The stablecoin payment platform Infini reported a loss of $50 million due to a recent exploit. It is assumed that the attack was conducted by a developer who retained administrative privileges after the project completion.
Circumstances of the Exploit
The perpetrator is believed to have worked on the Infini project as a contract developer but secretly kept admin rights. According to Cyvers, the attacker funded the wallet used in the hack with 1 Ether from Tornado Cash. Subsequently, $49.52 million worth of USD Coin was transferred from Infini through a contract created in November 2024. These funds were immediately swapped for Dai, a stablecoin that doesn’t have a freeze function. Eventually, the funds were converted to 17,696 Ether and moved to a secondary address.
Infini Team's Response
The Infini team did not pause withdrawals, and founder Christian Li claimed in an X post that full compensation would be paid in a worst-case scenario. Li also noted that $500,000 had been withdrawn since the theft. Christine, an Infini team member, stated the responsible engineer had been identified and reported to the police. However, confirmation of these claims is still under investigation.
History of Previous Attacks
The attack on Infini followed a record-breaking hack on the cryptocurrency exchange Bybit, which lost $1.4 billion in Ether and related tokens. The large-scale hack raised concerns about possible insolvency, but Bybit kept withdrawals open and vowed to cover losses. The investigation into Bybit's hack was led by analyst ZachXBT, who linked the attack to North Korea's Lazarus group.
The Infini incident underscores the need for heightened cybersecurity measures in the cryptocurrency sector. It illustrates the critical importance of strict controls over administrative access post-project to prevent similar occurrences in the future.
