A rogue developer allegedly stole $50 million in USDC from crypto payments firm Infini after secretly keeping administrative access to the platform.
Developer With Secret Admin Access Blamed for $50M Theft
Security firm Cyvers reported that the attacker had worked on the Infini project’s contract development. However, instead of fully relinquishing control after completing the project, the developer allegedly retained admin rights, allowing them to exploit the system.
A developer who secretly kept administrative access to Infini’s smart contract stole $50 million in USDC. Source: Cyvers on XThe attacker funded their wallet with 1 Ether (ETH) from Tornado Cash, a cryptocurrency mixing service often used to hide transaction trails. They then transferred $49.52 million in USD Coin (USDC) from Infini using a smart contract they had created in November 2024.
To prevent the stolen funds from being frozen, the attacker quickly swapped USDC for Dai (DAI), a stablecoin that does not have a freeze function. They then converted the DAI into 17,696 ETH and moved the funds to a secondary address.
The attacker transferred a small amount of Ethereum for gas fees. Source: ExVulInfini Promises Full Compensation Despite Major Breach
Despite the attack, Infini did not pause withdrawals. The company’s founder, Christian Li, stated that full compensation would be provided in a worst-case scenario. He also mentioned that $500,000 had been withdrawn from the platform since the theft.
Shortly after the hack, an Infini team member named Christine posted on X that the team had identified the engineer responsible and reported them to the police. However, she later deleted the tweet.
Infini Exploit Follows Record-Breaking Bybit Hack
Infini’s attack comes just days after Bybit suffered a $1.4 billion hack, the largest crypto theft in history.
Following the Bybit hack, concerns spread about possible insolvency at the exchange. However, instead of shutting down withdrawals, Bybit continued operations and promised to cover any unrecovered losses. To handle the crisis, Bybit secured loans from partners and rival exchanges to meet user withdrawals, which totaled over $5 billion according to DefiLlama data.
On Feb. 24, Bybit CEO Ben Zhou confirmed that the exchange had fully recovered its lost Ether. Blockchain investigator ZachXBT identified North Korea’s state-sponsored hacker group Lazarus as the primary suspect behind the attack. The same hacker wallet linked to Bybit was also tied to previous attacks on Phemex and BingX, both attributed to Lazarus.
Crypto Security Under Fire After Back-to-Back Attacks
Besides Infini and Bybit, other crypto firms have also suffered major crypto theft where attackers stole millions in crypto.
On Feb. 12, decentralized lending protocol zkLend lost $9.5 million in an exploit on Starknet, according to Cyvers. The attacker transferred the stolen funds to Ethereum and attempted to launder them through Railgun, a privacy protocol. However, due to protocol restrictions, Railgun returned the funds to the original address.
Cryptocurrency options exchange Deribit also fell victim to hackers. In November 2024, attackers breached one of its hot wallets and stole $28 million. The exchange reported that the hack only affected its Bitcoin (BTC), Ethereum (ETH), and USDC hot wallets. To prevent further losses, Deribit halted all withdrawals, including those from third-party custodians Copper Clearloop and Cobo.
The post Infini Hit by Theft of $50 Million in Crypto, Developer Foul Play Suspected appeared first on Coinchapter.
%%featured_image%%
