Crypto neo-bank Infini lost $49.5 million in a hack allegedly carried out by a former developer abusing administrative privileges.
The attacker, who had worked on Infini’s contract, leveraged their privileges after the project was completed to drain funds from the platform, according to blockchain analytics platform Cyvers.
In a report shared with Decrypt, smart contract audit firm QuillAudits confirmed that the exploit resulted from “compromised access and privilege escalation,” with the attacker exploiting a private key breach that granted them access to a compromised account.
“The hacker gained access to a private key associated with the account “0xc4…3e1,” the report notes. “This account had been granted a special role (0x8e0b) that allowed it to withdraw funds from the vault.”
The hacker reportedly initiated two transactions—$11.45 million in the first and $38.06 million in the second—leading to the total stolen amount of $49.5 million from the Morpho MEVCapital USDC Vault.
The funds were then quickly swapped from USD Coin (USDC) into Dai (DAI) and converted into 17,696 ETH. Then the funds were transferred to a secondary address.
Following the breach, Christian Li, Infini’s founder, took to Twitter to acknowledge the incident and offer reassurance. He said the team had been “negligent when transferring the authority before.”
“It is ultimately my responsibility this has sounded the alarm,” Li said. “There is no problem with liquidity… full compensation can be paid and the funds are being traced.”
Despite the breach, Infini continued to allow withdrawals. Li reassured users that “full compensation can be paid” in the worst-case scenario.
Li expressed hope for recovering the stolen funds and offered the hacker 20% of the stolen amount, assuring that no legal action would be taken if the funds were returned.
The lack of further obfuscation techniques means the stolen assets might still be traceable, QuillAudits report notes.
Cyvers provided an analysis stating that the hacker, retaining the admin rights, went undetected for over 100 days, later funneling the stolen funds through the Ethereum-based coin mixer Tornado Cash.
“This incident highlights the critical risks of retained administrative privileges in smart contracts,” Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, told Decrypt. “In the meantime, this serves as a strong reminder for projects to thoroughly audit and revoke unnecessary permissions post-deployment.”
Infini shared its official statement hours after the hack—saying all transactions, including transfers, deposits, and withdrawals, remained unaffected.
“We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment,” Infini tweeted on Monday.
“It’s frustrating because these aren’t new problems,” QuillAudits research team told Decrypt. “We’ve seen this play out repeatedly, yet projects still underestimate how critical it is to lock down access.”
The team shared that until teams start treating access control as a “core security priority,” and not an afterthought, these hacks will keep happening.
“It’s not just about better tech; it’s about better habits,” the research team said.
The breach at Infini follows a major exploit at crypto exchange Bybit, which suffered a massive loss of $1.4 billion in Ethereum and related tokens last Friday, marking one of the biggest hacks in the industry’s history.
On-chain analysis revealed Lazarus Group, a North Korean state-sponsored hacking group, to be behind the attack.
Bybit’s response was similar to Infini’s in some ways, as the exchange opted to keep withdrawals open and vowed to cover the loss if the funds could not be recovered.
The hack comes amid growing concerns about security in the DeFi space, with over $2.2 billion in crypto stolen last year, and 50% of the stolen funds linked to North Korean hacking groups, as per blockchain analysis firm Chainlalysis’ report.
“The number of individual hacking incidents went up from 282 incidents in 2023 to 303 incidents in 2024,” the report said.
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
