Infini was hacked for 50 million USD: An engineer's 100x contract liquidation led to high-interest debt, with significant suspicion of an "insider."

PANews
9 days ago

Editor | Cat Brother Wu Talks Blockchain

Background

On February 24, the Web3 credit card and financial project Infini was hacked, resulting in the theft of $49.5 million from the Morpho MEVCapital Usual USDC Vault. Infini's founder, Christian, stated at the time: "Of the $50 million stolen, 70% belongs to friends I know personally. I have already communicated with them one by one and will personally bear the potential losses. The remaining funds will be reinvested into the Infini vault before next Monday, and everything will return to normal." He also expressed a willingness to pay the hacker 20% of the stolen amount as a ransom, promising that no legal action would be taken if the funds were returned.

On February 24 at 8 PM, the Infini Team sent an on-chain message to the Infini Exploiter 2: 0xfc…6e49:

We hereby inform you that we have obtained key IP and device information regarding your attack on Infini. This is thanks to the strong support of top exchanges, security agencies, partners, and our community. We are closely monitoring the relevant addresses and are prepared to freeze the stolen funds at any time. To resolve this matter peacefully, we are willing to offer 20% of the stolen assets as a reward, provided you choose to return the funds. Once we receive the returned funds, we will cease further tracking or analysis, and you will not bear any responsibility. We sincerely urge you to take action within the next 48 hours to reach a resolution as soon as possible. If we do not receive your response by the deadline, we will have no choice but to continue cooperating with local law enforcement to investigate this incident thoroughly. We genuinely hope to reach a solution that is most beneficial for all parties involved.

On February 26, the Infini Team sent another on-chain message:

More than 48 hours have passed since the attack, and we hereby provide one last opportunity for you to return the stolen funds. If you choose to return the funds, we will immediately stop all tracking and analysis, and you will face no consequences. Please send 14,156 ETH (80% of the stolen funds) to our Cobo custody wallet:

Wallet address: 0x7e857de437a4dda3a98cf3fd37d6b36c139594e8

On February 27, Christian stated that a formal case regarding the Infini hacking incident had been filed in Hong Kong.

In terms of funds, the hacker address 0x3a…5Ed0 exchanged 49.52 million USDC for an equivalent amount of DAI through Sky (MakerDAO) on the 24th, then swapped the DAI for approximately 17,700 ETH in multiple transactions via Uniswap and sent it to the new address 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49. Since then, these funds have not been moved (they are suspected to have come under law-enforcement control immediately), but because of the recent decline in ETH prices, the ETH is currently worth only $35.15 million.

https://intel.arkm.com/explorer/address/0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49

Litigation Content

On March 20 at 6 PM, the Infini Team sent an on-chain message to the Infini Exploiter 2: 0xfc…6e49, warning the relevant address that the $50 million lost in the earlier attack on Infini is the subject of an ongoing, contested legal dispute. Any subsequent holders of the cryptocurrency assets previously stored in the above wallet (if any) cannot claim to be "good faith purchasers."

Additionally, the message included a link to the court litigation documents, which are as follows:

The plaintiff is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a Hong Kong registered company wholly owned by Infini Labs. The first defendant is Chen Shanxuan, who works remotely in Foshan, Guangdong, and the second to fourth defendants are currently unidentified individuals.

The plaintiff, along with BP Singapore, developed a smart contract for managing company and client funds, with development led by the first defendant. The contract was originally set up with multi-signature permissions to strictly control any fund transfers.

When the contract went live on the mainnet, the first defendant allegedly retained "super admin" privileges but falsely claimed to other team members that he had "transferred" or "removed" that privilege.

In late February 2025, the plaintiff discovered that cryptocurrency assets worth approximately $49,516,662.977 USDC had been transferred out to several unknown wallet addresses (controlled by the second to fourth defendants) without multi-signature permission.

Fearing that the defendants or unidentified individuals would further transfer or launder the assets, the plaintiff applied to the court for:

  1. A "restraining order" against the first defendant and related unidentified individuals to restrict their transfer or disposal of the stolen assets;
  2. An order for the defendants or actual controllers of the relevant wallets to self-disclose their identities;
  3. Issuance of various mandatory orders prohibiting the first defendant and other unknown wallet holders from disposing of the assets;
  4. A request for the other party to disclose transaction and asset information;
  5. Permission for the plaintiff to "serve extraterritorially" (i.e., serve legal documents to overseas defendants) and alternative methods of service.

In one of the affidavits, the plaintiff stated: I recently learned that the first defendant has a serious gambling habit, which may have led him to incur massive debts. I believe this prompted him to steal the involved assets to alleviate his debts. The plaintiff also submitted screenshots of relevant message records to prove that the first defendant "may be in massive debt." (The plaintiff indicated that the defendant subsequently became obsessed, using 100x leverage in daily contracts.)

According to the affidavit, the first defendant also borrowed funds from different channels in a relatively short period, and even allegedly contacted "underground banks" or so-called "loan sharks," leading to pressure from high interest rates and debt collection calls. Exhibit "CCL-17" mentions that he sought help in a chat, stating that he was burdened with "interest from several lenders" and continuously inquired whether he could borrow more money to get through the difficulties or asked others to help introduce new funding sources.

Not long before the incident, the first defendant had revealed in work groups or private conversations with colleagues/friends that his financial situation was "very tight," even expressing anxiety that "if I can't get money again, something will happen." These statements almost coincided with the timing of the unauthorized transfer of the company's cryptocurrency assets, reinforcing the plaintiff's judgment of the first defendant's "motive": possibly taking risks due to the pressure of massive debt.

According to the plaintiff's statement, the first defendant repeatedly avoided or gave vague answers when asked about personal finances or gambling issues, being unclear about how much debt he had or whether he was still gambling. The affidavit states that the first defendant pretended that "there was no big problem" from the end of October until the incident, but the content he discussed in chat software with others was clearly contradictory to this.

The plaintiff is concerned that if the first defendant is eager to repay gambling debts or continue to recover losses, he may quickly transfer the stolen digital assets to other wallets or even cash them out, making it more difficult to trace. Therefore, the plaintiff urgently applied to the court for a worldwide asset freeze order and requested that the first defendant and other unknown wallet holders disclose and return the involved cryptocurrency assets.

Bane, a partner at Kronos Research, stated that the team also has a lot of outrageous lifestyle-related materials that have not been presented in court documents, but they are not directly related to the case, and they are still more focused on recovering the funds themselves. When all evidence points to someone who was once very trusted within the team, everyone is surprised. But motive is motive; everything is based on facts, and we believe the law will bring about a just result. Until a formal judgment is made, he remains a suspect.

Bane stated that the team always believed that super privileges had been transferred to multi-signature, but he used OpenZeppelin's permission library, which has always been many-to-many, so the initial dev wallet's permissions were never relinquished. Generally, everyone uses EOA for deployment, and after deployment, they transfer permissions to multi-signature. The dev wallet he controlled, based on the initial settings of OpenZeppelin's permission library, defaulted to having super admin[0] privileges. He later claimed to have transferred this super admin privilege to multi-signature and falsely stated in chat records that he had relinquished the EOA, but in reality, the revoke transaction was never issued. He later said he thought permission management was one-to-one rather than many-to-many, meaning he falsely claimed that as long as he granted permissions to multi-signature, the dev wallet's permissions would automatically be relinquished. Based on the trust relationship, no one double-checked the contract status, leading to tragedy.
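
The unchecked contract status described above can be verified mechanically. The following is an added example, not code from Infini, the court filings or this article: it replays role events of the kind OpenZeppelin's AccessControl emits (RoleGranted / RoleRevoked) over a constructed log and reports any role holder outside policy. The addresses, the event list, the policy and the function names replay_roles and audit are assumptions made for illustration.

```python
from collections import defaultdict

# OpenZeppelin AccessControl's DEFAULT_ADMIN_ROLE is the all-zero bytes32.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32

# Constructed placeholder addresses (assumptions, not from the incident).
DEPLOYER_EOA = "0x" + "d1" * 20
MULTISIG = "0x" + "a5" * 20

# Constructed event log in block order: (event name, role, account).
SAMPLE_EVENTS = [
    ("RoleGranted", DEFAULT_ADMIN_ROLE, DEPLOYER_EOA),  # set at deployment
    ("RoleGranted", DEFAULT_ADMIN_ROLE, MULTISIG),      # the "handover"
    # No RoleRevoked for DEPLOYER_EOA follows.
]

# Policy: the only account that should hold the admin role.
POLICY = {DEFAULT_ADMIN_ROLE: {MULTISIG}}


def replay_roles(events):
    """Rebuild role -> set of holders. A grant adds; only a revoke removes."""
    holders = defaultdict(set)
    for name, role, account in events:
        if name == "RoleGranted":
            holders[role].add(account.lower())
        elif name == "RoleRevoked":
            holders[role].discard(account.lower())
        else:
            raise ValueError(f"unexpected event {name!r}")
    return holders


def audit(events, policy):
    """Return {role: sorted holders not allowed by policy}; empty means clean."""
    findings = {}
    for role, members in replay_roles(events).items():
        allowed = {a.lower() for a in policy.get(role, ())}
        extra = members - allowed
        if extra:
            findings[role] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("after handover:", audit(SAMPLE_EVENTS, POLICY))
    revoked = SAMPLE_EVENTS + [("RoleRevoked", DEFAULT_ADMIN_ROLE, DEPLOYER_EOA)]
    print("after revoke:  ", audit(revoked, POLICY))
```

Granting the role to the multisig leaves the deployer in the holder set; only an explicit revoke (or renounce, which emits the same RoleRevoked event) clears the finding.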

After the incident, the defendant stated: My problem, I forgot to revoke permissions, a very, very low-level mistake.

The case has not yet been adjudicated, and the submitted litigation documents contain a large number of chat records from the first defendant. Interested readers can download the original file:

Link: https://howsewilliams-my.sharepoint.com/:f:/p/regulatory/EtrvPWcvev1An5eEDMRNoRgBc1Ih7x0l6dR-Cf-0E-rC8Q?e=1g9OPJ

Extraction password: D1234@5##
