A major security incident has occurred in the cryptocurrency sector, as the stablecoin digital bank Infini, headquartered in Hong Kong, was hacked, resulting in a loss of up to $49.5 million in USDC (USD stablecoin). The attack took place on February 23, with the attackers exploiting a lapse in the platform's permission transfer process to successfully steal a large sum of money, which was quickly exchanged for 495,000 DAI and then used to purchase approximately 17,696 Ether (ETH), which was transferred to a new wallet address (0xfcc8…6e49). This incident has sparked renewed concerns in the industry regarding the security of cryptocurrency platforms.
Attack Details: Permission Vulnerability as the Key Breakthrough
According to analyses by blockchain security firms PeckShield and Lookonchain, the attackers executed the theft by gaining access to an account (address 0xc49b…e3e1) that still held special permissions. Preliminary investigations suggest that this account may have played a significant role in the development of the Infini project, but its permissions were not revoked in a timely manner. After lying in wait for over 100 days, the attackers used the Tornado Cash mixing service to cover their tracks and ultimately cleared the funds from the target contract after making a small ETH transaction to pay for gas fees.
Yu Xian, founder of the blockchain security company SlowMist, stated that the attackers demonstrated a high level of technical understanding of smart contracts, describing them as "extremely skilled individuals." Currently, the flow of funds has been traced to wallets associated with Tornado Cash, but due to the anonymity of mixing services, recovery is extremely difficult.
Infini Responds Quickly, Promising Full Compensation
After the incident was revealed, Infini co-founder Christian (@Christianeth) quickly responded via social media, stating that the team is working diligently to trace the flow of funds. He emphasized that the user withdrawal function was unaffected, and since the attack occurred, the platform has processed withdrawal requests totaling up to $500,000, indicating that its liquidity has not been significantly impacted. Christian admitted, "I was negligent during the permission transfer, and this is my responsibility. This incident has sounded the alarm." He promised that even in the worst-case scenario, Infini would fully compensate users for their losses to maintain customer trust.
Another co-founder, Christine (@0xsexybanana), also stated on social media that they have located and controlled the involved engineer and have reported the case to the police. She assured users, "Infini will be fine, and we will update progress as soon as possible." Currently, Infini has not released a detailed incident report, but the team is collaborating with law enforcement and professional security firms to identify the attackers and recover the losses.
Industry Background: Frequent Cryptocurrency Security Crises
This incident is not an isolated case. Just days earlier, the cryptocurrency exchange Bybit suffered a larger attack, losing up to $1.4 billion in ETH, suspected to be the work of the North Korean hacker group Lazarus Group. This series of high-profile attacks has once again plunged the cryptocurrency industry into a trust crisis. Analysts point out that Ether, due to its high liquidity and wide acceptance, has become the preferred asset for hackers to transfer funds, further exacerbating market concerns about its security.
In recent months, similar incidents have occurred frequently. In January, the Phemex exchange lost $69.1 million due to a hot wallet vulnerability; during the same period, the BNB Chain became a hotspot for hacker attacks, accounting for 50% of recorded attacks that month. Although the total amount stolen in cryptocurrency thefts in 2024 has decreased by 44.6% compared to 2023, the dense attacks at the beginning of 2025 indicate that security threats have not diminished but have become increasingly complex.
Uncertain Future: Rebuilding Trust is a Long Road Ahead
Although the attack on Infini did not directly stem from a protocol vulnerability, but rather from internal management errors, it exposed the common weaknesses in private key management and permission control on cryptocurrency platforms. Christian stated in his announcement, "There is no problem with liquidity, and we are tracking the funds. I apologize for causing concern to those who trust us; rebuilding trust is difficult, but we will not give up."
Market observers note that whether Infini can fulfill its promise of full compensation will be key to whether it can weather this crisis. In contrast, Bybit launched a $140 million bounty program after the $1.4 billion attack in an attempt to recover some funds, but user confidence still significantly wavered. If Infini can handle the situation properly, it may become a positive case for the industry in responding to security crises.
Currently, the Infini team has not disclosed specific details of the compensation plan but has promised to announce more progress in the coming days. As the investigation deepens and fund tracking progresses, this incident will undoubtedly become a focal point in discussions about security in the cryptocurrency industry in 2025. Both inside and outside the industry are watching to see how Infini will rebuild its reputation in the crisis, while also reminding all cryptocurrency platforms: security is no small matter, and negligence comes at a cost.
Disclaimer: The above content does not constitute investment advice.
AiCoin Official Website: www.aicoin.com
Telegram: t.me/aicoincn
Twitter: x.com/AiCoinzh
Email: support@aicoin.com
Group Chat: Customer Service Yingying, Customer Service KK
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
