The founder of Infini, a stablecoin digital bank, Christian Li, has extended a 20% bounty offer to a hacker following a $49.5 million heist. In a blockchain transaction, Li sent 0.1 ETH to the hacker’s wallet, acknowledging their skills in identifying vulnerabilities in Infini’s protocol.

The message reiterated the company’s offer: if the hacker returns the stolen funds, they can keep 20% as a bounty, with no legal repercussions. This marks Infini’s second direct message to the hacker. The first message, sent on February 24, the day of the attack, warned that the company was monitoring the compromised wallet and set a 48-hour deadline for a response, threatening further investigation and possible law enforcement action.

This attack occurred shortly after Infini announced reaching $50 million in total value locked (TVL). Unauthorized transactions linked to an Infini-affiliated contract on Ethereum were identified by blockchain security firm CertiK.

• The attacker exploited a privileged account labeled “0xc49b…” to withdraw 49.5 million USD Coin (USDC), which was then converted to Dai (DAI) and used to purchase 17,696 Ethereum (ETH). The Ethereum was reportedly transferred to a different wallet identified as “0xfcc8…6e49.”  
• According to cybersecurity firm Cyvers, the incident was attributed to an insider threat, as a developer setting up Infini’s smart contracts retained administrative rights and later used them to drain funds. The wallet used in the transfer had previously interacted with Tornado Cash, a cryptocurrency mixer known for obscuring transaction trails.
• This method of attack differentiates the Infini breach from other recent high-profile crypto heists, such as Bybit’s, which stemmed from weaknesses in wallet security rather than insider manipulation.

In the aftermath of the attack, Infini’s co-founder assured customers they would be reimbursed. Meanwhile, the company continues to negotiate with the hacker, hoping to recover some stolen funds through the bounty offer.

Source: NAIRAMETRICS