- Infini’s $49M theft exploited smart contract admin privileges, raising security alarms.
- Hackers used Tornado Cash to launder $49M in stolen USDC from Infini’s contract.
- Infini assures full user compensation after $49M theft via compromised smart contract.
A major security incident affected Hong Kong-based stablecoin neobank Infini through its payments platform on February 24, 2025. The hackers succeeded in stealing $49 million USDC through their exploit of the linked smart contract. The security firms Cyvers and Blocksec verified the attack and observed the funds being sent to a Tornado Cash account which helps hide cryptocurrency transactions. The funds the attacker stole were exchanged from USDC for Ethereum which totaled 17,696 ETH.
Spot On Chain generated on-chain data that led professionals to analyze irregular activities. A contract address (0x9A7) lost access privileges when the attacker (0xc49) created and modified the administrative permissions. Blocksec discovered that the hacker had changed the settings within the contract to withdraw the funds. In a statement on X, Christian Li, the founder of Infini stated that his company remains financially stable while promising compensation to victims.
Details of the Exploit and Industry Impact
According to Li, the attack exploited a vulnerability tied to administrative access rather than a private key leak. Through their controlling access, the attacker could take the funds out effectively. Following the theft, the hacker changed USDC to Ethereum before moving the funds to a different wallet (0xfcc8…6e49). Users faced an additional security breach at Bybit on February 21 when hackers stole $1.4 billion in Ethereum, prompting widespread concerns about crypto security practices.
According to recent reports, the cryptocurrency industry experienced 303 hacks in 2024, resulting in $2.2 billion in losses. Infini’s breach highlights ongoing challenges for neobanks integrating blockchain technology. Despite its rapid growth—boasting a 500% monthly user increase within six months of launch—the company now confronts a test of its resilience.
Infini’s Response and Next Steps
The Infini team reacted to the security breach through official communications while showing remorse for the service disruption. The company affirmed that its services stay active and transactions continue without interruption. According to Li, the incident will not impact the firm’s cash position and all affected users will receive complete reimbursement. The firm started its investigation to discover the initial breach source while establishing security measures against upcoming incidents.
Security professionals advise Infini to assess their smart contracts with complete audits while implementing additional protective measures. This incident proves why comprehensive security measures are necessary for the fast-growing digital asset industry. The broader cryptocurrency community pays close attention to Infini as it attempts to rebuild trust with its users. This major security breach allows the cryptocurrency industry to fix its vulnerabilities and establish robust standards.
