Infini Hacker Returns After Exploit, Buys Ether Dip Worth $13M

A wallet tied to Infini’s $50 million breach has re-emerged after nearly a year, showing activity as crypto markets wobbled and Ether was bought during a broad price dip. The exploiter’s address moved to accumulate Ether (CRYPTO: ETH) worth about $13.3 million as the asset traded around $2,109, then shifted the funds into Tornado Cash, a mixing protocol used to obscure transaction paths. Industry observers noted the pattern as a sign that the attacker remains engaged with the proceeds rather than exiting entirely into cash-like assets. The move comes months after the initial breach and subsequent legal actions, underscoring ongoing tensions between on‑chain theft, tracing efforts, and attempts to recover stolen funds.

The revelation comes as the market faced a broad downturn and a string of heavy liquidations. Data from Coinglass showed roughly $2.56 billion in leveraged positions wiped out during a single session, marking one of the largest forced liquidations on record. Ether slid to a multi-month low, briefly dipping to around $1,811—its lowest point since May 2025—before rebounding in the following sessions. The price action provides a unsettled backdrop for the attacker’s re-entry into the market, suggesting a strategy of leveraging recovered funds to pursue additional opportunities rather than an immediate exit into non-volatile assets.

Infini exploiter buys ETH dip after massive liquidations

The renewed on-chain activity has drawn renewed scrutiny from analysts monitoring the Infini case. Lookonchain captured a comment noting the attacker’s apparent skill at buying low and selling high, a paraphrase of the on-chain behavior that has characterized the flow of funds since the breach. The exchange of value aligns with a broader pattern where the attacker, after swapping stolen holdings into stablecoins, previously used market volatility to maximize returns on the remaining balance. The latest tranche—an ETH purchase in a period of heavy selling—illustrates the continuing dynamic between negative price pressure and opportunistic trading by the exploiter.

The Infini breach, disclosed earlier in 2025, involved the withdrawal of stablecoins from the project’s treasury and a disruption that led to tens of millions of dollars in losses. The stolen USDC (CRYPTO: USDC) was promptly swapped for Dai (CRYPTO: DAI), a step often seen in breach scenarios where attackers convert into assets perceived as less likely to be frozen. The latest transactions, observed on public blockchain data, indicate that the attacker still holds a substantial balance and remains active, using market conditions to optimize the remaining capital rather than fully unwinding the position.

The attacker’s path after the exploit has included legal action from Infini. In March, Infini filed a Hong Kong lawsuit against a developer and several unidentified individuals believed to have ties to wallets involved in the breach. An injunction was issued in conjunction with the case, illustrating a concerted legal effort to restrain further transfers and to pressure the attackers for restitution. The litigation underscores a broader trend of cross-border legal strategies in crypto hacks, where on-chain evidence is used to deter further misappropriation and to seek accountability from individuals and entities linked to the breach.

The case also reveals prior incentives offered by Infini. Early in the dispute, the protocol circulated a 20% bounty for the return of the stolen funds, arguing that it had gathered signals about the attackers’ identities and devices. While this approach has drawn mixed reception in the security community, it reflected a pragmatic attempt to recover assets without resorting to more aggressive measures. Commentators note that the on-chain trail remains complex, with multiple wallets and cross-chain moves complicating the path to recovery.

Alongside the legal push, the market backdrop continues to shape the risk environment for asset holders and developers. Ether’s weakness during the recent sell-off and its subsequent stabilization highlight how liquidity and macro sentiment can influence on-chain theft dynamics. The combination of a high-profile breach, ongoing legal proceedings, and a volatile price environment creates a difficult operating landscape for projects like Infini and for the broader ecosystem attempting to deter and resolve similar incidents.

Why it matters

The Infini case is a clarion call for the industry on several fronts. First, it illustrates how attack proceeds can remain active long after the initial breach, with stolen funds used to participate in ongoing trading activity rather than simply being moved to stable storage. This persistence complicates both asset tracing and potential recovery efforts. Second, the Hong Kong action demonstrates that cross-border litigation is increasingly a tool in crypto security, aiming to secure injunctions, identify defendants, and gather evidence that could inform civil remedies or facilitate asset recovery.

For users and developers, the episode underscores the importance of robust fund-flow controls and post-incident transparency. As exchanges and analytics providers document new on-chain moves, the industry benefits from improved visibility into attacker behavior, which can inform both security posture and policy discussions around prosecutorial reach and asset recovery mechanisms. In parallel, communities tracking on-chain activity must balance privacy considerations with the public interest in preventing and deterring theft, especially when attackers exploit high-volatility markets to maximize gains.

From a broader market perspective, the Infini developments come during a period of heightened liquidity risk and liquidity-driven price swings. The sensitivity of prices to large liquidations and the speed at which funds can be redistributed through mixing services highlight the ongoing tension between openness and resilience in the crypto economy. Regulators and industry participants alike are watching how enforcement actions, court interventions, and improved traceability capabilities will shape future breach responses and the recovery prospects for victims.

What to watch next

• Progress in Infini’s Hong Kong lawsuit: judicial rulings, expedited actions, and any further injunctions or writs related to the attackers’ wallets.
• On-chain developments: additional movements of the exploited funds, including any new transfers to or from mixing services and potential attempts to skirt tracing.
• Regulatory and enforcement updates: any statements or actions from authorities that could influence asset recovery or cross-border cooperation in similar cases.
• Updates from Arkham, Lookonchain, and other analytics firms on attacker behavior and new wallet activity tied to the event.
• Market implications: how ongoing investigations and legal actions interact with liquidity dynamics and risk sentiment in the wake of the recent large-scale liquidations.

Sources & verification

• Arkham data on the exploiter’s wallet activity linked to the Infini breach and its transfer route to Tornado Cash.
• Coinglass data detailing the 10th-largest liquidation event and the roughly $2.56 billion in leveraged position wipes.
• Historical reports on Infini’s $50 million hack, including the early swap from USDC to DAI and the subsequent legal actions.
• Infini’s Hong Kong lawsuit filing and the court injunction related to the attacker’s wallets.
• On-chain messages naming individuals connected to wallets involved in the breach and related court communications.

Infini exploit activity and legal action

The renewed on-chain activity around Infini’s breach illustrates how recovered proceeds continue to fuel trading activity, even as legal actions aim to hold attackers accountable. The ETH purchases executed during periods of downturn demonstrate that the attacker remains engaged with the funds, seeking upside in a choppy market rather than exiting entirely. The involvement of Tornado Cash as a mixer emphasizes the ongoing tension between privacy-focused tooling and the enforcement dimension of asset recovery. As Arkham’s traces and Lookonchain’s analyses show, such patterns can persist for months, complicating both tracing efforts and the prospect of fund recovery for the victim project.

Analysts caution that while the attacker’s continued activity may offer opportunities for investigators to piece together more of the provenance, it also poses ongoing risks to market integrity. The Infini case remains a touchstone for discussions about post-breach governance, the viability of bounty programs, and the role of regulatory frameworks in accelerating resolution. The absence of a definitive recovery creates a chilling effect for projects contemplating similar incidents, underscoring the need for robust incident response, transparent reporting, and effective collaboration with on-chain analytics providers.

Looking ahead, observers will be watching for any policy shifts that could affect cross-border litigation in crypto hacks, as well as the evolution of on-chain tracing technologies designed to unmask illicit fund flows even when mixers are deployed. The Infini case, while a single incident, captures a broader arc of risk in the crypto sector—where high-profile breaches test the interplay between market dynamics, legal instruments, and the evolving toolkit of investigators.

In sum, the Infini hack continues to cast a long shadow over the sector, serving as a live case study in asset tracing, legal recourse, and the resilience of decentralized finance ecosystems in the face of sophisticated exploitation.

Tickers mentioned: $ETH, $USDC, $DAI

Sentiment: Neutral

Price impact: Neutral. While Ether moved lower amid the market sell-off, the report indicates no immediate, identifiable price correction tied solely to the on-chain activity linked to the Infini exploit.

Market context: The incident unfolds amid a broader cycle of high volatility, record liquidations, and ongoing enforcement activity shaping liquidity, risk appetite, and asset-tracing capabilities across crypto markets.