Hacker Mints 120M $YU on Polygon, Launders $7.7M via Ethereum and Solana

On September 13, 2025, a hacker minted 120 million $YU tokens on Polygon. They used a fake contract to pull it off. After that, about 7.71 million $YU were moved through bridges to Ethereum and Solana and sold for 7.7 million USDC.

The USDC did not stay in one place for long. It was swapped into ETH and spread across many wallets. That makes it harder to trace. Some tokens were later returned, but the attack left the project with big problems and its users worried.

How the Attack Happened

The hack was not a smart contract bug. Instead, the hacker abused temporary deployment keys used during bridge setup. This allowed them to create an unauthorized cross-chain bridge between Polygon and Solana. Once connected, they were able to mint fake tokens and pass them off as real $YU.

A hacker minted 120M $YU on Polygon and then sold 7.71M $YU for 7.7M $USDC on Ethereum and Solana via cross-chain.

The hacker still holds 22.29M $YU on Solana and Ethereum, with another 90M $YU still on Polygon that has not been bridged.

The hacker has now exchanged 7.7M $USDC… pic.twitter.com/508QU96DpF
— Lookonchain (@lookonchain) September 14, 2025

According to Yala’s post-mortem report, the sequence was as follows:

August 4, 2025 – Hacker deployed a malicious OFTU token contract on Polygon.
August 12, 2025 – During a Solana LayerZero OFT deployment, the attacker used a temporary local key to link Solana with the fake Polygon contract.
September 13, 2025 – The attacker activated the backdoor, finalizing a connection to Yala’s production bridge.
September 13, 2025, 19:44 UTC – 120 million malicious tokens were minted on Polygon in four separate transactions.
Minutes later – 30 million were bridged to Solana, and 10 million of those went to Ethereum.

From there, the attacker began selling $YU on different platforms, routing funds across chains and into stablecoins.

Conversion of Stolen Tokens

The stolen $YU was quickly turned into liquid assets:

2 million $YU were swapped for 1.99 million USDC on Raydium.
500,000 $YU were swapped for 490,697 USDC, also on Raydium.
5.2 million $YU were converted through Yala’s PSM protocol.
7.64 million USDC were then swapped for 1,635 ETH on Uniswap.
Funds began moving through Tornado Cash to hide the trail.

The hacker still controls a large portion of $YU. About 90 million tokens remain on Polygon, while 22.29 million are spread across Ethereum and Solana.

Impact on $YU Price

The attack caused $YU to lose its peg. The token briefly dropped to $0.20 before recovering to $0.94. Though it stabilized, confidence in the asset was damaged.

In July, some community members had already questioned the project’s security. Critics argued the development team lacked proper safeguards. The exploit confirmed these warnings, showing that the team relied on weak deployment practices.

Funds Returned

Surprisingly, the hacker has returned part of the stolen tokens. So far:

17.5 million $YU have been sent back on Solana.
4.78 million $YU have been returned on Ethereum.

That leaves 7.71 million $YU still missing, which had been converted into about 1,635 ETH. Roughly 151 ETH has already been laundered through Tornado Cash, while the rest is being held in more than 140 separate wallets.

Official Response

Yala, the foundation behind $YU, released a detailed post-mortem on September 14. The team stressed that no Bitcoin reserves were touched and that the core protocol was not exploited. The problem came from deployment procedures during bridge upgrades.

Immediate actions included:

Engaging security firms SlowMist and Fuzzland to investigate.
Disabling bridge and conversion functions to stop further damage.
Coordinating with law enforcement to track the hacker.
Deploying new safeguards to prevent unauthorized bridge creation.

The team says it will destroy all illegitimate $YU on September 23, ensuring every circulating token is backed by reserves.

Recovery Plan

Yala’s roadmap to restore trust includes:

Burning Illegitimate Tokens – All 90 million on Polygon plus the returned amounts on Ethereum and Solana will be destroyed.
Restoring Liquidity – Users will be able to redeem $YU for USDC at a 1:1 ratio.
Compensation – Traders who were unfairly liquidated during the depeg will be able to file claims. Yala will process requests through Discord, with reviews expected to take several weeks.
Audits and Monitoring – New audits will be conducted with Fuzzland and Cubist. The team also plans to add real-time monitoring for all bridge and contract updates.
Governance Changes – The team will implement multi-party authorization for future upgrades, removing single-key vulnerabilities.