Infini Suffers $49.5 Million Exploit
Infini, a prepaid payments card issuer offering interest on dollar stablecoins, has suffered a major security breach, resulting in the theft of over $49 million in USDC.
On-chain analysts traced the attack to an exploiter who misused retained administrative privileges.
Following the breach, Infini warned the hacker that it had gathered “critical IP and device information.”
According to PeckShield, the Hong Kong-based neobank lost $49.5 million.
It was just on Sunday that Infini announced that it had hit $50 million in total value locked.
CertiK first flagged suspicious activity on 24 February, reporting unauthorised transfers from an Infini-associated Ethereum contract.
Lookonchain later confirmed that the attacker stole 49.5 million USDC, converted it into DAI, and used the funds to acquire 17,696 ETH, which was moved to a newly created wallet (0xfcc8…6e49).
Over 100 days later, the hacker funded their wallet via Tornado Cash, executed a small ETH transaction to cover gas fees, and exploited the system.
However, PeckShield offered an alternative theory, suggesting a private key leak caused the breach.
Infini founder Christian Li denied a key compromise but admitted to oversight in transferring control, taking full responsibility and calling the incident a wake-up call.
Co-founder Christine reassured users that Infini has the resources to compensate affected customers.
Hacker Identified as Ex-Developer
According to blockchain analytics firm Cyvers, the attacker—an ex-developer who had worked on Infini’s contract—exploited retained privileges after project completion to siphon funds from the platform.
Smart contract audit firm QuillAudits corroborated this, attributing the breach to “compromised access and privilege escalation.”
The attacker leveraged a private key breach to gain control of a compromised account.
The report noted:
“The hacker gained access to a private key associated with the account 0xc4…3e1. This account had been granted a special role (0x8e0b) that allowed it to withdraw funds from the vault.”
The exploit unfolded in two transactions: an initial transfer of $11.45 million, followed by a second, larger withdrawal of $38.06 million—totaling $49.5 million from the Morpho MEVCapital USDC Vault.
The stolen funds were swiftly converted from USDC to DAI and then into 17,696 ETH before being transferred to a secondary wallet.
Infini Offers Reward for Recovery
Infini told the hacker in a blockchain transaction:
“We are closely monitoring the address involved and are prepared to take immediate action to freeze any stolen funds if necessary. In an effort to resolve this matter amicably, we are willing to offer you 20% of the stolen assets should you choose to return the funds.”
Li echoed the same message.
Infini gave the attacker 48 hours to cooperate, warning that failure to respond would leave the company no choice but to escalate its investigation alongside law enforcement.
According to Cyvers, the breach stemmed from a developer who had retained administrative rights over Infini’s smart contract after its deployment.
More than three months later, the individual exploited these privileges, draining funds into a wallet linked to the cryptocurrency mixer Tornado Cash.
Despite the attack, Infini kept withdrawals open.
Li reassured users that, in the worst-case scenario, full compensation would be provided.
Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, explained:
“This incident highlights the critical risks of retained administrative privileges in smart contracts. In the meantime, this serves as a strong reminder for projects to thoroughly audit and revoke unnecessary permissions post-deployment.”
Hours after the breach, Infini released a statement confirming that transactions—including transfers, deposits, and withdrawals—remained unaffected.
The QuillAudits research team lamented:
“It’s frustrating because these aren’t new problems. We’ve seen this play out repeatedly, yet projects still underestimate how critical it is to lock down access.”
The team emphasized that until access control is treated as a fundamental security priority rather than an afterthought, such exploits will persist.
The research team stated:
“It’s not just about better tech; it’s about better habits.”
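The post-deployment permission audit that Cyvers and QuillAudits call for can be sketched as a replay of a contract's role events. This is an added example, not code from Infini or from either firm. It assumes OpenZeppelin AccessControl-style RoleGranted and RoleRevoked events, and every address, role name and block number in it is a constructed placeholder.

```python
"""Rebuild current role holders from grant/revoke events and flag unexpected ones."""

# Constructed sample log (placeholders, not values from the incident).
# The handover at block 260 revokes the developer's ADMIN role but leaves WITHDRAW.
EVENTS = [
    {"block": 100, "idx": 0, "event": "RoleGranted", "role": "ADMIN", "account": "0xDev01"},
    {"block": 100, "idx": 1, "event": "RoleGranted", "role": "WITHDRAW", "account": "0xDev01"},
    {"block": 250, "idx": 0, "event": "RoleGranted", "role": "ADMIN", "account": "0xSAFE01"},
    {"block": 250, "idx": 1, "event": "RoleGranted", "role": "WITHDRAW", "account": "0xSafe01"},
    {"block": 260, "idx": 0, "event": "RoleRevoked", "role": "ADMIN", "account": "0xdev01"},
    {"block": 300, "idx": 0, "event": "RoleGranted", "role": "WITHDRAW", "account": "0xBot01"},
    {"block": 400, "idx": 0, "event": "RoleRevoked", "role": "WITHDRAW", "account": "0xbot01"},
]

# Assumed policy: after handover only the multisig should hold any role.
EXPECTED = {"ADMIN": {"0xSAFE01"}, "WITHDRAW": {"0xSAFE01"}}


def current_holders(events):
    """Return {role: {account: block_of_grant}} after replaying events in chain order."""
    holders = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["idx"])):
        members = holders.setdefault(ev["role"], {})
        account = ev["account"].lower()  # addresses compare case-insensitively
        if ev["event"] == "RoleGranted":
            members.setdefault(account, ev["block"])
        elif ev["event"] == "RoleRevoked":
            members.pop(account, None)
    return holders


def audit(events, expected, head_block):
    """List (role, account, blocks_held) for every holder missing from the policy."""
    findings = []
    for role, members in current_holders(events).items():
        allowed = {a.lower() for a in expected.get(role, set())}
        for account, granted_at in sorted(members.items()):
            if account not in allowed:
                findings.append((role, account, head_block - granted_at))
    return findings


if __name__ == "__main__":
    for role, account, age in audit(EVENTS, EXPECTED, head_block=1000):
        print(f"REVOKE: {account} still holds {role} ({age} blocks since grant)")
```

Run against a real deployment, the event list would come from the contract's logs, and any finding is a candidate for revocation before funds sit behind that role.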