Infini Money Anonymous Developer Backdoor Vault Theft
Infini Money, a crypto payment solution, suffered a major exploit when a rogue developer retained admin privileges and drained $49.5 million from the platform. The hacker used the access to steal USDC, swapped it for DAI, and laundered it through Tornado Cash. Despite Infini's founder, Christian, acknowledging his mistake, pledging to cover the losses, and offering a 20% bounty for the return of funds, the hacker ignored the offer. The Infini Money project continues to operate with decreased confidence, and it appears that fund losses have been limited to the project investors. It appears that Christian remains on the hook for the loss personally.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About Infini Money
Infini Money is a crypto payment solution designed for the masses, allowing users to make instant crypto payments globally with the Infini Card. It offers daily interest on balances, democratizing access to premium yield opportunities without requiring a physical card. Infini Card users can pay at over 100 million merchants worldwide, both online and offline, using their digital assets, with compatibility for platforms like Apple Pay, Google Pay, and AliPay. Infini emphasizes security, with audited smart contracts and a licensed custody partner, Cobo, ensuring asset protection. The service is globally accessible, free of monthly or annual fees, and includes a virtual card, with a physical card launching soon.
The Reality
Beneath the technical jargon and blockchain complexity lies a disappointingly simple truth about Infini's collapse.
A complete lack of basic access control hygiene. No mandatory privilege transfers. No time-based access expirations. No multi-signature requirements for critical functions.
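An added example (not Infini's code and not part of the original case study) of auditing for the three missing controls listed above: it replays a constructed role grant/revoke history and reports critical roles still held by a single key, and whether such a grant ever expires. The event format, role names and account labels are hypothetical.

```python
"""Audit who still holds a privileged role after a developer handover."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RoleEvent:
    ts: int                         # event time, Unix seconds
    kind: str                       # "grant" or "revoke"
    role: str
    account: str
    expires: Optional[int] = None   # grant expiry; None means it never expires

# Constructed sample history (hypothetical; not Infini's real events or addresses).
EVENTS = [
    RoleEvent(1_700_000_000, "grant", "ADMIN", "dev-deployer-eoa"),
    RoleEvent(1_700_000_500, "grant", "ADMIN", "ops-multisig"),
    RoleEvent(1_700_001_000, "grant", "WITHDRAW", "contractor-eoa", expires=1_702_000_000),
    RoleEvent(1_700_002_000, "grant", "WITHDRAW", "ops-multisig"),
    RoleEvent(1_700_003_000, "grant", "PAUSER", "oncall-eoa"),
    RoleEvent(1_700_004_000, "revoke", "PAUSER", "oncall-eoa"),
]
MULTISIGS = {"ops-multisig"}            # accounts known to require several signers
CRITICAL_ROLES = {"ADMIN", "WITHDRAW"}  # roles that can move or reassign funds

def current_holders(events, now):
    """Replay grants and revokes in time order, then drop expired grants."""
    held = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > now:
            break
        if ev.kind == "grant":
            held[(ev.role, ev.account)] = ev.expires
        else:
            held.pop((ev.role, ev.account), None)
    return {k: exp for k, exp in held.items() if exp is None or exp > now}

def audit(events, now, multisigs=MULTISIGS, critical=CRITICAL_ROLES):
    """Return (role, account, finding) for each critical role outside a multisig."""
    findings = []
    for (role, account), expires in sorted(current_holders(events, now).items()):
        if role not in critical or account in multisigs:
            continue
        findings.append((role, account, "single-key holder of critical role"))
        if expires is None:
            findings.append((role, account, "grant never expires"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, now=1_703_000_000):
        print(finding)
```

In the sample history the time-bound contractor grant lapses on its own, while the deployer's non-expiring admin grant is still reported after the handover.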
What Happened
An anonymous developer who helped to develop the Infini smart contract appears to have retained control, and used this control to withdraw $49.5m USDC of investor funds from the smart contract.
| Date | Event | Description |
|---|---|---|
| February 23rd, 2025 5:57:47 PM MST | Initial TornadoCash Withdrawal | The attacker withdraws one ETH from TornadoCash. |
| February 23rd, 2025 7:15:59 PM MST | Both Theft Transactions | The first theft transaction steals 11,455,666.712564 USDC from the smart contract. The second theft transaction (in the same block) steals 38,060,996.264534 USDC from the smart contract. In the same block, the 49,516,662.977098 USDC is swapped for 49,516,662.977 DAI. |
| February 23rd, 2025 8:40:59 PM MST | Funds To Second Address | Stolen funds start to be moved by the hacker to a second Ethereum wallet address. |
| February 23rd, 2025 8:44:00 PM MST | LookOnChain Tweet Made | LookOnChain first spotted the anomaly, “A newly created wallet spent 49.5M $DAI to buy 17,696 $ETH at $2,798 in the past hour.” |
| February 23rd, 2025 8:53:00 PM MST | yieldsandmore Announcement | yieldsandmore posts an announcement on Twitter/X stating their belief that Infini funds were hacked and moved into a Tornado-sourced address. |
| February 23rd, 2025 9:48:00 PM MST | Christian Post On Twitter/X | Christian posts on Twitter about the recent security issue, reflecting on a previous comment made by a friend about how smooth his journey has been. He admits that after the incident with Bybit, the next issue came unexpectedly from his own situation. Christian clarifies that his private key was not compromised, but a mistake occurred during the delegation of permissions, ultimately making it his responsibility. He expresses gratitude for the support from friends, assures that liquidity is not a problem, and promises full compensation while investigating the funds. He apologizes for causing worry and acknowledges that rebuilding trust will be challenging, but they won't give up. |
| February 24th, 2025 3:36:00 AM MST | Infini Releases Statement | Infini releases a statement on Twitter/X addressing reports of a security breach. They express regret for the concern caused and assure users that their team is actively investigating and securing all systems. The company confirms that all transfers, deposits, withdrawals, and payments are functioning normally. Despite the issue, Infini reaffirms its commitment to its vision of becoming a crypto neo bank and encourages continued progress. |
| February 24th, 2025 7:22:00 AM MST | Bounty Offered To Hacker | The Infini team offers the hacker a 20% bounty in exchange for not pursuing further. They claim to have "critical IP and device information" regarding the exploit. |
| February 25th, 2025 7:58:00 AM MST | Fund And Operation Update | Infini shares an update with their community regarding the status of funds and operations. They confirm that Infini's funds are securely stored in the Cobo Custodian Wallet. All Infini Card functions, including transfers, deposits, withdrawals, and payments, remain fully operational. The team is focused on securing the Infini Earn feature, with an estimated 3-4 week timeline to resolve the issue, during which yield distribution will be paused. Infini is actively working with legal authorities and the @SlowMist_Team on the investigation, with progress being made. They thank the community for their patience and support, emphasizing that tough times don't last, but tough people do. |
Technical Details
The Infini incident was a major exploit in which the platform lost $49.5 million to a rogue developer who maintained admin privileges after completing their work. The hacker, who had patiently waited for months, drained funds from Infini’s vault using privileged access, then laundered the stolen funds through Tornado Cash, converting them to ETH.
"Just blind trust in a faceless developer who built a backdoor, bided their time, and struck when the vault was fattest."
Total Amount Lost
11,455,666.712564 + 38,060,996.264534 = 49,516,662.977098 USDC, or about 49,517k USDC
The total amount lost has been estimated at $49,517,000 USD.
Immediate Reactions
"A friend once joked that I had been having too smooth sailing along the way. I said that I was always ready for the first disaster, but I didn’t expect that I would be the one to run into trouble right after bybit.
My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm.
Thank you friends for your voice and support. There is no problem with liquidity. Full compensation can be paid and the funds are being traced.
I'm sorry to have worried everyone who trusted us. I know rebuilding trust will be a difficult process, but we won't give up."
Ultimate Outcome
Infini's founder, Christian, acknowledged his mistake in transferring authority to the developer and pledged to personally cover the losses, especially for significant investors. Despite his efforts, including offering 20% of the stolen amount for the return of funds, the situation ended in a loss for Infini. Many lessons have been highlighted, including the importance of proper access control and security protocols. Industry analysts note a hard lesson about the risks of placing too much trust in developers.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
The hacker continues to move and swap funds around, and appears to have no intention of engaging with the bounty offered.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Rekt - Infini - Rekt (Accessed Feb 28, 2025)
- Transfer Of 1 ETH From TornadoCash To Hacker (Accessed Mar 3, 2025)
- LookOnChain - "A newly created wallet spent 49.5M $DAI to buy 17,696 $ETH at $2,798 in the past hour." - Twitter/X (Accessed Mar 3, 2025)
- yieldsandmore - "Seems like $50m of @0xinfini Earn Funds just got hacked, into Torn-sourced addy 0x3ac96134fb0e42a52d33045aee50b89790f05ed0. Funds were taken from Morpho MEVCapital Usual USDC Vault." - Twitter/X (Accessed Mar 3, 2025)
- Infini Linktree (Accessed Mar 3, 2025)
- Infini Money Homepage (Accessed Mar 3, 2025)
- Christian - "A friend once joked that I had been having too smooth sailing along the way. I said that I was always ready for the first disaster, but I didn’t expect that I would be the one to run into trouble right after bybit." - Twitter/X Translation (Accessed Mar 3, 2025)
- Infini Money - "We're aware of reports on a security compromise affecting Infini. We're deeply sorry for the concern this causes - our team is working around the clock to investigate and secure all systems at the moment." - Twitter/X (Accessed Mar 3, 2025)
- Infini Money - "We’ve identified critical info regarding the exploit and we’re monitoring involved addresses." - Twitter/X (Accessed Mar 3, 2025)
- Infini Money - "All Infini Card functions—transfers, deposits, withdrawals, and payments—are fully operational." - Twitter/X (Accessed Mar 3, 2025)
- Transfer Of 11,455,666.712564 USDC From Infini To Hacker (Accessed Mar 3, 2025)
- Transfer Of 38,060,996.264534 USDC From Infini To Hacker (Accessed Mar 3, 2025)
- 0xInfini Twitter (Accessed Mar 3, 2025)
- Transferring ETH Funds To New Wallet By Hacker (Accessed Mar 3, 2025)