Neobank Infini celebrates $50M TVL, then suffers $49.5M USDC exploit due to former insider

Infini, a stablecoin-focused neo-bank, suffered an exploit that resulted in a loss of approximately $49.5 million in USDC.

Blockchain security firm Cyvers detected the breach less than a day after the platform celebrated reaching a $50 million total value locked (TVL) milestone.

Blockchain analytics firm Lookonchain reported that the attacker swiftly converted the stolen USDC into DAI before using the funds to purchase 17,696 ETH.

The assets were transferred to a separate wallet, making recovery efforts more complex.

Circle’s slow response

Blockchain sleuth ZachXBT has slammed stablecoin issuer Circle’s slow response to the incident, pointing out that the “USDC wasn’t fully sold for 40 minutes.”

He wrote:

“Where was the Circle 24/7 incident response team? That’s right I forgot they do not exist bc Circle knowingly supports this type of activity.”

Notably, this is not the first time the blockchain investigator has criticized the USDC issuer’s slow response to malicious activities involving the stablecoin.

According to him:

“US companies in general are worse than many offshore competitors due to hiding behind ambiguous policies in the name of ‘regulations’”

How the attack unfolded

According to Cyvers, the exploit stemmed from administrative privileges retained by the attacker.

Cyvers reported that the attacker “0xc49b5” had initially worked on Infini’s contract but never relinquished full control. This oversight allowed them to manipulate the system long after deployment.

Over 100 days later, the attacker funded their address using Tornado Cash, an anonymity tool, to cover Ethereum gas fees. This preparation set the stage for the breach, enabling them to drain the platform’s funds completely.
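A retained admin grant of this kind can be caught by replaying a contract's role events and comparing the current holders with an approved list. The sketch below is an added example, not code from Infini or Cyvers; it assumes OpenZeppelin AccessControl-style RoleGranted/RoleRevoked events, and every address, role label and timestamp in it is constructed.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass(frozen=True)
class RoleEvent:
    name: str       # "RoleGranted" or "RoleRevoked" (assumed event names)
    role: str       # readable label standing in for the bytes32 role id
    account: str
    timestamp: int  # block time in seconds

def current_holders(events):
    """Replay events in time order; return {(role, account): granted_at}."""
    held = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.role, ev.account.lower())
        if ev.name == "RoleGranted":
            held.setdefault(key, ev.timestamp)  # duplicate grant keeps first time
        elif ev.name == "RoleRevoked":
            held.pop(key, None)
    return held

def audit_roles(events, approved, now):
    """Return sorted (role, account, days_held) for holders not in `approved`."""
    allowed = {(role, acct.lower()) for role, acct in approved}
    findings = []
    for (role, account), granted_at in current_holders(events).items():
        if (role, account) not in allowed:
            findings.append((role, account, (now - granted_at) // DAY))
    return sorted(findings)

# Constructed sample data: a developer address and the team multisig.
DEV = "0x" + "d1" * 20
MULTISIG = "0x" + "a5" * 20
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    RoleEvent("RoleGranted", "DEFAULT_ADMIN_ROLE", DEV, T0),       # at deployment
    RoleEvent("RoleGranted", "DEFAULT_ADMIN_ROLE", MULTISIG, T0),  # handover
    RoleEvent("RoleGranted", "OPERATOR_ROLE", DEV, T0 + DAY),
    RoleEvent("RoleRevoked", "OPERATOR_ROLE", DEV, T0 + 2 * DAY),
    # No RoleRevoked for DEV's admin role: the gap the audit must surface.
]
APPROVED = [("DEFAULT_ADMIN_ROLE", MULTISIG)]
NOW = T0 + 100 * DAY

if __name__ == "__main__":
    for role, account, days in audit_roles(SAMPLE_EVENTS, APPROVED, NOW):
        print(f"unapproved holder of {role}: {account} ({days} days)")
```

Run as a post-handover check and on a schedule, the same replay also flags any later grant to an address outside the approved list.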

Infini’s founder, Christian, admitted responsibility for the security lapse, noting that his private key was not compromised but that he had previously mishandled the transfer of authority. He emphasized that the platform remains financially stable and is actively working to track and recover the stolen funds.

Christian added that investigations are ongoing and reassured users that withdrawals remain operational. He also pledged full compensation in the event of financial losses.

He stated:

“My personal private key was not leaked, so there’s no need to worry excessively. It was due to negligence when transferring authority before; ultimately, it’s my responsibility. This incident has served as a wake-up call.

“Thank you to everyone for speaking up and your support. There are no issues with liquidity, and we can fully compensate. We are currently tracing the funds.”

This attack follows a series of high-profile crypto hacks, including the recent $1.5 billion theft from Bybit. The Infini breach highlights the risks of granting long-term administrative privileges to developers, who could later exploit the very systems they helped build.

[Editor’s note: By comparison, stablecoin rival Tether has effectively and promptly frozen stolen USDT funds on multiple occasions while continuously under media fire for its supposed links to illicit activities.]
