Azoundria: COMPLETE 30 minutes. Reviewed, substantially improved, and sourced the introduction paragraph. Moved post-incident information from reality section to technical details. Added sources and fixed typos in the timeline. Added description for quote in immediate reactions section. Filling in more detailed information on losses and recovery. Spreading around the sources to different article sections. Completed an initial prevention section with policies for individuals, platforms, and regulators.

2025-03-06T00:42:01Z

COMPLETE 30 minutes. Reviewed, substantially improved, and sourced the introduction paragraph. Moved post-incident information from reality section to technical details. Added sources and fixed typos in the timeline. Added description for quote in immediate reactions section. Filling in more detailed information on losses and recovery. Spreading around the sources to different article sections. Completed an initial prevention section with policies for individuals, platforms, and regulators.

Show changes

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/infinimoneyanonymousdeveloperbackdoorvaulttheft.php}} {{Unattributed Sources}} Infini Money Logo/HomepageInfini Money, a crypto payment solution, suffered a major exploit when a rogue developer retained admin privileges and drained $49.5 million from the platform. The hacker used the access to steal USDC, swapped it for DAI, and laundered it through Tornad..."

2025-03-03T22:18:29Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/infinimoneyanonymousdeveloperbackdoorvaulttheft.php}} {{Unattributed Sources}} thumb|Infini Money Logo/HomepageInfini Money, a crypto payment solution, suffered a major exploit when a rogue developer retained admin privileges and drained $49.5 million from the platform. The hacker used the access to steal USDC, swapped it for DAI, and laundered it through Tornad..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/infinimoneyanonymousdeveloperbackdoorvaulttheft.php}}
{{Unattributed Sources}}

[[File:Infinimoney.jpg|thumb|Infini Money Logo/Homepage]]Infini Money, a crypto payment solution, suffered a major exploit when a rogue developer retained admin privileges and drained $49.5 million from the platform. The hacker used the access to steal USDC, swapped it for DAI, and laundered it through Tornado Cash. Despite Infini's founder, Christian, acknowledging his mistake and pledging to cover the losses, including offering a 20% bounty for the return of funds. The hacker ignored the offer. The Infini Money project continues to operate with decreased confidence, and it appears that fund losses have been limited to the project investors. It appears that Christian remains on the hook for the loss personally.<ref name="rektnews-18167" /><ref name="transfer1eth-18168" /><ref name="lookonchaintweet-18169" /><ref name="yieldsandmoretweet-18170" /><ref name="infinilinktree-18171" /><ref name="infinihomepage-18172" /><ref name="infinichristiantweet-18173" /><ref name="infinitwitternote-18174" /><ref name="infinitwitteroffer-18175" /><ref name="infinioperationupdate-18176" /><ref name="firstthefttx-18177" /><ref name="secondthefttx-18178" /><ref name="infinitwitter-18179" /><ref name="transferwallets-18180" />

== About Infini Money ==
Infini Money is a crypto payment solution designed for the masses, allowing users to make instant crypto payments globally with the Infini Card. It offers daily interest on balances, democratizing access to premium yield opportunities without requiring a physical card. Infini Card users can pay at over 100 million merchants worldwide, both online and offline, using their digital assets, with compatibility for platforms like Apple Pay, Google Pay, and AliPay. Infini emphasizes security, with audited smart contracts and a licensed custody partner, Cobo, ensuring asset protection. The service is globally accessible, free of monthly or annual fees, and includes a virtual card, with a physical card launching soon.

== The Reality ==
Beneath the technical jargon and blockchain complexity lies a disappointingly simple truth about Infini's collapse.

A complete lack of basic access control hygiene. No mandatory privilege transfers. No time-based access expirations. No multi-signature requirements for critical functions.

== What Happened ==
An anonymous developer who helped to develop the Infini smart contract appears to have retained control, and used this control to withdraw $49.5m USDC of investor funds from the smart contract.
{| class="wikitable"
|+Key Event Timeline - Infini Money Anonymous Developer Backdoor Vault Theft
!Date
!Event
!Description
|-
|February 23rd, 2025 5:57:47 PM MST
|Initial TornadoCash Withdrawal
|The attacker withdraws one ETH from TornadoCash.
|-
|February 23rd, 2025 7:15:59 PM MST
|Both Theft Transactions
|The first theft transaction steals 11,455,666.712564 USDC from the smart contract. The second theft transaction (in the same block) steals 38,060,996.264534 USDC from the smart contract. In the same block, the 49516662.977098 USDC is swapped for 49,516,662.977 DAI.
|-
|February 23rd, 2025 8:40:59 PM MST
|Funds To Second Address
|Stolen funds start to be moved by the hacker to a second Ethereume wallet address.
|-
|February 23rd, 2025 8:44:00 PM MST
|LookOnChain Tweet Made
|LookOnChain first spotted the anomaly, “A newly created wallet spent 49.5M $DAI to buy 17,696 $ETH at $2,798 in the past hour.”
|-
|February 23rd, 2025 8:53:00 PM MST
|yieldsandmore Announcement
|yieldsandmore posts an announcement on Twitter/X where they believe that the Infini smart contract address was hacked into a tornado-sourced address.
|-
|February 23rd, 2025 9:48:00 PM MST
|Christian Post On Twitter/X
|Christian posts on Twitter about the recent security issue, reflecting on a previous comment made by a friend about how smooth his journey has been. He admits that after the incident with Bybit, the next issue came unexpectedly from his own situation. Christian clarifies that his private key was not compromised, but a mistake occurred during the delegation of permissions, ultimately making it his responsibility. He expresses gratitude for the support from friends, assures that liquidity is not a problem, and promises full compensation while investigating the funds. He apologizes for causing worry and acknowledges that rebuilding trust will be challenging, but they won't give up.
|-
|February 24th, 2025 3:36:00 AM MST
|Infini Releases Statement
|Infini releases a statement on Twitter/X addressing reports of a security breach. They express regret for the concern caused and assure users that their team is actively investigating and securing all systems. The company confirms that all transfers, deposits, withdrawals, and payments are functioning normally. Despite the issue, Infini reaffirms its commitment to its vision of becoming a crypto neo bank and encourages continued progress.
|-
|February 24th, 2025 7:22:00 AM MST
|Bounty Offered To Hacker
|The Infini team offers the hacker a 20% bounty in exchange for not pursuing further. They claim to have "critical IP and device information" regarding the exploit.
|-
|February 25th, 2025 7:58:00 AM MST
|Fund And Operation Update
|Infini shares an update with their community regarding the status of funds and operations. They confirm that Infini's funds are securely stored in the Cobo Custodian Wallet. All Infini Card functions, including transfers, deposits, withdrawals, and payments, remain fully operational. The team is focused on securing the Infini Earn feature, with an estimated 3-4 week timeline to resolve the issue, during which yield distribution will be paused. Infini is actively working with legal authorities and the @SlowMist_Team on the investigation, with progress being made. They thank the community for their patience and support, emphasizing that tough times don't last, but tough people do.
|}

== Technical Details ==
The Infini situation ended in a major exploit where the platform lost $49.5 million due to a rogue developer who maintained admin privileges after completing their work. The hacker, who had patiently waited for months, drained funds from Infini’s vault using privileged access, then laundered the stolen funds through Tornado Cash, converting them to ETH.

"Just blind trust in a faceless developer who built a backdoor, bided their time, and struck when the vault was fattest."

== Total Amount Lost ==
11,455,666.712564 + 38,060,996.264534 = 49516662.977098 or 49517k USDC

The total amount lost has been estimated at $49,517,000 USD.

== Immediate Reactions ==
"A friend once joked that I had been having too smooth sailing along the way. I said that I was always ready for the first disaster, but I didn’t expect that I would be the one to run into trouble right after bybit.

My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm.

Thank you friends for your voice and support. There is no problem with liquidity. Full compensation can be paid and the funds are being traced.

I'm sorry to have worried everyone who trusted us. I know rebuilding trust will be a difficult process, but we won't give up."

== Ultimate Outcome ==
Infini's founder, Christian, acknowledged his mistake in transferring authority to the developer and pledged to personally cover the losses, especially for significant investors. Despite his efforts, including offering 20% of the stolen amount for the return of funds, the situation ended in a loss for Infini. Many lessons have been highlighted including the importance of proper access control and security protocols. Industry analysts note a hard lesson about the risks of placing too much trust in developers.

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
The hacker continues to move and swap funds around, and appears to have no intention of engaging with the bounty offered.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-18167">[https://rekt.news/infini-rekt/ Rekt - Infini - Rekt] (Accessed Feb 28, 2025)</ref>

<ref name="transfer1eth-18168">[https://etherscan.io/tx/0x03db8172ada9778e168fb1903d513782161d3e63a57004244d9437de89c68741 Transfer Of 1 ETH From TornadoCash To Hacker] (Accessed Mar 3, 2025)</ref>

<ref name="lookonchaintweet-18169">[https://twitter.com/lookonchain/status/1893869666717585756 LookOnChain - "A newly created wallet spent 49.5M $DAI to buy 17,696 $ETH at $2,798 in the past hour." - Twitter/X] (Accessed Mar 3, 2025)</ref>

<ref name="yieldsandmoretweet-18170">[https://twitter.com/yieldsandmore/status/1893871757666275587 yieldsandmore - "Seems like $50m of @0xinfini Earn Funds just got hacked, into Torn-sourced addy 0x3ac96134fb0e42a52d33045aee50b89790f05ed0. Funds were taken from Morpho MEVCapital Usual USDC Vault." - Twitter/X] (Accessed Mar 3, 2025)</ref>

<ref name="infinilinktree-18171">[https://linktr.ee/0x.infini Infini Linktree] (Accessed Mar 3, 2025)</ref>

<ref name="infinihomepage-18172">[https://www.infini.money/ Infini Money Homepage] (Accessed Mar 3, 2025)</ref>

<ref name="infinichristiantweet-18173">[https://twitter.com/Christianeth/status/1893885666557411712 Christian - "A friend once joked that I had been having too smooth sailing along the way. I said that I was always ready for the first disaster, but I didn’t expect that I would be the one to run into trouble right after bybit." - Twitter/X Translation] (Accessed Mar 3, 2025)</ref>

<ref name="infinitwitternote-18174">[https://twitter.com/0xinfini/status/1893973307596435871 Infini Money - "We're aware of reports on a security compromise affecting Infini. We're deeply sorry for the concern this causes - our team is working around the clock to investigate and secure all systems at the moment." - Twitter/X] (Accessed Mar 3, 2025)</ref>

<ref name="infinitwitteroffer-18175">[https://twitter.com/0xinfini/status/1894030200490315887 Infini Money - "We’ve identified critical info regarding the exploit and we’re monitoring involved addresses." - Twitter/X] (Accessed Mar 3, 2025)</ref>

<ref name="infinioperationupdate-18176">[https://twitter.com/0xinfini/status/1894401496508502099 Infini Money - "All Infini Card functions—transfers, deposits, withdrawals, and payments—are fully operational." - Twitter/X] (Accessed Mar 3, 2025)</ref>

<ref name="firstthefttx-18177">[https://etherscan.io/tx/0xacf84c5944f662a4fcf783806993d713a150994932008e72e4e47a58d6665f7f Transfer Of 11,455,666.712564 USDC From Infini To Hacker] (Accessed Mar 3, 2025)</ref>

<ref name="secondthefttx-18178">[https://etherscan.io/tx/0xecb31ff694c0e6c5e5b225c261854c0749ecf5d53c698fcda61f2d8e3db8f9fc Transfer Of 38,060,996.264534 USDC From Infini To Hacker] (Accessed Mar 3, 2025)</ref>

<ref name="infinitwitter-18179">[https://twitter.com/0xinfini 0xInfini Twitter] (Accessed Mar 3, 2025)</ref>

<ref name="transferwallets-18180">[https://etherscan.io/tx/0xd9796b6a4dc6c32f5b9599407dabac58e5c5f2efa9a96f7b32ec254d6335fa04 Transfering ETH Funds To New Wallet By Hacker] (Accessed Mar 3, 2025)</ref></references>

Infini Money Anonymous Developer Backdoor Vault Theft - Revision history