- Infini neobank hacked for $49.5M USDC, swapped for 17,696 ETH.
- The attacker exploited retained admin privileges in Infini’s smart contract.
- Infini’s founder has promised full compensation, citing negligence in authority transfer.
On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank blending cryptocurrency and traditional finance, experienced a devastating security breach, resulting in the loss of approximately $49.5 million in USD Coin (USDC).
The exploit, first flagged by blockchain security firm CertiK at 3:18 AM UTC, has sent shockwaves through the decentralized finance (DeFi) community, underscoring persistent vulnerabilities in the crypto space, especially following the recent $1.4 billion Bybit hack on February 21, 2025.
The Infini attack
The attack targeted an Infini-related smart contract on the Ethereum blockchain, specifically the address 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC.
According to security analysts from CertiK, Cyvers, Blocksec, and PeckShield, a hacker gained unauthorized access by exploiting retained administrative privileges within the contract. The attacker, operating from the address 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the smart contract for Infini but retained control, unbeknownst to the project.
This insider access allowed the hacker to manipulate the contract’s settings, draining $49.5 million in USDC from what is believed to be the Morpho MEV Capital Usual USDC Vault.
Following the theft, the hacker swiftly converted the stolen USDC into Dai (DAI) and then purchased 17,696 Ethereum (ETH), valued at around $49 million at the time.
It seems that the stablecoin bank @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and bought 17,696 $ETH.
The 17,696 $ETH was transferred to a new wallet “0xfcc8…6e49”.https://t.co/AdAyB3q5LA pic.twitter.com/Rft6ZDtDWO
— Lookonchain (@lookonchain) February 24, 2025
The funds were then transferred to a new wallet, 0xfcc8…6e49, and split across multiple addresses, with initial funding traced to Tornado Cash, a privacy tool often used to obscure cryptocurrency transactions. However, at the time of reporting, the ETH remained unmixed, indicating ongoing efforts to trace the hacker’s movements.
Infini’s response
Infini, which launched in 2024 as a digital-only neobank offering stablecoin transactions, crypto card services, and high-yield accounts, has issued an official statement acknowledging the security breach stating that “all transfers, deposits, withdrawals, and payments remain in normal usage and working status.”
We’re aware of reports on a security compromise affecting Infini. We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment.
All transfers, deposits, withdrawals, and payments remain in normal usage…
— Infini (@0xinfini) February 24, 2025
Infini’s founder, Christian Li, took full responsibility for the exploit in a post on X, clarifying that the breach did not result from a private key leak but rather his negligence in transferring authority from the developer to the project. “My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm… There is no problem with liquidity. Full compensation can be paid, and the funds are being traced,” he wrote.
Despite this reassurance, some on-chain analyses, including from PeckShield, suggest a potential private key compromise, adding complexity to the investigation.
Impact of the exploit
The exploit has raised serious questions about private key management, smart contract security, and the risks of insider threats in DeFi platforms.
Infini, which has experienced meteoric growth, boasting a 500% monthly increase in active users since its inception, particularly after launching its crypto card campaigns, now faces a critical test of its resilience. The neobank’s high-yield products, designed to attract liquidity, inadvertently provided the conditions for the exploit, amplifying the financial impact.
This incident follows closely on the heels of the Bybit exchange hack, which saw a staggering $1.4 billion drained through manipulated smart contract logic. The similarity in tactics, splitting and mixing ETH, has led on-chain investigator ZachXBT to speculate that the Lazarus hacker group, known for such methods, might be involved, though no direct link to Infini’s attacker has been confirmed.
Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
Overlap address:
0x33d057af74779925c4b2e720a820387cb89f8f65Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
— ZachXBT (@zachxbt) February 22, 2025
The rapid succession of these high-profile breaches has reignited calls for robust security protocols across centralized and decentralized crypto platforms.
Interestingly, the influx of stolen ETH into the market has paradoxically catalyzed a small rally, pushing Ethereum’s price above $2,800 for the first time in weeks as exchanges scrambled to replenish reserves.
However, the Infini incident has also sparked concerns about potential money laundering or hostile regime financing, given the use of Tornado Cash and the scale of the theft.
