February 24, 2025 – The decentralized finance (DeFi) world was rocked today by yet another high-profile security breach, as stablecoin bank Infini suffered a staggering $49.5 million exploit. Blockchain security firm PeckShieldAlert reported suspicious transactions flagged by a community member, revealing that the stolen funds were funneled through Tornado Cash, a crypto mixing service, and swapped from USDC to DAI, then to approximately 17,700 ETH, before being transferred to a new wallet address (0xfcc8a…6e49). The breach, linked to a leaked private key (0xc49b…e3e1), underscores the escalating risks plaguing Web3 ecosystems, drawing unsettling parallels to the recent $1.5 billion Bybit hack.

How the Infini Hack Happened

Infini’s leadership swiftly responded to the crisis, with a statement attributed to the project’s founder assuring users, “Don’t worry, we will pay the full amount. The engineer involved has been identified. A police report has been filed. Infini will be fine.” While this promise of compensation offers some reassurance, the incident exposes deep-seated vulnerabilities in Web3 infrastructure—issues that have become all too familiar following the Bybit attack just days ago.

The Infini hack unfolded with chilling precision. PeckShieldAlert’s analysis revealed that the attacker, believed to be a former developer who retained administrative privileges, exploited a smart contract weakness. After quietly maintaining control for over 100 days, the hacker drained $49.5 million in USDC, converting it into DAI and then ETH via Tornado Cash to obscure the funds’ trail. This methodical approach mirrors tactics reportedly used by the Lazarus Group, the North Korean hacking collective suspected in Bybit’s record-breaking $1.5 billion Ethereum theft on February 21. In both cases, the exploitation of insider access or security oversights facilitated devastating losses, raising questions about the adequacy of safeguards in Web3 platforms.

Bybit, one of the world’s largest cryptocurrency exchanges, faced its own nightmare when hackers siphoned $1.5 billion worth of ETH from an offline cold wallet—a system designed for maximum security. CEO Ben Zhou confirmed the breach, attributing it to a sophisticated attack that deceived wallet signers through a “masked” user interface and URL. Despite assurances that Bybit remains solvent and has replenished reserves with $1.23 billion in loans and purchases, the incident triggered a “bank run” with over $5.3 billion in withdrawals, shaking user confidence. The connection between the two hacks is further hinted at by on-chain data: both attackers used Tornado Cash to launder funds, a tactic synonymous with Lazarus Group’s playbook.

These back-to-back breaches spotlight the precarious state of Web3 security. The nascent technology, built on decentralization and blockchain, promises a future of financial sovereignty and transparency. Yet, its rapid growth has outpaced the development of robust defenses, leaving billions in digital assets exposed. The Infini hack, following so closely on Bybit’s heels, amplifies concerns about insider threats, private key leaks, and the misuse of administrative controls—vulnerabilities that Web3’s decentralized ethos struggles to address.

The risks extend beyond individual platforms. Cryptocurrency heists, up 102% in 2024 with over $1.34 billion stolen, per Chainalysis, exploit the lucrative rewards and attribution challenges inherent in Web3. Tornado Cash, a go-to tool for obfuscating transactions, remains a thorn in the side of regulators and investigators. Recent scrutiny from the U.S. SEC has curtailed its utility for laundering, yet hackers persist, adapting to new methods. For users, the fallout is immediate: market volatility spiked after Bybit’s hack, with ETH dipping 7% before recovering to $2,765, while Infini’s exploit threatens further instability.

Web3’s promise hinges on trust, but trust is eroding. Bybit’s swift recovery—bolstered by emergency liquidity from Binance, Bitget, and others—demonstrates industry solidarity, yet it doesn’t erase the underlying flaws. Infini’s reliance on a single engineer’s oversight, like Bybit’s cold wallet lapse, points to a broader issue: human error remains the weakest link in a system designed to eliminate it. As crypto analyst Anndy Lian noted post-Bybit, “Withdrawals aren’t about distrust; they’re about precaution.” Users are left questioning whether their funds are truly safe, even on reputable platforms.

The path forward demands accountability and innovation. Bybit’s release of a suspicious wallet “blacklist” API and Infini’s police report signal proactive steps, but Web3 must evolve beyond reactive fixes. Enhanced audits, multi-signature wallets, and decentralized governance could mitigate risks, yet adoption lags. Until then, the specter of hacks looms large, threatening to undermine Web3’s transformative potential. For now, Infini and Bybit serve as stark reminders: in the race to redefine finance, security can’t afford to finish last.


Lumyna is a leading voice in the Web3, crypto media, and influence space, delivering insightful analysis, breaking news, and expert opinions on the rapidly evolving digital asset landscape. With a commitment to accuracy, transparency, and innovation, Lumyna empowers investors, developers, and enthusiasts with the knowledge they need to navigate the complex world of cryptocurrencies, blockchain technology, and decentralized finance (DeFi). As a trusted source in the crypto industry, Lumyna is dedicated to shaping the future of digital finance through high-quality content, thought leadership, and unwavering integrity.