Stablecoin Security at Risk as Infini Loses $49M in Smart Contract Attack

Infini, a Hong Kong-based stablecoin neobank, lost $49M in USDC to a smart contract exploit via Tornado Cash.

Zagham Abbas
February 24, 2025
12:41 pm

Zagham Abbas

Zagham is a renowned crypto journalist known for his insightful analysis and in-depth reporting on the cryptocurrency industry.

Hong Kong-based stablecoin neobank Infini suffered a smart contract exploit, leading to the loss of $49 million in USDC.
Stolen USDC was swiftly converted to ETH and funneled through privacy tool Tornado Cash.
The breach raises concerns over smart contract security, following Bybit’s $1.4B exploit just days earlier.

Hong Kong-based stablecoin platform and neobank Infini fell victim to a devastating exploit, and hackers stole approximately $49 million in USDC. Cybersecurity firms Cyvers and Blocksec have named Infini as the compromised party following an in-depth analysis of on-chain data.

According to blockchain security experts Cyvers, the attack happened through Infini’s smart contract system, which was compromised by administrative access. The intruder exploited a specified contract address (0x9A7) under an address (0xc49) for Infini’s project. The intruder, using such access, modified settings on the contract and made illegitimate fund transfers.

🚨ALERT🚨Today, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges.

The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the contract as part of the Infini project. However, after… pic.twitter.com/olguOyNCJr
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 24, 2025

The $49 million stolen USDC filtered through Tornado Cash, an extensively recognized solution for maintaining privacy to cover up transaction flows. The stolen stablecoins were laundered by attackers in no time to others, making them traceless.

Despite continued investigations, security officials do not know better how exactly administrative access was made. They are investigating whether the breach happened through a compromised private key or manipulation of unauthorized contracts.

Infini Hack Sparks Stablecoin Security Concerns

Infini’s founder, Christian, appeared on X (formerly Twitter) to address the issue. In a tweet in a translated post, Christian clarified that the attack did not result from a leaked private key but an accident in which the intruder found himself maintaining administrative access to the contract. Christian reassured users that there “is no issue with liquidity” and that impacted users would have their fair.

之前有朋友开玩笑说我这一路也太顺风顺水了，我说已经时刻做好了迎接第一个劫的准备，没想到在bybit之后紧接出事的是自己。

我的个人私钥没有泄漏，不用过度担心，是之前转交权限的时候有疏忽，归根结底是我的责任，这次敲醒了警钟。… https://t.co/7pHxtwD2ZV
— Christian (Building @0xinfini) (@Christianeth) February 24, 2025

The Infini hack comes on the heels of a massive security breach just days earlier on February 21, when crypto exchange Bybit suffered an exploit resulting in a staggering $1.4 billion loss. This growing wave of attacks highlights the urgent need for enhanced security measures in the DeFi and stablecoin sectors.

As investigations continue, the Infini exploit is also a stark reminder of vulnerabilities left in smart contract-based financial systems. The crypto space is now watching how Infini behaves and whether or not it is capable of regaining trust among its users after such a massive security breach.