Infini Drained of $50 Million—Insider Access Blamed for Security Breach

According to cybersecurity firm Cyvers, the individual involved worked on Infini’s smart contract development and secretly retained control, which allowed them to carry out the attack.

The attacker’s wallet was initially funded with 1 Ethereum ETH $4,208.45 through Tornado Cash, a cryptocurrency mixing service. Using a contract they had created in November 2024, they withdrew $49.52 million in USD Coin USDC $0.9997 from Infini.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is Crypto Arbitrage? (Risks & Tips Explained With Animation)

SUBSCRIBE

ON YOUTUBE

The USDC was immediately exchanged for Dai DAI $0.9999 , a stablecoin without a freeze function, to prevent the stolen funds from being frozen. The funds were then converted into 17,696 ETH and transferred to another wallet.

Infini did not halt withdrawals despite the major loss. In a February 24 post on X, Christian Li, the platform's founder, stated:

We are still sorting out and tracking the details. Withdrawals are normal and in the worst case scenario, full compensation will be paid, so you can rest assured.

He also noted that around $500,000 had been withdrawn from the platform following the incident.

An Infini team member, identified as “Christine”, posted on X that the person behind the exploit had been identified and reported to the authorities. However, the post was later deleted.

Recently, Elliptic explained the typical process used by the Lazarus Group, the hackers behind the $1.4 billion theft from Bybit $3.11B , to cover their tracks. How? Read the full story.