Also: $31M From Uranium Hack Seized, SEC Wraps Up Crypto Lawsuits

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week: the $49M Infini exploit, Bybit updates, seized Uranium hack funds, an OKX settlement and a DeepSeek crypto scam. Also, the SEC dismissed its Coinbase, Robinhood, Uniswap and Gemini probes as well as its crypto dealer rule. It launched a new crypto fraud unit.
$49M Infini Exploit
Hackers stole $49 million from Hong Kong-based stablecoin neobank Infini, said security firm Cyvers. They routed the stolen funds through Tornado Cash and converted them into ether. Cyvers said the breach stemmed from compromised administrative privileges, enabling the attacker to manipulate the contract settings and siphon funds. Infini acknowledged the security breach, with founder “Christian” stating the attacker had retained admin access rather than exploiting a private key leak. He said that Infini’s liquidity remained intact and that affected users would be compensated.
$1.5B Bybit Hack Updates
The FBI fingered North Korea for the theft of $1.5 billion in virtual assets from the cryptocurrency exchange Bybit. Tracked as TraderTraitor, the North Korean cyber operation has rapidly converted chunks of stolen funds into bitcoin and other digital assets, dispersing them across thousands of blockchain addresses. The FBI said that these assets are expected to be further laundered and ultimately converted to fiat currency.
The news comes on the heels of Bybit CEO Ben Zhou expanding the exchange’s bounty program to recover the stolen funds. Called the Lazarus Bounty, the initiative enables users to connect wallets and track actors facilitating illicit transactions, with a 5% reward for freezing stolen funds.
Bybit lost over $1.5 billion in Ethereum-based tokens in what may be the largest single-day exploit in history. The exchange has garnered praise for its transparency in quickly disclosing details, securing a bridge loan to cover losses and launching a 10% bounty program. By Monday, Bybit had closed the ETH shortfall, restoring withdrawal stability (see: Bybit Restores $1.4 Billion in Stolen Ether).
So far, $43 million has been recovered with the help of Mantle, SEAL 911 and mETH teams. Zhou plans to expand the bounty program to other victims in the future.
Separately, Zhou said that attackers likely executed the hack during a routine funds rotation from a cold wallet to a warm wallet using the Safe wallet’s interface. The hackers manipulated the transaction, gaining control of the affected cold wallet and diverting its funds. Cybersecurity firms Sygnia and Verichains found that the attackers compromised a Safe developer machine, injecting malicious JavaScript into its AWS S3 bucket. This altered code, cached on multisig signers’ devices, masked the transaction’s true destination, effectively tricking signers into authorizing a fraudulent transfer. Bybit’s core infrastructure wasn’t breached, it said. In response, Safe said it has fully rebuilt and reconfigured its systems while rotating credentials.
Authorities Seize $31M From Uranium Finance Hackers
U.S. authorities seized $31 million in cryptocurrency tied to the April 2021 hack of Uranium Finance, which resulted in a $50 million loss, said the Southern District of New York and Homeland Security Investigations. Uranium Finance, an automated market maker on the BNB Chain, was exploited during a protocol migration due to a smart contract bug. Attackers used the flaw to drain nearly all assets from the platform’s liquidity pool. The stolen funds were initially laundered through Tornado Cash. According to blockchain investigator ZachXBT, the attackers also used “Magic: The Gathering” trading cards to obscure their transactions further. Uranium Finance has since shut down.
OKX Settles AML Violation Case With $500M Penalty
OKX operator Aux Cayes FinTech Co. pleaded guilty in U.S. federal court to running an unlicensed money transmitting business, violating anti-money laundering laws. The company will pay over $500 million in fines, including $84 million in penalties and $421 million in forfeited fees earned from institutional clients. OKX knowingly allowed $5 billion in suspicious transactions between 2018 and early 2024, despite having a policy barring U.S. customers since 2017. Federal authorities criticized the exchange for advising users on bypassing compliance procedures. While OKX claims no customer harm occurred, it has pledged to strengthen regulatory compliance.
Hackers Run DeepSeek Scam to Steal Crypto
Threat actors are exploiting brand impersonation tactics to create fake websites mimicking Chinese AI chatbot DeepSeek to steal user data and cryptocurrency. Researchers at Zscaler said that fraudulent domains such as deepseekso.com and deepseeksky.com are tricking users into sharing personal information and downloading the Vidar information stealer. The attack begins with a fake registration process on the fraudulent site, followed by a bogus CAPTCHA page. A malicious JavaScript copies a PowerShell command to the clipboard, which, if executed, installs Vidar. This malware exfiltrates passwords, cryptocurrency wallet data and stored cookies. Vidar also hides its command-and-control infrastructure using Telegram and specifically targets crypto-related files.
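As an added illustration that is not part of the original report, the sketch below shows one way a defender could triage captured page source for the clipboard step described above: it flags inline scripts that both write to the clipboard and carry a PowerShell invocation, in clear text or as a base64 literal. The function names, the sample pages and the placeholder command are constructed for this example.

```javascript
// Added example: flag inline scripts that write to the clipboard AND carry
// a PowerShell invocation, either in clear text or as a base64 literal.
const CLIPBOARD_WRITE = [
  /navigator\.clipboard\.writeText\s*\(/i,
  /document\.execCommand\s*\(\s*['"]copy['"]/i,
];
const POWERSHELL = /\b(?:powershell|pwsh)(?:\.exe)?\b/i;
const BASE64_LITERAL = /['"`]([A-Za-z0-9+\/]{16,}={0,2})['"`]/g;

// Bodies of inline <script> elements (external scripts need fetching first).
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]).filter((s) => s.trim());
}

// Decode quoted base64 literals so an encoded command is inspected too.
function decodedLiterals(script) {
  return [...script.matchAll(BASE64_LITERAL)]
    .map((m) => Buffer.from(m[1], "base64").toString("latin1"))
    .filter((text) => /^[\x20-\x7e\r\n\t]+$/.test(text)); // printable only
}

function findClipboardLures(html) {
  const findings = [];
  inlineScripts(html).forEach((script, index) => {
    if (!CLIPBOARD_WRITE.some((re) => re.test(script))) return;
    if (POWERSHELL.test(script)) {
      findings.push({ script: index, reason: "cleartext-command" });
    } else if (decodedLiterals(script).some((t) => POWERSHELL.test(t))) {
      findings.push({ script: index, reason: "base64-command" });
    }
  });
  return findings;
}

// Constructed sample pages; the copied command is a harmless placeholder.
const CMD = 'powershell -NoProfile -Command "Write-Output constructed"';
const SAMPLES = {
  clear: `<script>v.onclick = () => navigator.clipboard.writeText('${CMD}');</script>`,
  encoded: `<script>t.value = atob("${Buffer.from(CMD).toString("base64")}");
    t.select(); document.execCommand("copy");</script>`,
  benignCopy: `<script>navigator.clipboard.writeText(location.href);</script>`,
  noClipboard: `<script>console.log("Requires PowerShell 7");</script>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(findClipboardLures(html)));
}
```

Requiring both signals keeps ordinary "copy link" buttons and pages that merely mention PowerShell out of the results; scripts that build the command by string concatenation would need a rendering sandbox rather than static matching.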
SEC Dismisses Coinbase Lawsuit
The U.S. Securities and Exchange Commission agreed to dismiss its lawsuit against Coinbase, which accused the exchange of operating as an unregistered securities broker. The decision is still pending approval from the commission before it becomes official. Coinbase CEO Brian Armstrong called the move a “major win” for the crypto industry, impacting 50 million American crypto holders and setting a global precedent. The SEC sued Coinbase in June 2023, targeting its staking services and classifying several cryptocurrencies, including Solana, Cardano and Polygon, as unregistered securities.
SEC Closes Robinhood Probe
The U.S. Securities and Exchange Commission closed an investigation into Robinhood’s cryptocurrency trading operations without taking any enforcement action. The SEC’s enforcement division sent a letter to Robinhood confirming the inquiry was complete, marking a significant reversal after the agency issued a Wells Notice in May 2024, signaling potential legal action. Robinhood’s Compliance and Corporate Affairs Officer Dan Gallagher said the company had argued that any case against Robinhood Crypto would have failed and welcomed what he called a return to fairness at the SEC. Robinhood has consistently rejected the notion that most digital asset transactions fall under federal securities laws.
SEC Drops Uniswap Investigation
The U.S. Securities and Exchange Commission concluded an investigation into Uniswap Labs, the company behind the decentralized exchange Uniswap. The company had received a Wells Notice last April, with the SEC accusing it of operating as an unregistered securities broker and exchange and of issuing an unregistered security. Uniswap’s leadership contested the charges. Uniswap Labs called the decision a “huge win for DeFi” and praised the SEC’s new leadership for reconsidering its aggressive enforcement approach and instead focusing on consumer protection through more effective means.
SEC Concludes Gemini Case
The U.S. Securities and Exchange Commission closed an investigation into crypto exchange Gemini and will not pursue any enforcement action. Gemini co-founder Cameron Winklevoss shared on X, formerly Twitter, that the investigation lasted 699 days, with a Wells Notice issued 277 days ago. He said the decision marks a milestone toward ending what he called the “war on crypto.”
SEC Drops Appeal on Crypto Dealer Rule
The U.S. Securities and Exchange Commission withdrew an appeal against a November 2024 court ruling that limited its ability to enforce securities laws on crypto and DeFi liquidity providers. The case was brought by the Crypto Freedom Alliance of Texas and the Blockchain Association, which challenged the SEC’s “dealer rule,” a regulation requiring liquidity providers with over $50 million in capital to comply with federal securities laws. Kristin Smith, CEO of the Blockchain Association, called the decision a “complete and total victory.”
SEC Sets Up Unit to Tackle Crypto, AI Fraud
The U.S. Securities and Exchange Commission launched a new unit, dubbed the Cyber and Emerging Technologies Unit, to protect investors from fraud in cryptocurrency and artificial intelligence. Led by SEC veteran Laura D’Allaird, the unit will investigate fraud involving AI, machine learning and blockchain technology, and replace the Crypto Assets and Cyber Unit established in 2022. Acting SEC Chair Mark Uyeda said the unit will play a key role in preventing bad actors from misusing new technologies, adding that it will align with efforts by Republican Commissioner Hester Peirce’s newly formed Crypto Task Force that seeks to classify some tokens as “non-securities.”