's registered users have reached 54 million, with daily active wallets exceeding 24 million, making it a leading platform in Web3 social with its enormous user scale.

In terms of assets, UXLINK adopts a dual-token model, consisting of the native utility token based on UXUY and the UXLINK token, which is governance-focused. The former is mainly used for community and ecosystem development, where users can obtain UXUY through invitations or other community activities. The latter emphasizes governance functionality, with a total supply of 1 billion coins, of which 65% is allocated to the community, 40% to users, and 25% to developers and partners. In April last year, UXLINK launched its first airdrop event, where users could claim airdrops with airdrop voucher NFTs, resulting in over 1.4 million NFTs being minted, with 15% of users receiving airdrops. However, it is worth noting that the performance of the tokens can only be described as mediocre. After UXLINK was listed on the exchange on July 18 last year, it soared from $0.0998 to a peak of $3.85 but subsequently continued to decline, stabilizing around $0.32-0.35 before this incident occurred.

Despite the poor performance of the token, UXLINK's operations remain online among a plethora of social projects. Not only has it strategically launched a social growth chain and entered PayFi, but it has also initiated staking and airdrop activities to capture user attention. Its performance in ecosystem building has also been quite impressive, with over 500 industry projects reaching cooperation with it, and the market is continuously expanding from Japan and South Korea to North America. In short, among social projects, UXLINK's presence remains online, and it can be regarded as one of the frontrunners.

Building a project is difficult, but to destroy a project, it only takes one theft.

On September 23 at 00:43, the security company Cyvers issued a warning stating that its system detected suspicious transactions involving UXLINK, amounting to 11.3 million USD. The reason stems from within the project; due to a private key leak, an attacker executed a deleGateCall operation on the UXLINK multi-signature wallet at 22:53 on September 22, removing the original multi-signature administrator and setting themselves as the sole controller of the project. Subsequently, this address called addOwnerWithThreshold, transferring 4 million USDT, 500,000 USDC, 3.7 WBTC, 25 ETH, and approximately 3 million UXLINK, which were partially bridged to the mainnet.

Just 5 minutes after the news broke, the market reacted strongly. The spot price of UXLINK swiftly dropped from around $0.3 to below $0.18, showing a continuous downward trend. One hour later, UXLINK officially acknowledged the attack. Nine hours later, UXLINK tweeted that it is working around the clock with internal and external security experts to identify the root cause and control the situation. They have contacted major CEX and DEX to urgently freeze suspicious UXLINK deposits, and subsequently stated that most of the stolen assets have been frozen, emphasizing that there are no signs of personal user wallets being attacked.

According to the normal process, acknowledging theft, emergency public relations, and starting post-disaster reconstruction have basically marked the end of the event, but the hacker clearly thinks otherwise. At 9:54 AM on the 23rd, the most destructive step began. The attack address, armed with management power, used the contract minting function without permission to issue an additional 1 billion UXLINK tokens. The key to maintaining the stability of the currency system lies in the stability of the coin value, and the primary condition for stable coin value is controlling the currency circulation. A large amount of issuance undoubtedly brings the entire ecosystem to the brink of collapse. UXLINK plunged continuously, with the lowest price approaching zero, and the market value of the chain hit a low of $80, while before the incident, UXLINK's market value was $150 million. According to current CEX data, the market value has only recovered to $65 million.

What is even more despicable is that after the issuance increase, the hacker continued to sell on major exchanges, exchanging the increased UXLINK through different wallets, accumulating 6,732 ETH and making a profit of 28.1 million USD. It is worth mentioning that during this period, some users followed empirical methods to bottom-fish after the announcement of UXLINK, but due to the hacker's issuance path, their losses further expanded, and even one address spent 900,000 USD, ultimately approaching zero.

At this point, it seems there is a sense of conclusion, but a dramatic scene unfolds again. The hacker who stole the UXLINK assets encountered a “black eats black” situation, as they authorized the address to a phishing team and fell victim to an Inferno Drainer phishing attack. Upon verification, approximately 542 million $UXLINK tokens that were illegally obtained have been stolen using the “authorized phishing” method. After working hard to steal, they didn't forget to make a wedding dress for others, which is quite unexpected.

According to the latest progress, UXLINK has launched a token contract migration plan. The new UXLINK smart contract has successfully passed a security audit and will be deployed on the Ethereum mainnet. The minting and burning functions have been removed, and its cross-chain functionality will be maintained through cross-chain partner services. The new UXLINK smart contract is ready, with the contract address being 0x3991B07b2951a4300Da8c76e7d2c7eddE861Fef3. CEX and on-chain users holding legally circulated UXLINK tokens will receive a 1:1 exchange, while tokens deemed to be illegally issued will not qualify for exchange. For some tokens that are still trading, the team will provide a separate compensation plan for affected users.

From this incident, the project's response speed was quite rapid, not only stabilizing user emotions quickly but also providing a solution at the first opportunity. The performance in emergency management is still commendable. However, that being said, the essence of this attack lies in the lack of multi-signature management. Although a Safe multi-signature mechanism was adopted and multiple multi-signature accounts were configured, the actual management was extremely lacking, rendering the multi-signatures virtually meaningless, which led to the crisis.

It is worth noting that the method of issuing additional tokens has been very frequent recently. In the same way as UXLINK, the Web3 project incubation and launch platform Seedify.fund was also hacked and issued an additional 3 trillion tokens, causing significant damage to the SFUND token, which saw its price drop from $0.42 to $0.08, and is now stabilizing at $0.27.

Just today, the European Web3 project Griffin AI was attacked by a hacker just 12 hours after the completion of the Binance Alpha airdrop, maliciously issuing 5 billion tokens GAIN, causing its token to plummet nearly 95% from $0.163 to close to zero. According to official disclosures, the attack address initiated the attack by introducing an unauthorized LayerZero Peer, deploying a forged Ethereum contract to bypass the official contract, and then realizing on-chain issuance of forged tokens on the BNB Chain via LayerZero's cross-chain functionality. The hacker GAIN profited by dumping the abnormal issuance address, acquiring 2,955 BNB (, which is approximately $3 million ), and exchanged it for 720.81 ETH through the cross-chain bridge deBridge, then transferred it all into Tornado Cash for mixing. As of now, Griffin AI has removed the official liquidity pool of GAIN on the BNB Chain and officially requested all CEXs to suspend trading, deposits, and withdrawal functions for GAIN (BSC) tokens. However, it should be noted that the project team has not proposed a solution for the compensation of the stolen assets.

The only consolation is that, unlike UXLINK and SFUND, some bottom buyers of GAIN have successfully harvested good returns, with one address buying in at an average price of 0.00625 dollars for 20,200 dollars worth of GAIN, realizing a floating profit of 107,000 dollars in one hour.

Overall, compared to previous one-time attack behaviors, the current attack methods have begun to focus on contract permissions and token issuance control. Although both are means of attack, the latter is obviously much worse. For projects, malicious token issuance destroys the entire ecosystem centered around the token, which will greatly reduce user trust in the project and trigger a series of chain reactions. A typical example is that as incidents of issuance increase, there are already voices in the market suggesting that project parties are self-directing and self-acting through multi-signature.

From a security perspective, the management of multi-signature (multi-sig) is also worth paying attention to. Nowadays, project parties generally adopt multi-sig in their smart contracts, but management should also keep up. The primary requirement is to enforce the use of hardware wallets to achieve physical isolation. Secondly, the signing parties should be as decentralized as possible, avoiding centralized risks from the perspectives of time and space, hardware, and backups. In addition to avoiding technical hard risks, the soft environment is also crucial. Multi-sig holders should ensure identity concealment and establish cross-verification processes for effective secondary checks, building an artificial defense line. Moreover, drills are essential; maintaining a sense of crisis and conducting regular drills while preparing crisis plans is vital, as in the industry, a fake drill can turn into a real battle in an instant.

The founder of Slow Fog, Yu Xian, also suggested to the project party that the multi-signature owners should match hardware wallets that only support complex signatures and have large screens, encompassing the entire process from mnemonic generation to usage, and also compatible with Passphrase or SSS backup to enhance security. In daily usage, one should remain vigilant, be highly cautious about signature requirements, and reduce potential risks.