Stablecoin DeFi Bank Infini Suffers $49M Exploit After Attacker Retains Admin-Level Control

A hacker exploited the Infini stablecoin DeFi bank, draining over $49 million in USDC. 

The attack was enabled by retained admin access to a smart contract, which allowed unauthorized fund withdrawals. Infini has not yet issued an official response or disclosed details about the breach.

Exploiter drains liquidity through smart contract vulnerability

The attack stemmed from an exploiter maintaining admin privileges in a smart contract developed for Infini. Reports indicate that the attacker was initially tasked with creating the contract but secretly kept control, enabling them to withdraw all locked funds. The exploit targeted the Morpho MEV Capital Usual USDC Vault, where user deposits were stored.

The attacker initiated the heist by withdrawing funds from the contract into a new wallet. The immediate action was to swap USDC for 17,696 ETH, utilizing DAI as an intermediary asset. The transactions were executed through decentralized protocols, including Uniswap, Sky Protocol, and 0x Protocol. The rapid conversion of USDC into ETH ensured the stolen funds could not be frozen, limiting potential recovery efforts.

ALERTToday, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges.

The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the contract as part of the Infini project. However, after… pic.twitter.com/olguOyNCJr

— Cyvers Alerts (@CyversAlerts) February 24, 2025

Connections to Lazarus group suspected

The method used in the Infini exploit has drawn comparisons to previous large-scale crypto heists. The approach of splitting ETH into multiple wallets before potential mixing is similar to tactics used by the Lazarus Group, a North Korean state-sponsored hacking organization. On-chain investigator ZachXBT noted similarities to the $1.5 billion Bybit exchange hack earlier this year. However, Infini has not directly linked the attacker’s wallets to known Lazarus addresses.

Unlike other breaches where private keys were compromised, this incident appears to be an insider attack. Infini co-founder @christianeth took responsibility for the incident, acknowledging that the failure to transfer contract authority properly enabled the exploit. Despite the loss, he reassured users that Infini remains liquid and committed to full compensation.

Insider involvement and market impact

The blockchain security firm PeckShield tracked down the attack’s engineer who provoked the system breach. Following the incident @0xsexybanana deleted her X account which led people to suspect possible inside cooperation.

The attack simultaneously caused severe impacts on both the exploitation process and the cryptocurrency market. The sudden acquisition of ETH triggered a brief market rise through which the asset exceeded $2,800 for its initial price increase in weeks. Recent hacking events together with this occurrence have prompted debate about whether Ethereum supports illegal money transfers.

The post Stablecoin DeFi Bank Infini Suffers $49M Exploit After Attacker Retains Admin-Level Control first appeared on Coinfea.