Infini Hack — February 24, 2025
A hacker stole $49.5 million from stablecoin neobank Infini. The attacker was a rogue former developer who exploited poor access management.
The project hired an anonymous developer to create and deploy its smart contracts in 2024, and the code was launched on-chain as an unverified smart contract, meaning that no corresponding source code was released on GitHub.
When the developer created and deployed this contract, they included a special role (0x8e0b) that provided the right to drain all of the funds from the contract's vault. This role was granted to a particular blockchain address that was breached and under the rogue developer's control.
The attacker exploited their retained administrative rights, which went undetected for over 100 days.
The hacker reportedly initiated two transactions—$11.45 million in the first and $38.06 million in the second—leading to the total stolen amount of $49.5 million from the Morpho MEVCapital USDC Vault.
The USDC withdrawn from the vault was swapped to DAI to prevent blocklisting and later converted to approximately 17.7k ETH. The attacker also covered their tracks by sending the stolen assets through the Tornado Cash laundering service.
The neobank offered the hacker 20% of the stolen funds to return the money within 48 hours, threatening legal action otherwise. The neobank's founder, Christian Li, has pledged to cover the full loss from his personal funds and took responsibility for the incident.
If the privileged account had been managed by a multi-sig wallet, then the rogue developer would have needed access to multiple keys to carry out their attack.
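One way to audit for a retained role like the one described above, as an added example (not code from Infini or from this write-up): it replays role grant and revoke events and flags any privileged role still held by an address other than the approved multi-sig. It assumes the contract emits OpenZeppelin-style `RoleGranted`/`RoleRevoked` events, which the page does not confirm; every role id, address and date below is a constructed placeholder.

```python
from datetime import datetime, timezone

# Constructed placeholders: not the incident's real role ids or addresses.
DRAIN_ROLE = "ROLE_DRAIN_PLACEHOLDER"
PAUSE_ROLE = "ROLE_PAUSE_PLACEHOLDER"
MULTISIG = "0xMULTISIG_PLACEHOLDER"
DEPLOYER = "0xDEPLOYER_PLACEHOLDER"
OPS_KEY = "0xOPS_PLACEHOLDER"

def ts(day):
    """Convert a YYYY-MM-DD string to a UTC unix timestamp."""
    return int(datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp())

# Constructed sample log, in the shape of decoded AccessControl events (assumed).
# Real logs would be ordered by (block number, log index) instead of "time".
EVENTS = [
    {"event": "RoleGranted", "role": DRAIN_ROLE, "account": DEPLOYER, "time": ts("2024-01-01")},
    {"event": "RoleGranted", "role": PAUSE_ROLE, "account": OPS_KEY, "time": ts("2024-01-01")},
    {"event": "RoleGranted", "role": DRAIN_ROLE, "account": MULTISIG, "time": ts("2024-01-05")},
    {"event": "RoleRevoked", "role": PAUSE_ROLE, "account": OPS_KEY, "time": ts("2024-01-20")},
]

def current_holders(events):
    """Replay grants and revocations in order; return {(role, account): grant_time}."""
    held = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["role"], e["account"].lower())
        if e["event"] == "RoleGranted":
            held.setdefault(key, e["time"])   # keep the earliest live grant
        elif e["event"] == "RoleRevoked":
            held.pop(key, None)
    return held

def audit(events, privileged_roles, approved, now):
    """Flag privileged roles still held by an address outside the approved set."""
    approved = {a.lower() for a in approved}
    findings = []
    for (role, account), granted in current_holders(events).items():
        if role in privileged_roles and account not in approved:
            findings.append({"role": role, "account": account,
                             "days_held": (now - granted) // 86400})
    return sorted(findings, key=lambda f: -f["days_held"])

if __name__ == "__main__":
    for f in audit(EVENTS, {DRAIN_ROLE, PAUSE_ROLE}, {MULTISIG}, ts("2024-05-01")):
        print(f"{f['account']} still holds {f['role']} after {f['days_held']} days")
```

Run on a schedule against the contract's full event history, this turns a forgotten deployer grant into an alert instead of a finding made after the funds have moved.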