A rogue developer who retained admin rights after project delivery is the prime suspect in the theft of $50 million in USDC from the crypto payments firm.
Stablecoin payment firm Infini lost $50 million in an exploit suspected to have been conducted by a developer who retained administrative privileges after project delivery.
The perpetrator is believed to have done contract development work on the Infini project and secretly retained admin rights after the project was completed, according to security firm Cyvers.
The attacker funded the wallet used in the hack with 1 Ether (ETH) from the cryptocurrency mixing service Tornado Cash. They then transferred $49.52 million worth of USD Coin (USDC) from Infini through a contract they created in November 2024.
The USDC was immediately swapped for Dai (DAI), a stablecoin that doesn’t have a freeze function. The funds were then converted to 17,696 ETH and had been moved to a secondary address at the time of writing.
The Infini team did not pause withdrawals, and founder Christian Li claimed in an X post that full compensation would be paid in a worst-case scenario. Li added that the platform has observed $500,000 in withdrawals since the theft.
In a now-deleted tweet, Infini team member “Christine” stated that the engineer responsible for the theft had been identified and reported to the police. Still, when asked by Cointelegraph to confirm the information, she said: “We are still investigating.”
Infini exploit follows largest hack in history
The attack on Infini comes after cryptocurrency exchange Bybit suffered a record-breaking hack, losing $1.4 billion in Ether and related tokens on Feb. 21.
The large-scale attack on a major exchange raised concerns about possible insolvency. However, the exchange opted for a rare strategy of keeping withdrawals open and vowed to cover the loss if the funds could not be recovered.
Bybit relied on loans from partners and rival exchanges to meet the immediate liquidity demands of customer withdrawals, which totaled over $5 billion, according to DefiLlama data.
On Feb. 24, Bybit CEO Ben Zhou announced that the exchange had fully closed its Ether gap.
Onchain detective ZachXBT identified North Korea’s state-sponsored hacking group Lazarus as the prime suspect in the attack on Bybit. ZachXBT linked the Bybit hacker’s wallet to an attack carried out on Phemex in January, as well as to an attack against BingX, both of which have been attributed to North Korea.
This article first appeared at Cointelegraph.com News