- Infini neobank hacked for $49.5M USDC, swapped for 17,696 ETH.
- The attacker exploited retained admin privileges in Infini’s smart contract.
- Infini’s founder has promised full compensation, citing negligence in authority transfer.
On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank blending cryptocurrency and traditional finance, experienced a devastating security breach that resulted in the loss of approximately $49.5 million in USD Coin (USDC), as reported earlier.
The exploit, first flagged by blockchain security firm CertiK at 3:18 AM UTC, has sent shockwaves through the decentralized finance (DeFi) community, underscoring persistent vulnerabilities in the crypto space, especially following the recent $1.4 billion Bybit hack on February 21, 2025.
The Infini attack
The attack targeted an Infini-related smart contract on the Ethereum blockchain, specifically the address 0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC.
According to security analysts from CertiK, Cyvers, Blocksec, and PeckShield, a hacker gained unauthorized access by exploiting retained administrative privileges within the contract. The attacker, operating from the address 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the smart contract for Infini but retained control, unbeknownst to the project.
This insider access allowed the hacker to manipulate the contract’s settings, draining $49.5 million in USDC from what is believed to be the Morpho MEV Capital Usual USDC Vault.
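The failure described above is an authority handoff in which the original developer's admin rights were never removed. As an added example (not Infini's code or any analyst's tooling), the following Python check replays a contract's role events and reports any account that still holds a role but is missing from the project's allowlist. It assumes the contract emits OpenZeppelin-style `RoleGranted`/`RoleRevoked` events, which the article does not state; all addresses, role ids and log entries are constructed.

```python
# Added example: replay role events and flag holders outside the allowlist.
# Assumes OpenZeppelin-style AccessControl events (RoleGranted/RoleRevoked).
# Every address, role id and log entry below is constructed sample data.
from collections import defaultdict

DEFAULT_ADMIN_ROLE = "0x" + "00" * 32   # AccessControl's root admin role
OPERATOR_ROLE = "0x" + "11" * 32        # hypothetical role id
DEPLOYER = "0x" + "d1" * 20             # constructed: original developer
MULTISIG = "0x" + "a5" * 20             # constructed: project's multisig

# Constructed decoded logs: (block, log_index, event, role, account)
SAMPLE_LOGS = [
    (100, 0, "RoleGranted", DEFAULT_ADMIN_ROLE, DEPLOYER),
    (100, 1, "RoleGranted", OPERATOR_ROLE, DEPLOYER),
    (200, 0, "RoleGranted", DEFAULT_ADMIN_ROLE, MULTISIG),
    (200, 1, "RoleGranted", OPERATOR_ROLE, MULTISIG),
    # Mixed-case form of the deployer address, as explorers often show it.
    (201, 0, "RoleRevoked", OPERATOR_ROLE, "0x" + "D1" * 20),
    # Handoff stops here: DEFAULT_ADMIN_ROLE is never revoked from DEPLOYER.
]

# Who the project believes should hold each role after the handoff.
EXPECTED = {DEFAULT_ADMIN_ROLE: {MULTISIG}, OPERATOR_ROLE: {MULTISIG}}

def current_role_holders(logs):
    """Replay grant/revoke events in chain order; return role -> holders."""
    holders = defaultdict(set)
    for _block, _idx, event, role, account in sorted(logs):
        account = account.lower()  # compare addresses case-insensitively
        if event == "RoleGranted":
            holders[role].add(account)
        elif event == "RoleRevoked":
            holders[role].discard(account)
    return {role: accts for role, accts in holders.items() if accts}

def unexpected_holders(logs, expected):
    """Return sorted (role, account) pairs that are not on the allowlist."""
    findings = []
    for role, accts in current_role_holders(logs).items():
        allowed = {a.lower() for a in expected.get(role, ())}
        findings.extend((role, acct) for acct in accts - allowed)
    return sorted(findings)

if __name__ == "__main__":
    for role, acct in unexpected_holders(SAMPLE_LOGS, EXPECTED):
        print(f"unexpected holder {acct} for role {role}")
```

Running the same check after every ownership change, and alerting on any non-empty result, turns a missed revocation into a finding before funds are at risk.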
Following the theft, the hacker swiftly converted the stolen USDC into Dai (DAI) and then purchased 17,696 Ethereum (ETH), valued at around $49 million at the time.
It seems that the stablecoin bank @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and bought 17,696 $ETH.
The 17,696 $ETH was transferred to a new wallet “0xfcc8…6e49”. https://t.co/AdAyB3q5LA
— Lookonchain (@lookonchain) February 24, 2025
The funds were then transferred to a new wallet, 0xfcc8…6e49, and split across multiple addresses, with initial funding traced to Tornado Cash, a privacy tool often used to obscure cryptocurrency transactions. However, at the time of reporting, the ETH remained unmixed, indicating ongoing efforts to trace the…