UXLINK Hack

On September 22, 2025, UXLINK, a social Web3 platform, lost about $44 million in what PeckShield ranked as the largest crypto exploit of the month. Attackers first manipulated the project’s multi-signature wallet, stripping away admin controls and draining roughly $11.3 million in stablecoins and other assets. They then abused the seized privileges to mint billions of new UXLINK tokens on Arbitrum, nearly doubling the circulating supply and crashing the token more than 70%. Stolen funds were swapped and bridged across chains, and despite freeze attempts by exchanges including Upbit, most assets stayed in the attacker’s wallets. In a rare twist later flagged by ZachXBT, the UXLINK attacker was themselves phished and lost a portion of the looted funds. The team paused affected contracts, coordinated with security firms and exchanges, and worked on a token migration to neutralise the inflated supply. The incident, set against 2025’s record theft total, underscores the danger of concentrated multisig admin keys and unbounded mint functions, advocating timelocked governance, mint caps, and hardware-isolated signer keys.