Infini crypto neobank loses $49M to insider breach

Infini, a crypto-focused neobank, has suffered a significant security breach, resulting in the loss of over $49 million in USDC. The attack was carried out by an exploiter who retained administrative access to a smart contract after initially developing it as an external contractor. The stolen funds were quickly converted to DAI and then swapped for Ethereum (ETH), making tracing and recovering difficult. Infini, a stablecoin DeFi bank and crypto card issuer, has yet to provide an official response or explanation for the hack.

According to Cyvers Alerts, the attacker exploited an internal system vulnerability by secretly retaining admin rights even after their contract work ended. This unauthorized access allowed them to drain liquidity from Infini’s Morpho MEV Capital Usual USDC Vault. The exploit was first noticed after an unusual whale transaction in which a new wallet withdrew all locked funds. Investigations revealed that Infini had unknowingly allowed the attacker to maintain admin privileges, enabling them to execute the heist undetected over several months.

Following the breach, the hacker swiftly swapped the stolen USDC for 17,696 ETH using decentralized platforms like Uniswap, Sky Protocol, and 0x Protocol. They used Tornado Cash for initial wallet funding to further obscure their tracks and then split the stolen assets across multiple addresses. Unlike other high-profile breaches, Infini has not halted deposits or withdrawals, suggesting that liquidity remains unaffected. However, on-chain analysts are actively monitoring the movement of funds to track potential laundering efforts.

Speculation has emerged linking the attack to the notorious North Korean-affiliated Lazarus hacker group, known for similar tactics. While no direct connection has been established, on-chain investigator ZachXBT has identified transaction patterns resembling past Lazarus exploits. The breach follows a $1.5 billion hack on the Bybit exchange just days earlier, further highlighting the growing security vulnerabilities within the crypto sector.

Infini’s founder, @christianeth, took responsibility for the breach, admitting negligence in the transfer of admin authority. He assured users that Infini remains liquid and pledged full compensation if necessary. "My private key has not been leaked, so there is no need to worry too much. I was negligent when transferring the authority before. It is ultimately my responsibility. This has sounded the alarm… There is no problem with liquidity. Full compensation can be paid, and the funds are being traced," he wrote on X. Meanwhile, co-founder @0xsexybanana deleted her X account following the incident, fueling speculation about insider involvement.