UXLINK attackers will wash stolen DAI into Ethereum.


UXLINK recently suffered an attack in which the attackers took control of a large amount of DAI. For a while that money was just a string of silent numbers; on July 4, 2024, it entered public view on the Ethereum mainnet through a clear path. On that day, the address linked to the UXLINK attack suddenly acted on-chain, spending 10.54 million DAI to buy 6,001 ETH at an average price of about 1,757 USD/ETH, completing the first conversion from "stolen chips" to "on-chain native assets." Immediately afterwards, the 6,001 ETH did not linger in public addresses but were quickly split and pushed in batches to Tornado Cash, a mixing protocol deployed on Ethereum that pools and reshuffles many users' funds in an attempt to erase every traceable financial trail. This sequence was promptly captured by Onchain Lens and disclosed by several media outlets, including BlockBeats, turning DAI that had been hidden behind the project-attack narrative into a direct confrontation between "on-chain tracking tools" and "mixing concealment technology." Across a broader sample of attacks, converting stolen stable assets into ETH or other native assets before sending them into mixing protocols is a common industry pattern. This case follows the same path, and every participant knows that the real determinant of the outcome is not the conversion itself but whether the tracking party can lock in enough fund fingerprints at the Tornado Cash entrance before the attackers move.

10.54 Million DAI Converted to 6,001 ETH

Just before the funds were sent to the mixer's entrance, the attacker completed a crucial "skin-swapping" step, changing the form of the stolen assets. According to publicly available on-chain information, on July 4, 2024 the Ethereum address linked to the UXLINK attack spent 10.54 million of the stolen DAI in a single large on-chain exchange for 6,001 ETH, at an average price of about 1,757 USD/ETH. Onchain Lens observed that this was not a slow buildup across many orders but a concentrated operation completed in one go. Shortly afterwards, the 6,001 ETH were quickly split into batches and sent to the Tornado Cash contract, entering the mixing process.

From a motive perspective, the attackers' choice to switch from DAI to ETH in one go at this price level is hard to read as a simple bet on market conditions. A more reasonable explanation is that DAI holdings are highly legible: concentrated in a few addresses in fixed amounts, they are easy for outsiders to trace. Switching to ETH and sending it into a protocol built to obscure financial trails lets the attackers trade price-volatility risk for lower surface visibility. For the tracking party, the conversion of 10.54 million DAI forms a distinct anchor point in both timing and amount; for the attackers, converting stable-form stolen assets into ETH, which enters the mixing channel more easily, is a deliberate balance between concealment and exposure.

Tornado Cash Mixing Cuts Off Tracking Clues

After converting 10.54 million DAI to 6,001 ETH, the address linked to the UXLINK attack did not linger on-chain but quickly began splitting the 6,001 ETH across multiple transactions, transferring it to the Tornado Cash contract in batches. The batch sizes and split ratios have not been publicly disclosed, but the path is already clear: first concentrate on converting to ETH, which enters the mixing channel easily, then inject it in many smaller amounts, effectively "shattering" the originally concentrated attack profits and diluting the single-point mark left on-chain by the large exchange.

Tornado Cash itself was built for exactly this kind of "shattering and restructuring": many users deposit ETH into the same pool, the protocol severs the on-chain link between deposit and withdrawal, and users later withdraw equivalent assets to new addresses. In the surface transaction records there is no longer a direct, simple mapping between deposit and withdrawal addresses. For observers trying to track funds, once the attackers complete their deposits, determining which withdrawal corresponds to which attack funds becomes highly uncertain and remains at the level of probabilistic inference. Although Tornado Cash has been placed on the U.S. Treasury Department's sanctions list, public on-chain activity shows that the contract still sees funds enter and exit and is used by various attackers as a routine tool to disguise the source of stolen assets, which is one of the core motives for the attackers' bet on Tornado Cash in this case.

Can UXLINK Funds Entering Tornado Cash Be Traced?

From the victim's perspective, once the attackers send assets into Tornado Cash, the difficulty of recovery rises almost exponentially. In this case, the relevant address first spent 10.54 million DAI on Ethereum to buy 6,001 ETH at an average price of about 1,757 USD/ETH, then split the 6,001 ETH into batches and sent them into the Tornado contract, where each deposit is absorbed into a larger pool of funds, completely breaking the point-to-point correspondence between the original stolen assets and any later withdrawal. Even if one keeps making probabilistic inferences from time windows and amount characteristics, it is hard to build a chain of evidence strong enough for trading platforms or judicial bodies to directly identify any particular outflow as an extension of the funds stolen from UXLINK.

In industry practices, in response to similar attacks, project parties typically act quickly to pause related contracts, issue risk warnings, and communicate with major trading platforms to monitor or blacklist identified attacker addresses as soon as large financial movements appear on-chain, in an attempt to "intercept" part of the flow before assets enter high-privacy tools. Some projects may also attempt to engage in negotiation with the attackers through public on-chain shout-outs, bounties, and other means. However, based on currently available public information, there has been no detailed explanation from the UXLINK team regarding specific on-chain actions taken after the entry of these 6,001 ETH into Tornado, nor has any law enforcement agency issued a notice regarding the related fund flows. This indicates that there remains significant uncertainty about the event's future trajectory, necessitating ongoing attention to subsequent disclosures and potential new on-chain clues.

On-chain Tracking and the Tug of War with Mixing Protocols

In the UXLINK incident, 10.54 million DAI was quickly converted to 6,001 ETH on Ethereum. According to AiCoin data and public on-chain information, this large exchange was promptly captured by on-chain monitoring tools and disclosed by several media outlets, including BlockBeats. For tracking teams this is a typical "exposure window": the funds have not yet entered a mixing protocol like Tornado Cash, the path is complete, the amount is significant and the addresses are concentrated, so they are easier to mark, categorize and fold into analytical graphs. At this point, teams can lock down the clusters of addresses tied to the attack and clarify their connections with the project's contracts and early payment wallets, leaving anchor points for whenever an outflow appears in the future.

However, once these 6,001 ETH are injected into Tornado Cash in batches, both sides enter a prolonged tug-of-war. On-chain analysis teams usually carry out systematic marking and graph modeling of all associated addresses before and after the funds enter the mixing protocol, in the hope that when the mixed funds later flow out of Tornado Cash and re-intersect with trading platforms or other on-chain assets, these "pre-fingerprints" will let them re-establish the fund connections. Meanwhile, regulators have pressured participants around mixing protocols like Tornado Cash through sanctions, yet on-chain use has not disappeared, and participants including hackers and attackers keep adjusting paths and tools, such as splitting amounts more finely, changing transfer rhythms and layering additional privacy tools, to weaken the effectiveness of these graphs. This dynamic balance, with one side reinforcing tracking technology and the other fine-tuning concealment paths, means that every large-scale attack is not only a security crisis for the project itself but also a continuous contest over the boundaries of on-chain transparency.
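Defender-side detection logic for the pattern described in the two sections above, added here as an illustrative example (it is not code from the article, from Onchain Lens or from any tracking vendor): it expands a flagged address cluster, locks the DAI-to-ETH swap as the tracking anchor, and records the mixer deposits as the "pre-fingerprint" before the trail is cut. All addresses and transfers are constructed placeholders; Tornado Cash ETH pools accept fixed denominations (0.1, 1, 10, 100 ETH), which is why the count per deposit size is the fingerprint worth keeping.

```python
from collections import Counter

# Constructed sample data, not real UXLINK transaction records. Addresses are placeholders.
DEX_CONTRACTS = {"0xDEX_ROUTER_PLACEHOLDER"}
MIXER_POOLS = {"0xMIXER_POOL_100ETH_PLACEHOLDER"}  # stands in for a 100 ETH mixing pool
TRANSFERS = [  # (timestamp, sender, receiver, token, amount)
    (1000, "0xATTACKER_A", "0xDEX_ROUTER_PLACEHOLDER", "DAI", 10_540_000),  # swap leg out
    (1000, "0xDEX_ROUTER_PLACEHOLDER", "0xATTACKER_A", "ETH", 6001),        # swap leg in
    (1200, "0xATTACKER_A", "0xATTACKER_B", "ETH", 3000),                    # hop to a fresh wallet
    (1300, "0xATTACKER_A", "0xMIXER_POOL_100ETH_PLACEHOLDER", "ETH", 100),
    (1320, "0xATTACKER_A", "0xMIXER_POOL_100ETH_PLACEHOLDER", "ETH", 100),
    (1400, "0xATTACKER_B", "0xMIXER_POOL_100ETH_PLACEHOLDER", "ETH", 100),
    (1500, "0xUNRELATED", "0xMIXER_POOL_100ETH_PLACEHOLDER", "ETH", 100),   # another user's deposit
]

def expand_cluster(transfers, seed):
    """Follow outgoing transfers from flagged wallets to fresh wallets.
    Contracts (DEX routers, mixer pools) are never added: paying a contract
    does not make it part of the attacker's wallet set."""
    cluster, contracts = set(seed), DEX_CONTRACTS | MIXER_POOLS
    grew = True
    while grew:
        grew = False
        for _, src, dst, _, _ in transfers:
            if src in cluster and dst not in cluster and dst not in contracts:
                cluster.add(dst)
                grew = True
    return cluster

def swap_anchor(transfers, cluster, min_dai=1_000_000):
    """The stablecoin-to-ETH conversion is the anchor: large DAI out to a DEX and ETH
    back into the same cluster. Returns (dai_spent, eth_received, avg_price) or None."""
    dai = sum(a for _, s, d, t, a in transfers if s in cluster and d in DEX_CONTRACTS and t == "DAI")
    eth = sum(a for _, s, d, t, a in transfers if s in DEX_CONTRACTS and d in cluster and t == "ETH")
    if dai < min_dai or eth == 0:
        return None
    return dai, eth, round(dai / eth)

def mixer_fingerprint(transfers, cluster):
    """Record every cluster deposit into a mixer pool while the path is still visible.
    The per-denomination count is what later withdrawals get matched against."""
    deposits = [(ts, s, d, a) for ts, s, d, _, a in transfers if s in cluster and d in MIXER_POOLS]
    return {"deposits": deposits,
            "total_eth": sum(a for *_, a in deposits),
            "by_denomination": dict(Counter(a for *_, a in deposits))}

if __name__ == "__main__":
    cluster = expand_cluster(TRANSFERS, {"0xATTACKER_A"})
    print(cluster, swap_anchor(TRANSFERS, cluster), mixer_fingerprint(TRANSFERS, cluster))
```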

Examining the Security Battlefield through this 10.54 Million DAI

From UXLINK being attacked, to the attacker controlling a large amount of DAI, to spending 10.54 million DAI on Ethereum on July 4 for 6,001 ETH at an average price of about 1,757 USD/ETH, and finally sending it in batches to Tornado Cash, this transaction-by-transaction path inscribed on-chain fully replicates the "standard script" of current on-chain attacks: first lock in highly liquid pegged assets, then convert them uniformly into mainstream native assets, and finally use mixing protocols to erase their origin. For project parties, the smoothness of this path exposes weaknesses on three levels: first, whether contract auditing, permission design and risk-control plans were rigorous enough before the attack; second, whether real-time monitoring and rapid response exist for the first abnormal movement of funds, and whether a stop-loss window can be secured before the large DAI balance fully escapes; third, how to organize intelligence sharing and communicate with trading platforms and regulators once funds have entered Tornado Cash, so that delayed disclosure does not hand the attackers a more ample "cooling-off period." At present there is no public information on where the 6,001 ETH went after exiting Tornado Cash, and whether the attackers will try to cash out further through cross-chain bridges, OTC or centralized platforms remains to be seen. If related addresses later show identifiable focal addresses, repeated patterns or intersections with known entities, that may become the breakthrough for tracking and accountability; meanwhile, for mixing tools like Tornado Cash, how to draw clearer boundaries and coordination mechanisms around obvious abuse tied to attacks and money laundering while preserving reasonable privacy for ordinary users remains an unavoidable institutional question on this security battlefield.
