A hacker drained over $49M in USDC from the Infini stablecoin bank. The exploit may be due to insider access to a smart contract, where the developer retained access after delivering to Infini.
Admin access to a smart contract allowed an exploiter to drain $49M from the Infini protocol, a stablecoin DeFi bank. Infini itself has not reacted to the exploit, or explained the nature of the hack. Infini is a crypto card issuer, taking stablecoin collateral to perform daily payments.
Infini advertised its payment services as a neobank, mixing crypto and traditional finance. The product drew in 500% more users in the past few weeks, as it started its card campaigns. The neobank also offers high-yield earnings products, leading to a rise in available liquidity for the exploiter.
It was precisely the yield products that created the conditions for the exploit, as funds were reportedly taken from the Morpho MEV Capital Usual USDC Vault. Morpho has not issued any warnings or reported lost funds.
The exploit was noted after a regular-looking whale transaction , where a new wallet withdrew all funds locked in the contract. The attacker’s wallet was known to Infini, as the project reportedly ordered the exploiter to create the smart contract. Unknown to the project, the attacker retained admin rights and could make the call to drain all liquidity.
The immediate action of the exploiter was to swap out of USDC to buy 17,696 ETH. The exploiter went through DAI, which was available through decentralized protocols. The funds moved through Uniswap, Sky Protocol, and 0x Protocol. Swapping out of USDC as fast as possible allowed the hacker to move funds into ETH, which cannot be frozen, only blacklisted from exchanges.
After that, the attacker split the proceeds into smaller sums and multiple addresses. The exploiter used a new wallet to send a small amount of ETH for gas and complete the transaction. The initial funding for the wallet came from Tornado Cash, veiling a part of the on-chain presence of the hacker.
After that, the ETH was moved through a series of transfers. At the time of writing, the funds were still not mixed.
Did DPRK hackers strike again?
The identity of the contract creator remains unknown, as Infini has not revealed who was ordered to build the smart contract.
The Infini hack follows the biggest exploit of 2025, where the Bybit exchange lost up to $1.5B in Ethereum (ETH). The Bybit hacker had a similar approach of splitting ETH before mixing. On-chain investigator ZachXBT has pointed out multiple examples that this approach is one of the signature moves of the Lazarus hacker group. For now, Infini has not linked any of the exploiter’s wallets to other known Lazarus addresses.
This time, no private keys were leaked, and Infini has not stopped withdrawals and deposits.
The founder of Infini, @christianeth, took full responsibility for the exploit, stating he was negligent in the authority transfer process from the developer to the project. The founder reassured users that the protocol remains liquid, and will issue full compensation in the worst-case scenario.
“My personal private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm…There is no problem with liquidity. Full compensation can be paid and the funds are being traced,” wrote @christianeth on X.
Other on-chain analysis shows a potential private key leak, which allowed the hacker access to the contract. PeckShield noted the engineer turned hacker has been identified . After the attack, one of the Infini co-founders, @0xsexybanana, deleted her X account. The current heist is a suspected insider attack, as the engineer was trusted enough to create a smart contract.
The recent exploits and hoarding of ETH raised the question of using the chain for money laundering and potentially hostile regime financing. At the same time, the exploits catalyzed a small ETH rally, where the asset rose above $2,800 for the first time in weeks. The ETH losses meant exchanges had to recoup their reserves, leading to additional demand.
Cryptopolitan Academy: FREE Web3 Resume Cheat Sheet - Download Now
