- Infini neobank lost $49.5 million in a hack, with funds converted to ETH and moved to a new wallet, raising concerns over security practices.
- Infini founder reassures users that withdrawals remain unaffected, promising full compensation while an ongoing investigation into the breach continues.
Crypto-focused neobank Infini has reportedly been targeted in a security breach, resulting in a loss of $49.5 million. The hacker exploited defects in the platform, accessing a contract associated with Infini and finally converting the stolen funds into Ethereum (ETH). Given the speed at which the funds were laundered and moved to different wallets, the breach has sparked concerns within the crypto community.
The incident came to light early on February 24 when CertiK, a prominent blockchain security firm, flagged unusual activities on Infini’s network. At approximately 3:18 am UTC, CertiK observed unauthorized transfers from an Infini-related Ethereum contract. The attacker accessed the account “0xc49b…” and withdrew 49.5 million USDC, a stablecoin tied to the U.S. dollar.
Following the theft, the hacker swapped the entire sum for DAI, another Ethereum-based stablecoin, and purchased 17,696 ETH. On-chain tracking service Lookonchain reported that the ETH was later transferred to a new wallet address, “0xfcc8…6e49,” a move that remains closely monitored by crypto analysts.
It seems that the stablecoin bank @0xinfini was hacked and 49.5M $USDC was stolen.
The hacker swapped 49.5M $USDC for 49.5M $DAI and bought 17,696 $ETH.
The 17,696 $ETH was transferred to a new wallet "0xfcc8…6e49".https://t.co/AdAyB3q5LA pic.twitter.com/Rft6ZDtDWO
— Lookonchain (@lookonchain) February 24, 2025
The Role of Tornado Cash and the Leak of Private Key
PeckShieldAlert, another blockchain tracker, revealed further details, indicating that a community member had flagged suspicious transactions involving Tornado Cash, a privacy-enhancing tool frequently associated with money laundering.
According to the tracker, the leak of a private key tied to Infini’s system may have enabled the hacker to bypass security measures. PeckShieldAlert confirmed that the key in question, “0xc49b…e3e1,” had been compromised, allowing the attacker to alter the platform’s funds.
The breach’s details raised alarms over key management practices and vulnerabilities in smart contract security. The leaked private key appeared to be the hacker’s central point of entry, indicating a potential flaw in the internal controls surrounding Infini’s operations.
Investigation Underway and Compensation Promised
Following this incident, Infini has responded to the hack by assuring its users that their withdrawals remain unaffected. Despite the severity of the attack, the neobank emphasized that it has processed all withdrawal requests amounting to over $500,000.
Christian Li, the founder of Infini, reassured users, stating that the investigation into the breach is ongoing and that full compensation will be provided if necessary. He also confirmed that the hacker’s computer has been identified, and a police report has been filed.
之前有朋友开玩笑说我这一路也太顺风顺水了,我说已经时刻做好了迎接第一个劫的准备,没想到在bybit之后紧接出事的是自己。
我的个人私钥没有泄漏,不用过度担心,是之前转交权限的时候有疏忽,归根结底是我的责任,这次敲醒了警钟。… https://t.co/7pHxtwD2ZV
— Christian (Building @0xinfini) (@Christianeth) February 24, 2025
Additionally, Li acknowledged that the breach was caused by a personal error in transferring authority within the system. He expressed regret over the incident, confirming that his private key was not compromised and that the platform’s core operations would not be jeopardized moving forward.
The Infini hack is part of a growing trend of high-profile breaches impacting the crypto sector. Just days before this attack, as we reported in our post, Bybit, a prominent cryptocurrency exchange, experienced a $1.4 billion exploit caused by manipulated smart contract logic.