
Infini loses 50 million US dollars: engineer who traded 100x leveraged contracts and owed usurious loans is suspected of being a major "insider"


Reprinted from panewslab

03/21/2025·2M

Editor | Maodi Wu said blockchain

Background

On February 24, the Web3 credit card and financial project Infini suffered a theft, and $49.5 million worth of funds flowed out of the Morpho MEVCapital Usual USDC Vault. Christian, founder of Infini, said at the time: "70% of the stolen $50 million belongs to the big friends I know. They have communicated one by one and I personally bear the possible losses. The remaining funds will be reinvested into Infini vault by next Monday, as usual." He also said that he was willing to pay 20% of the stolen amount to the hacker as a ransom, and promised that if the funds were returned, no legal action would be taken.

At 20:00 on February 24, Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49:

We hereby inform you that we have obtained information on the critical IP and device you have attacked on Infini. This is thanks to the strong support of top exchanges, security agencies, partners and our community. We are closely monitoring the relevant addresses and are ready to freeze stolen funds at any time. To resolve this matter peacefully, we are willing to provide 20% of the stolen assets in return, provided you choose to return the funds. Once the returned funds are received, we will cease further tracking or analysis and you are not responsible. We implore you to take action within the next 48 hours to reach a solution as soon as possible. If we do not receive your response within the deadline, we will have no choice but to continue working with local law enforcement agencies to investigate the incident in depth. We sincerely hope to reach a solution that is most beneficial to all parties.

On February 26, Infini Team sent another on-chain message:

More than 48 hours have passed since the attack occurred, we hereby provide a last chance to return the stolen funds. If you choose to return the funds, we will immediately stop all tracking and analysis and you will not face any consequences. Please send 14156 ETH (80% of the stolen funds) to our Cobo custodial wallet:

Wallet address: 0x7e857de437a4dda3a98cf3fd37d6b36c139594e8

On February 27, Christian said that the filing of a case on the Infini hacking incident had been officially completed in Hong Kong.

In terms of funds, the hacker address 0x3a...5Ed0 exchanged 49.52 million USDC for an equal amount of DAI through Sky (MakerDAO) on the 24th, then exchanged the DAI for approximately 17,700 ETH through Uniswap and sent it to the new address 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49. The funds have not been transferred further since then (the suspected defendant was placed under the control of law enforcement authorities right away), but due to the recent low price of ETH, this ETH is currently worth only US$35.15 million.

https://intel.arkm.com/explorer/address/0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49

Litigation content

At 18:00 on March 20, Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49 as a warning to the relevant address, stating that the $50 million lost in the attack on Infini is the subject of an ongoing legal dispute. Any subsequent holder of crypto assets that had been stored in the above wallet may not claim to be a "good-faith buyer."

In addition, court litigation documents were attached to the message through a link. Their specific contents are as follows:

The plaintiff is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a wholly owned subsidiary of Infini Labs. The first defendant is Chen Shanxuan, who is based in Foshan, Guangdong. The true identities of the second to fourth defendants cannot be confirmed for the time being.

The plaintiff, together with BP Singapore, developed a smart contract for managing the company's and its clients' funds, written by the first defendant. The contract was originally set up with multi-signature permissions to strictly control any transfer of funds.

When the contract was launched on the mainnet, the first defendant allegedly retained the highest "super admin" authority, but lied to other team members that he had "transferred" or "removed" the authority.

In late February 2025, the plaintiff discovered that crypto assets worth approximately 49,516,662.977 USDC had been transferred to several unknown wallet addresses (wallets controlled by the second to fourth defendants) without multi-signature approval.

Fearing that the defendant or unidentified persons would further transfer or launder the assets, the plaintiff applied to the court to:

1. Issue an "injunction" to restrict the first defendant and the relevant unknown persons from transferring or disposing of the stolen assets;

2. Require the defendant or the person who actually controls the relevant wallets to disclose his identity;

3. Issue various mandatory orders to the first defendant and other unknown wallet holders that prohibit the disposal of assets;

4. Require the other party to disclose transaction and asset information;

5. Allow the plaintiff to effect "out-of-domain delivery" (i.e., serve legal documents on overseas defendants) and to use alternative means of service.

In the text of one of the affidavits, the plaintiff said: "I only recently learned that the first defendant had serious gambling habits and may have been burdened with huge debts. I believe this prompted him to steal assets involved in the case to ease his debts." The plaintiff also submitted screenshots of relevant news records to prove that the first defendant was "possibly trapped in huge debts." (The plaintiff said that the defendant went on the spot and opened a contract with 100 times leverage every day.)


According to the statement in the affidavit, the first defendant still borrowed funds from different channels within a relatively short period of time, and was even suspected of being in contact with "underground money houses" or so-called "loan sharks", which led to pressure from high interest and debt collection calls. Exhibit "CCL-17" mentions that he asked others for help in chat, saying that he was carrying "interest from several companies", and kept asking whether he could borrow money to get through the difficulties, or asking the other party to help introduce a new source of funds.

Shortly before the case, the first defendant revealed in his work group or in private communication with colleagues and friends that his financial situation was "very nervous", and even expressed his anxiety that "if you can't get money again, something will happen." These remarks almost coincide in time with the subsequent unauthorized transfer of the company's crypto assets, thus strengthening the plaintiff's judgment on the first defendant's "motive": he may have taken the risk because of huge debt pressure.

According to the plaintiff's statement, when asked about his personal finances or gambling, the first defendant repeatedly avoided the question or gave only general answers, and was vague about how much he owed and whether he was still gambling. The affidavit states that the first defendant had been pretending to have "no big problems" from the end of October until the incident, but what he told others in the chat software was obviously inconsistent with this.

The plaintiff is worried that if the first defendant is anxious to repay gambling debts or continues to seek a profit, he may continue to quickly transfer the stolen digital assets to other wallets and even cash them out off-market, making them more difficult to trace. Therefore, he urgently applied to the court for a worldwide asset freezing order, and asked that the first defendant and other unknown wallet holders be required to disclose and return the crypto assets involved.

Kronos Research partner Bane said that the team also has a lot of outrageous life-related materials that have not been presented in the court documents but are more or less directly related to the case, so we are more focused on recovering the funds themselves. Everyone was surprised when all the evidence pointed to someone on the team whom everyone once trusted very much. But motive is motive, everything is based on facts, and I believe that the law will bring a fair result. Until it is officially confirmed, he is still a suspect.

Bane said that the team had always believed the super permissions had been transferred to the multi-sig, but the OpenZeppelin permission library that he used is many-to-many, so the permissions of the initial dev wallet were never given up. When deploying, everyone usually uses an EOA, and after deployment the permissions are handed over to a multi-sig. After the contract was created, the dev wallet he controlled held the super admin[0] permission under the initial settings of the OpenZeppelin permission library. He later granted the super admin permission to the multi-sig and lied in the chat records that he had renounced it from the EOA, but in fact the revoke transaction was never sent. Later, he said he had thought permission management was one-to-one rather than many-to-many; in other words, he falsely claimed to have believed that the dev wallet would automatically give up the permission once it was granted to the multi-sig. Based on the trust relationship, no one double-checked the contract state, which led to the tragedy.

After the incident, the defendant said: "My problem, I forgot the revoke permission, a very, very low-level error."
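The check that was skipped can be shown with a short model. This is an added example, not code from Infini or from the court documents: it replays OpenZeppelin AccessControl-style `RoleGranted` / `RoleRevoked` events and flags any role holder other than the expected multi-sig. The addresses, the event list and the use of `DEFAULT_ADMIN_ROLE` as the "super admin" role are assumptions made for illustration.

```python
# Added example: replay OpenZeppelin-style AccessControl events to list who
# still holds each role. All addresses and events below are constructed.
from collections import defaultdict

DEFAULT_ADMIN_ROLE = "0x" + "00" * 32  # AccessControl's default admin role id

def current_role_holders(events):
    """Replay (event_name, role, account) tuples in chain order.

    Roles are many-to-many: RoleGranted adds a member, and only an explicit
    RoleRevoked (emitted by revokeRole/renounceRole) removes one.
    """
    holders = defaultdict(set)
    for name, role, account in events:
        account = account.lower()
        if name == "RoleGranted":
            holders[role].add(account)
        elif name == "RoleRevoked":
            holders[role].discard(account)
    return holders

def unexpected_holders(events, allowed):
    """Return {role: sorted accounts} for members not on the allow-list."""
    allowed = {a.lower() for a in allowed}
    findings = {}
    for role, members in current_role_holders(events).items():
        extra = sorted(members - allowed)
        if extra:
            findings[role] = extra
    return findings

# Constructed placeholders, not addresses from the incident.
DEV_EOA = "0x" + "d" * 40
MULTISIG = "0x" + "a" * 40

# Deployment grants the admin role to the deployer EOA; the "handover" then
# grants it to the multi-sig, but no revoke for the EOA is ever sent.
HANDOVER_WITHOUT_REVOKE = [
    ("RoleGranted", DEFAULT_ADMIN_ROLE, DEV_EOA),
    ("RoleGranted", DEFAULT_ADMIN_ROLE, MULTISIG),
]
# The same handover completed correctly.
HANDOVER_WITH_REVOKE = HANDOVER_WITHOUT_REVOKE + [
    ("RoleRevoked", DEFAULT_ADMIN_ROLE, DEV_EOA),
]

if __name__ == "__main__":
    print(unexpected_holders(HANDOVER_WITHOUT_REVOKE, allowed=[MULTISIG]))
    print(unexpected_holders(HANDOVER_WITH_REVOKE, allowed=[MULTISIG]))
```

On a deployed AccessControl contract, calling `hasRole(role, account)` for the deployer address answers the same question for a single account without replaying events.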

The case has not yet been judged, and the submitted litigation documents are accompanied by a large number of the first defendant's chat records. Interested readers can download the original file:

Link: https://howsewilliams-my.sharepoint.com/:f:/p/regulatory/EtrvPWcvev1An5eEDMRNoRgBc1Ih7x0l6dR-Cf-0E-rC8Q?e=1g9OPJ

Extraction password: D1234@5##
