
Stablecoin Heist Nets Infini a Loss of $49 Million

CertiK exposes ex-developer's secret funding through Tornado Cash and his use of hidden admin rights in the Infini hack

The Great Escape: An Ex-Developer Pulls Off a $49 Million Heist on Stablecoin Bank Infini

In a blockbuster move that's shaking the crypto world, a notorious ex-developer has successfully pilfered over $49 million from digital-only neobank Infini, making away with a whopping 49.5 million USDC.

On February 24, CertiK first reported unauthorized fund transfers from an Infini-associated contract on Ethereum, setting off alarm bells in the crypto community. Lookonchain later confirmed that the fickle-fingered hacker converted the entire 49.5 million USDC into 49.5 million DAI before purchasing 17,696 ETH – all of which were swiftly moved to a newly created wallet with the address 0xfcc8...6e49.

But here's where it gets juicy – Cyvers Alerts later revealed that the cunning crook behind the incident, operating from the address 0xc49b...3e1, was none other than a developer who had worked on Infini's contract. Although the project was completed and handed over, the imaginative scoundrel managed to hold onto some administrative control, allowing them to execute their audacious plan over 100 days later.

After funding their wallet using Tornado Cash and conducting a discreet ETH transaction to cover gas fees, the ex-developer finally pulled off the heist, exploiting the system with style.

However, the daring swindle didn't go unnoticed. PeckShield Alert suggested that a private key leak might have been the culprit, but Infini founder Christian Li quickly dismissed such speculation, admitting to previous oversights in transferring control. He took full responsibility for the situation, viewing it as a harsh reality check.
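
The handover gap described above, privileges that outlive the engagement, can be checked by replaying a contract's role-change events and comparing the current holders with the intended owners. The following is an added example, not Infini's or any cited firm's code; it assumes OpenZeppelin AccessControl-style `RoleGranted`/`RoleRevoked` events, the `WITHDRAW_ROLE` name is hypothetical, and every address and event is constructed.

```python
# Added example: replay role-change events to find privileges that survived a handover.
# Assumption: the contract emits OpenZeppelin AccessControl-style events
# RoleGranted(role, account, sender) / RoleRevoked(role, account, sender).
# All addresses, block numbers and events below are constructed sample data;
# WITHDRAW_ROLE is a hypothetical role name.

DEV = "0x" + "d1" * 20       # constructed: contractor's deployment key
MULTISIG = "0x" + "a5" * 20  # constructed: the team's multisig after handover

EVENTS = [  # (block, event, role, account), listed in log order
    (100, "RoleGranted", "DEFAULT_ADMIN_ROLE", DEV),
    (100, "RoleGranted", "WITHDRAW_ROLE", DEV),
    (250, "RoleGranted", "DEFAULT_ADMIN_ROLE", MULTISIG),
    (251, "RoleGranted", "WITHDRAW_ROLE", MULTISIG),
    (252, "RoleRevoked", "DEFAULT_ADMIN_ROLE", DEV),
    # No RoleRevoked for WITHDRAW_ROLE/DEV: the handover missed one role.
]

# Allowlist: who should hold each role once the handover is complete.
EXPECTED = {"DEFAULT_ADMIN_ROLE": {MULTISIG}, "WITHDRAW_ROLE": {MULTISIG}}


def current_holders(events):
    """Replay events in block order and return {role: set(addresses)}."""
    holders = {}
    # sorted() is stable, so events within one block keep their log order.
    for _block, kind, role, account in sorted(events, key=lambda e: e[0]):
        members = holders.setdefault(role, set())
        addr = account.lower()  # hex addresses compare case-insensitively
        if kind == "RoleGranted":
            members.add(addr)
        elif kind == "RoleRevoked":
            members.discard(addr)
        else:
            raise ValueError(f"unexpected event type: {kind}")
    return holders


def unexpected_holders(events, expected):
    """Return sorted (role, address) pairs that hold a role but are not allowlisted."""
    findings = []
    for role, members in current_holders(events).items():
        allowed = {a.lower() for a in expected.get(role, set())}
        findings.extend((role, addr) for addr in members - allowed)
    return sorted(findings)


if __name__ == "__main__":
    for role, addr in unexpected_holders(EVENTS, EXPECTED):
        print(f"ALERT: {addr} still holds {role}")
```

Run on a schedule against real event logs, a check like this turns a forgotten revocation into an alert on day one rather than a finding after funds move.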

Meanwhile, co-founder Christine moved swiftly to reassure customers, announcing that Infini would compensate them for their losses, as the company had the means to cover the damages. Having launched in 2024, Infini offers stablecoin transactions, yield-generating accounts, and traditional banking services through its mobile platform.

A Chain of Exploits: The Rise of Crypto Heists

The Infini heist is far from an isolated incident, as it joins a growing list of major breaches in the crypto sector. Just days prior, crypto exchange Bybit suffered a $1.5 billion exploit on February 21, marking the largest theft in the industry's history.

Bybit CEO Ben Zhou confirmed that the attack resulted in the loss of most of the exchange's ETH holdings. Over 400,000 Ether mysteriously vanished from the exchange's wallet before being converted into ETH through a series of swift swaps, "staking" mETH and stETH tokens in the process.

Bybit is working tirelessly with blockchain investigators and security firms to recover the stolen assets, offering a generous $140 million bounty to incentivize assistance. Blockchain investigator ZachXBT has even identified the North Korean hacking group Lazarus as the likely culprit behind the incident.

The Hacker's Playbook: Common Attack Vectors and Mitigation Strategies

While the exact method behind Infini's breach hasn't been revealed, the Bybit hack provides insights into common attack vectors and industry-wide preventative measures:

  1. Enhanced Developer Training: Teaching developers about phishing awareness and secure software deployment practices.
  2. Multi-signature Wallets: Using multi-party authorization for high-value transactions to limit single-point failures.
  3. Third-party Audits: Engaging firms like Mandiant to conduct regular code reviews and penetration testing.
  4. Immutable Code Verification: Utilizing blockchain-based hashing to detect unauthorized UI changes.

Infini may still be silent on the specific countermeasures they'll employ, but these practices are becoming the norm across crypto platforms following the Q1 2025 breaches.

For precise and Infini-related findings, monitoring updates from cybersecurity firms like Mandiant or official Infini statements would be advisable. Keep an eye on this developing story, as the detective work continues.

  1. The stolen funds from Infini were initially reported as being held in a wallet with an Ethereum address starting with '0xfcc8'.
  2. The hack on Infini was carried out by a developer who had worked on their contract, despite the project being completed and handed over.
  3. Despite initial speculation, a private key leak might not have been the cause of the Infini hack, with oversights in transferring control being admitted by the project founder.
  4. The crypto industry has suffered another major breach, with crypto exchange Bybit losing over $1.5 billion on February 21.
  5. The Bybit hack involved the theft of 400,000 Ether and the conversion of these funds through a series of swift swaps and the staking of mETH and stETH tokens.
  6. The crypto sector has seen a growing list of major breaches, with the Infini heist being just one example, and Bybit marking the largest theft to date in the industry's history.
  7. To prevent similar attacks, industry-wide preventative measures such as enhanced developer training, multi-signature wallets, third-party audits, and immutable code verification have emerged as best practices in the fintech and technology sector, especially given the recent breaches in Q1 2025.