According to on-chain analyst Lookonchain, an attacker minted 120 million YU tokens on Polygon, bridged liquidity and sold 7.71 million YU on Ethereum and Solana for ~7.7 million USDC, then swapped the USDC for ~1,501 ETH and dispersed funds across multiple wallets. The wallet cluster still holds ~22.29 million YU on Ethereum and Solana and ~90 million YU on Polygon, suggesting further sell pressure remains possible.
Key Points
- Exploit scale: 120M YU minted on Polygon; 7.71M YU realized into ~$7.7M USDC on Ethereum + Solana via cross-chain routing.
- Cash-out path: USDC proceeds converted to ~1,501 ETH, then fanned out to multiple addresses, complicating recovery.
- Residual risk: Attacker wallets reportedly retain ~22.29M YU on ETH/SOL and ~90M YU on Polygon, which could pressure secondary-market liquidity if sold.
- Source note: Figures are from Lookonchain’s live on-chain tracing; a project-side incident report had not been posted at press time.
What Happened (Timeline)
- Attacker mints 120M YU on Polygon (presumed contract-level privilege abuse or compromised role).
- Funds are bridged/cross-chained, with 7.71M YU sold on Ethereum and Solana, yielding ~$7.7M USDC.
- Proceeds are swapped into ~1,501 ETH and split across new wallets; remaining 112.29M YU sits across ETH/SOL/Polygon.
Market Impact & Risk
- Price/liquidity: Large unauthorized supply plus residual attacker balances can deepen slippage and dampen recovery rallies for YU.
- Exchange exposure: CEX/DEX pools connected to YU pairs may face volatile spreads; LPs risk impermanent loss.
- Forensic angle: ETH dispersals increase tracing complexity; however, clustering and off-ramp monitoring can still flag consolidation points.
Community & Security Notes
- Immediate actions for holders:
  - Verify the official YU contract addresses on each chain; beware spoofed pairs.
  - Avoid interacting with airdropped/unsolicited YU; revoke approvals if previously granted to unknown routers.
  - Track project communications for contract pauses, migrations, or redemptions.
- For projects:
  - Enforce multi-sig and timelocks on mint/bridge roles; log role transfers; and publish post-mortems with affected addresses.
  - Consider circuit breakers and mint-caps to limit blast radius of compromised privileges.
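
The mint cap and circuit breaker recommended above, modelled in Python as an added example (not code from the YU project or Lookonchain). The class and function names are hypothetical, and the cap, window and mint requests are constructed values chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MintGuard:
    """Model of a rolling-window mint cap that trips a circuit breaker."""
    cap_per_window: int   # max tokens mintable per window (assumed policy value)
    window_seconds: int   # rolling window length in seconds (assumed)
    paused: bool = False
    _history: list = field(default_factory=list)  # (timestamp, amount) of accepted mints

    def minted_in_window(self, now: int) -> int:
        # Drop mints older than the window, then total what remains.
        cutoff = now - self.window_seconds
        self._history = [(t, a) for t, a in self._history if t > cutoff]
        return sum(a for _, a in self._history)

    def request_mint(self, now: int, amount: int) -> str:
        if self.paused:
            return "rejected: paused"
        if amount <= 0:
            return "rejected: invalid amount"
        if self.minted_in_window(now) + amount > self.cap_per_window:
            # A holder of the mint role cannot exceed the cap; the breaker
            # stays tripped until a separate multi-sig action resets it.
            self.paused = True
            return "rejected: cap exceeded, breaker tripped"
        self._history.append((now, amount))
        return "ok"

    def reset(self, multisig_approved: bool) -> bool:
        # Only an approved multi-sig action clears the pause.
        if multisig_approved:
            self.paused = False
        return not self.paused

def replay(guard: MintGuard, requests):
    """Feed (timestamp, amount) mint requests through the guard in order."""
    return [guard.request_mint(t, amt) for t, amt in requests]

# Constructed sample: two routine mints, then a 120M mint from a compromised role.
SAMPLE = [(0, 400_000), (600, 500_000), (1_200, 120_000_000),
          (1_300, 10_000), (90_000, 10_000)]

if __name__ == "__main__":
    g = MintGuard(cap_per_window=1_000_000, window_seconds=86_400)
    for req, result in zip(SAMPLE, replay(g, SAMPLE)):
        print(req, "->", result)
```

With the cap in place, the compromised role's damage is bounded by the window allowance rather than by whatever amount the caller passes to mint.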
Quote of Record
“A hacker minted 120M $YU on Polygon and then sold 7.71M $YU for 7.7M $USDC on Ethereum and Solana via cross-chain… still holds 22.29M $YU on ETH & SOL and 90M $YU on Polygon.”