On February 24, 2025, Hong Kong-based stablecoin neobank Infini suffered a major security breach, losing $49.5 million in USDC due to a vulnerability in its Ethereum smart contract. The attack occurred just three days after Bybit's $1.4 billion hack.
How the Attack Happened
Blockchain security firm CertiK first reported the incident at 3:18 UTC, revealing that hackers exploited a backdoor in Infini’s smart contract linked to the address 0x9A79f4…E1DC. According to security analysts at Cyvers, Blocksec, and PeckShield, the attacker may have been a former developer who retained administrative control, allowing them to manipulate contract settings.
With full control over the contract, the hacker withdrew $49.5 million from the Morpho MEV Capital Usual USDC Vault. They then converted the USDC into DAI before purchasing 17,696 ETH worth approximately $49 million.
Laundering Funds Through Tornado Cash
Data from Lookonchain shows that the stolen assets were transferred to a new wallet (0xfcc8…6e49) and further distributed across multiple addresses. The attacker initially funded the exploit through Tornado Cash, but most of the stolen ETH remains untouched, allowing analysts to track the movement of funds.
Infini’s Response
Infini, launched in 2024, specializes in stablecoins, crypto cards, and high-yield deposits. Despite the attack, the company assured users that all services remain operational, including transfers, deposits, and withdrawals.
Infini’s founder, Christian Li, took responsibility for the security lapse, explaining that the breach was not due to a compromised private key but rather a mistake in transferring contract control from the developer to the project.
"My personal key was not compromised, so there is no reason to worry. I made an error in transferring access rights. This is entirely my responsibility. Liquidity remains intact, all compensation is possible, and the stolen funds are being tracked."
However, PeckShield and other analysts suspect that a private key compromise might still be involved, which could complicate recovery efforts.
What’s Next
Before the hack, Infini was experiencing rapid growth, with monthly active users increasing by 500%, especially after launching its crypto card program. However, the attack has raised serious concerns about asset security and contract management.
The Infini breach follows a similar attack on Bybit, where hackers used smart contract exploits to siphon funds into ETH and launder them through Tornado Cash. Blockchain investigator ZachXBT has linked both incidents to North Korea’s Lazarus Group.
Security Measures in Crypto
Amid the wave of DeFi hacks, former Binance CEO Changpeng Zhao (CZ) updated his Keep Your Crypto #SAFU security guide. Here are its key takeaways:
Protecting Your Crypto
- No security method is 100% foolproof, but risk can be minimized.
- Self-custody options:
- Offline computer (Linux, no internet)
- Dedicated phone (iPhone/GrapheneOS, no Wi-Fi)
- Hardware wallet (secure backups are critical)
- Backup methods:
- Paper (risk of loss/theft)
- Metal (damage-resistant)
- Encrypted USB drives (safe if used correctly)
Exchange Security
- Store funds only on reputable exchanges
- Use a unique email (Gmail/ProtonMail)
- Enable 2FA (preferably hardware keys, not SMS)
- Whitelist withdrawal addresses
- Beware of phishing attempts
Read CZ’s full security guide here.
This post is for informational purposes only and is not an ad or investment advice. Please do your own research making any decisions.