- A rogue developer is suspected of being behind Infini’s $50 million hack
- The developer previously worked on the project’s smart contracts but secretly retained access to the platform
- The attacker retained access since November 2024
A rogue blockchain developer is suspected of siphoning $50 million from stablecoin payment firm Infini. The developer was contracted to create smart contracts but retained admin access to the protocol even after delivering his work. According to an analysis by blockchain security firm Cyvers, the developer waited for over three months before exploiting the payment platform, indicating that he may be a malicious actor masquerading as a genuine smart contract developer.
The Attacker Used Tornado Cash
Cyvers disclosed that the developer started by depositing funds into his address using crypto-mixing service Tornado Cash. The developer then “sent a small ETH transaction for gas, and exploited the contract.”
🚨ALERT🚨Today, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges.
The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the contract as part of the Infini project. However, after… pic.twitter.com/olguOyNCJr
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 24, 2025
Infini sent the attacker an on-chain message offering him a 20% bug bounty. According to the message, the payment platform has “gathered critical IP and device information” regarding the hacker with the help of exchanges, partners, security agencies, and the community.
Important update:
We’ve identified critical info regarding the exploit and we’re monitoring involved addresses. pic.twitter.com/xqZwRYg4CS
— Infini (@0xinfini) February 24, 2025
The platform said it’ll involve law enforcement agencies if the attacker fails to return 80% of the funds within 48 hours. Infini also said that it has a “solid runway to operate” hence no need to suspend deposits, withdrawals, and other services.
We’ve got solid runway to operate. No worries.
— Infini (@0xinfini) February 24, 2025
Infini’s founder Christian Li said the platform will compensate affected users if the hacker chooses to keep the funds, adding that users have withdrawn roughly $500,000 since the hack.
Insiders Not Uncommon
The Infini hack by a rogue developer comes less than a week after a former Bybit accountant was jailed for close to 10 years for embezzling funds.
It also comes a few days after the Bybit exchange lost $1.5 billion to hackers. The exchange has since restored its balances to pre-hack levels as it continues to pursue the hacker.
With Infini offering a 20% bounty, it remains unclear whether there was some bad blood between the developer and the payment platform.
