An unidentified hacker siphoned over $49 million in USDC from the Infini stablecoin bank, exploiting retained admin access to a smart contract.
The attacker leveraged administrative control over a smart contract to withdraw all locked funds. Infini, a neobank that merges stablecoin collateral with traditional payment solutions, has not yet issued an official response explaining the vulnerability.
As per Binance, the company has seen a surge in users—reportedly 500% in recent weeks—due to its crypto-backed payment services and high-yield earnings products, which inadvertently expanded liquidity available to the exploiter.
While Infini’s founder, Christian, claims there was no private key leak, blockchain security firm PeckShield has suggested otherwise, indicating that the attacker — an engineer who initially built the smart contract — has been identified. The attacker’s insider nature was further underscored when Infini co-founder @0xsexybanana abruptly deleted her X account following the incident.
Funds were drained from the Morpho MEV Capital Usual USDC Vault, though Morpho has not acknowledged any direct financial losses or issued warnings related to the breach. The exploit was detected when an unusually large transaction withdrew all funds from the smart contract in a single move.
Immediately following the heist, the attacker converted the stolen USDC into 17,696 ETH, using decentralised protocols like Uniswap, Sky Protocol, and 0x Protocol to facilitate the swap.
To hide the trail of the funds, the hacker initially converted USDC into DAI before acquiring ETH, which is more difficult to freeze. The attacker then fragmented the proceeds across various addresses and used Tornado Cash to obscure the origins of the wallets. This strategy is similar to the tactics used by the hackers of WazirX.
“A newly created wallet spent 49.5M $DAI to buy 17,696 $ETH at $2,798 in the past hour,” researchers said on X.
Security researcher ZachXBT noted that the attack technique aligns with the signature tactics of the North Korean Lazarus Group.
Infini founder Christian assured creditors that the withdrawals are normal and that, in the worst-case scenario, full compensation will be paid.
“Currently, all consumption and withdrawals of the product are normal. The only part affected is the financial management part (because the contract has been suspended and funds have not been transferred to prevent secondary risks). It will take some time to propose and implement a more appropriate plan,” Christian wrote.