Editor | Cat Brother Wu talks about blockchain
Background
On February 24, the Web3 credit card and financial management project Infini was stolen, and funds worth $49.5 million flowed out of the Morpho MEVCapital Usual USDC Vault. Infini founder Christian said at the time: "70% of the stolen $50 million belonged to big friends I know. I have communicated with them one by one and I will bear the possible losses personally. The remaining funds will be reinvested in the Infini vault before next Monday, and everything will remain the same." He also said that he was willing to pay 20% of the stolen amount to the hacker as a ransom, and promised not to take legal action if the funds were returned.
At 20:00 on February 24, Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49:
We would like to inform you that we have obtained key IP and device information about your attack on Infini. This is made possible by the strong support of top exchanges, security agencies, partners and our community. We are closely monitoring the relevant addresses and are ready to freeze the stolen funds at any time. In order to resolve this matter peacefully, we are willing to provide 20% of the stolen assets in return, provided that you choose to return the funds. Once the returned funds are received, we will stop further tracking or analysis, and you will not be held liable. We kindly ask you to take action within the next 48 hours so that a solution can be reached as soon as possible. If no response is received from you within the deadline, we will have no choice but to continue to cooperate with local law enforcement agencies to further investigate this incident. We sincerely hope that a solution that is most beneficial to all parties can be reached.
On February 26, the Infini Team sent another on-chain message to it:
More than 48 hours have passed since the attack, and we are offering you one last chance to return the stolen funds. If you choose to return the funds, we will immediately stop all tracking and analysis, and you will not face any consequences. Please send 14156 ETH (80% of the stolen funds) to our Cobo escrow wallet:
Wallet address: 0x7e857de437a4dda3a98cf3fd37d6b36c139594e8
On February 27, Christian said that a case regarding the Infini hacking incident had been officially filed in Hong Kong.
In terms of funds, the hacker address 0x3a...5Ed0 exchanged 49.52 million USDC for an equal amount of DAI through Sky (MakerDAO) on the 24th, and then exchanged the DAI for about 17,700 ETH in multiple transactions through Uniswap and sent it to the new address 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49. Since then, the funds have not been moved further (the defendant is suspected to have been brought under law enforcement control at an early stage), but because of the recent low ETH price, these ETH are currently worth only 35.15 million US dollars.
https://intel.arkm.com/explorer/address/0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49
Litigation
At 18:00 on March 20, Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49 and a warning to the related addresses, stating that the $50 million lost by Infini in the earlier attack is the subject of an ongoing legal dispute. Any subsequent holders of crypto assets that have passed through the above wallets (if any) may not claim to be "good faith purchasers."
In addition, the court litigation documents were attached in the message by way of a link. The specific contents are as follows:
The plaintiff is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a Hong Kong-registered company wholly owned by Infini Labs. The first defendant is Chen Shanxuan, who works remotely from Foshan, Guangdong. The second to fourth defendants’ true identities cannot be confirmed for the time being.
The plaintiff and BP Singapore jointly developed a smart contract for managing company and customer funds, which was written by the first defendant. The contract originally set up multi-signature permissions to strictly control any fund transfer.
When the contract was launched on the mainnet, the first defendant allegedly retained the highest authority of "super admin", but lied to other team members that he had "transferred" or "removed" this authority.
In late February 2025, the plaintiff discovered that crypto assets worth approximately USDC 49,516,662.977 were transferred to several unknown wallet addresses (wallets controlled by the second to fourth defendants) without multi-signature permission.
Fearing that the defendant or unidentified persons would further transfer or launder assets, the plaintiff applied to the court:
1. An injunction against the first defendant and related unknown persons to restrict them from transferring or disposing of the stolen assets;
2. Order the defendant or the person actually controlling the relevant wallets to disclose his or her identity;
3. Issue various mandatory orders prohibiting the disposal of assets against the first defendant and other unknown wallet holders;
4. Require the other party to disclose transaction and asset information;
5. Allow plaintiffs to “serve extraterritorially” (i.e. serve legal documents to defendants outside the country) and use alternative methods of service.
In the body of one of the affidavits, the plaintiff stated: I recently learned that the first defendant had a serious gambling habit, which may have caused him to be in huge debt. I believe this prompted him to steal the assets involved in the case to alleviate his debts. The plaintiff also submitted screenshots of relevant message records to prove that the first defendant "may be in huge debt." (The plaintiff pointed out that the defendant subsequently became obsessed and opened contracts with 100 times leverage on a daily basis)
According to the affidavit, the first defendant also borrowed funds from various channels in a relatively short period of time, and was even suspected of contacting "underground banks" or so-called "loan sharks", which led to the pressure of high interest rates and debt collection calls. Exhibit "CCL-17" mentioned that he asked for help from others during the chat, saying that he was burdened with "interest from several companies" and kept asking if he could borrow more money to tide over the difficulties, or asked the other party to help introduce new sources of funds.
Shortly before the case occurred, the first defendant revealed in work groups or private communications with colleagues/friends that his financial situation was "very tight", and even expressed anxiety that "if he couldn't get more money, something would go wrong". These remarks almost coincided with the time when the company's crypto assets were subsequently transferred without authorization, which strengthened the plaintiff's judgment on the first defendant's "motive": he may have taken risks due to the pressure of huge debts.
According to the plaintiff's statement, the first defendant evaded or gave only general answers when asked about personal finances or gambling problems, and was vague about how much debt he had and whether he was still gambling. The affidavit stated that the first defendant had been pretending that "there was no big problem" from the end of October until the incident, but the content of his discussions with others on the chat software clearly contradicted this.
The plaintiff was worried that if the first defendant was eager to repay his gambling debts or continue to make a comeback, he might continue to quickly transfer the stolen digital assets to other wallets or even cash them out off-site, making it more difficult to track them. Therefore, he urgently applied to the court for a worldwide asset freezing order and required the first defendant and other unknown wallet holders to disclose and return the crypto assets involved.
Bane, a partner at Kronos Research, said that the team still has a lot of outrageous life-related materials that have not been presented in the court documents, but they are more or less not directly related to the case. We are still more focused on recovering the funds. When all the evidence points to a person who everyone in the team once trusted very much, everyone was surprised. But motives are motives, everything is based on facts, and I believe that the law will bring fair results. Before the official hammer falls, he is still a suspect.
Bane said that the team always thought that the super permissions had been transferred to the multi-signature, but he used the OpenZeppelin permission library, which was always many-to-many, so the permissions of the initial dev wallet were never given up. When deploying, everyone generally uses an EOA, and after deployment the permissions are transferred to the multi-signature. After the contract was created, the dev wallet controlled by him had super admin[0] permissions by default based on the initial settings of the OpenZeppelin permission library. He later transferred this super admin permission to the multi-signature and lied in the chat history that he had waived the EOA, but in fact the revoke transaction had never been issued. Later, he said that he thought permission management was one-to-one rather than many-to-many, which means he lied that as long as the permissions were granted to the multi-signature, the dev wallet permissions would be automatically waived. Based on the trust relationship, no one checked the contract status a second time, resulting in tragedy.
The defendant said after the incident: My problem was that I forgot to revoke the permission, which was a very low-level mistake.
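The failure Bane describes is a property of OpenZeppelin's AccessControl: roles are a many-to-many mapping, so granting DEFAULT_ADMIN_ROLE to a multisig adds a second admin and never removes the first. The contract below is an added illustration written for this article, not Infini's code; it assumes OpenZeppelin Contracts v5.x (the import path differs in v4) and invents the names TreasuryVault, handoverInsecure, handoverSecure and adminHolders. It shows the incomplete handover beside a handover that revokes the deployer in the same transaction and asserts the resulting state on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's contract. Assumes OpenZeppelin Contracts v5.x;
// the enumerable extension is used so the set of admins can be listed and counted.
import {AccessControlEnumerable} from
    "@openzeppelin/contracts/access/extensions/AccessControlEnumerable.sol";

contract TreasuryVault is AccessControlEnumerable {
    bytes32 public constant TREASURER_ROLE = keccak256("TREASURER_ROLE");

    event AdminHandedOver(address indexed from, address indexed to);

    constructor() {
        // DEFAULT_ADMIN_ROLE is bytes32(0), the "super admin" that can grant and
        // revoke every other role. The deployer EOA holds it from this point on
        // and keeps it until it is explicitly revoked or renounced; granting the
        // same role to another account later does not remove it.
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // The pattern described in the article: the multisig becomes an admin, but the
    // deployer EOA remains one too. hasRole(DEFAULT_ADMIN_ROLE, deployer) stays true.
    function handoverInsecure(address multisig) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _grantRole(DEFAULT_ADMIN_ROLE, multisig);
        // Missing: _revokeRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Correct handover: grant first (so the contract is never left without an
    // admin), revoke the caller in the same transaction, then assert the end
    // state so a partial handover cannot be mistaken for a complete one.
    function handoverSecure(address multisig) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(multisig != address(0) && multisig != msg.sender, "invalid multisig");

        _grantRole(DEFAULT_ADMIN_ROLE, multisig);
        _revokeRole(DEFAULT_ADMIN_ROLE, msg.sender);

        // Both checks are what a reviewer would otherwise have to run by hand.
        require(!hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "deployer still admin");
        require(getRoleMemberCount(DEFAULT_ADMIN_ROLE) == 1, "unexpected extra admin");

        emit AdminHandedOver(msg.sender, multisig);
    }

    // Read-only enumeration of every DEFAULT_ADMIN_ROLE holder. Calling this
    // (or hasRole directly) against the live contract is the second check the
    // article says nobody performed.
    function adminHolders() external view returns (address[] memory holders) {
        uint256 n = getRoleMemberCount(DEFAULT_ADMIN_ROLE);
        holders = new address[](n);
        for (uint256 i = 0; i < n; i++) {
            holders[i] = getRoleMember(DEFAULT_ADMIN_ROLE, i);
        }
    }

    // Example privileged action gated on a role the admin can grant or revoke.
    function withdraw(address payable to, uint256 amount) external onlyRole(TREASURER_ROLE) {
        (bool ok,) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

The verification does not depend on the contract cooperating: for any deployed AccessControl contract, a single eth_call to `hasRole(0x00..00, deployerEOA)` returning true after a supposed handover is the finding, and for enumerable variants `getRoleMemberCount(0x00..00)` greater than one means more than one super admin exists. Treating that read as a mandatory post-deployment step, performed by someone other than the deployer, removes the reliance on chat-room assurances that the article describes.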
The case has not yet been decided. The submitted litigation documents include a large number of chat records of the first defendant. Interested readers can download the original files:
Link: https://howsewilliams-my.sharepoint.com/:f:/p/regulatory/EtrvPWcvev1An5eEDMRNoRgBc1Ih7x0l6dR-Cf-0E-rC8Q?e=1g9OPJ
Extract password: D1234@5##