The main suspect in the $50 million USDC heist from the cryptocurrency payments company is a rogue developer who kept admin credentials after the project was completed.
Infini, a stablecoin payment company, lost $50 million due to an exploit that may have been carried out by a developer who had administrative rights after the project was completed.
According to security firm Cyvers, the offender is thought to have worked on the Infini project for contract development and covertly kept admin rights after the project was over.
The hacker utilized $2,700 from the cryptocurrency mixing provider Tornado Cash to finance the wallet used in the attack. Then, using a contract they drafted in November 2024, they transferred $49.52 million worth of USD Coin USDC $0.9998 from Infini.
The USDC was instantly replaced with the stablecoin Dai Dai $0.9999, which lacks a freeze mechanism. At the time of writing, the money had been transferred to a secondary address and converted to 17,696 ETH.
Christian Li, the founder, stated in an X post that, in the worst situation, full compensation would be paid, and the Infini team did not halt withdrawals. Li went on to say that since the heist, the platform has seen withdrawals totaling $500,000.
