- Infini neobank hacked for $49.5M USDC, swapped for 17,696 ETH.
- The attacker exploited retained admin privileges in Infini’s good contract.
- Infini’s founder has promised full compensation, citing negligence in authority switch.
On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank mixing cryptocurrency and conventional finance, skilled a devastating safety breach, leading to the lack of roughly $49.5 million in USD Coin (USDC) as earlier reported.
The exploit, first flagged by blockchain security firm CertiK at 3:18 AM UTC, has despatched shockwaves by the decentralized finance (DeFi) group, underscoring persistent vulnerabilities in the crypto area, particularly following the current $1.4 billion Bybit hack on February 21, 2025.
The Infini assault
The assault focused an Infini-related smart contract on the Ethereum blockchain, particularly the tackle 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC.
According to safety analysts from CertiK, Cyvers, Blocksec, and PeckShield, a hacker gained unauthorized entry by exploiting retained administrative privileges inside the contract. The attacker, working from the tackle 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the good contract for Infini however retained management, unbeknownst to the venture.
This insider entry allowed the hacker to control the contract’s settings, draining $49.5 million in USDC from what’s believed to be the Morpho MEV Capital Usual USDC Vault.
Following the theft, the hacker swiftly transformed the stolen USDC into Dai (DAI) after which bought 17,696 Ethereum (ETH), valued at round $49 million at the time.
It appears that the stablecoin financial institution @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and acquired 17,696 $ETH.
The 17,696 $ETH was transferred to a brand new pockets “0xfcc8…6e49”.https://t.co/AdAyB3q5LA pic.twitter.com/Rft6ZDtDWO
— Lookonchain (@lookonchain) February 24, 2025
The funds have been then transferred to a brand new pockets, 0xfcc8…6e49, and break up throughout a number of addresses, with preliminary funding traced to Tornado Cash, a privateness software typically used to obscure cryptocurrency transactions. However, at the time of reporting, the ETH remained unmixed, indicating ongoing efforts to hint the hacker’s actions.
Infini’s response
Infini, which launched in 2024 as a digital-only neobank providing stablecoin transactions, crypto card companies, and high-yield accounts, has issued an official assertion acknowledging the safety breach stating that “all transfers, deposits, withdrawals, and payments remain in normal usage and working status.”
We’re conscious of stories on a safety compromise affecting Infini. We’re deeply sorry for the concern this causes – our group is working round the clock to research and safe all programs at the second.
All transfers, deposits, withdrawals, and funds stay in regular utilization…
— Infini (@0xinfini) February 24, 2025
Infini’s founder, Christian Li, took full duty for the exploit in a post on X, clarifying that the breach didn’t outcome from a personal key leak however slightly his negligence in transferring authority from the developer to the venture. “My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm… There is no problem with liquidity. Full compensation can be paid, and the funds are being traced,” he wrote.
Despite this reassurance, some on-chain analyses, together with from PeckShield, recommend a possible personal key compromise, including complexity to the investigation.
Impact of the exploit
The exploit has raised critical questions about personal key administration, good contract safety, and the dangers of insider threats in DeFi platforms.
Infini, which has skilled meteoric progress, boasting a 500% month-to-month enhance in energetic customers since its inception, notably after launching its crypto card campaigns, now faces a essential take a look at of its resilience. The neobank’s high-yield merchandise, designed to draw liquidity, inadvertently offered the circumstances for the exploit, amplifying the monetary impression.
This incident follows carefully on the heels of the Bybit change hack, which noticed a staggering $1.4 billion drained by manipulated good contract logic. The similarity in techniques, splitting and mixing ETH, has led on-chain investigator ZachXBT to invest that the Lazarus hacker group, recognized for such strategies, could be concerned, although no direct hyperlink to Infini’s attacker has been confirmed.
Lazarus Group simply linked the Bybit hack to the Phemex hack immediately on-chain commingling funds from the intial theft tackle for each incidents.
Overlap tackle:
0x33d057af74779925c4b2e720a820387cb89f8f65Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
— ZachXBT (@zachxbt) February 22, 2025
The speedy succession of those high-profile breaches has reignited requires sturdy safety protocols throughout centralized and decentralized crypto platforms.
Interestingly, the inflow of stolen ETH into the market has paradoxically catalyzed a small rally, pushing Ethereum’s worth above $2,800 for the first time in weeks as exchanges scrambled to replenish reserves.
However, the Infini incident has additionally sparked considerations about potential cash laundering or hostile regime financing, given the use of Tornado Cash and the scale of the theft.
