Infini Suffer Over $49M in USDC Loss Following Private Key Breach

On February 24th, 2025, A significant security breach targeted Infini, a decentralized finance (DeFi) stablecoin banking platform, due to a private key leak to the theft of approximately $49.5 million in USDC.

Hackers Exploit Details

The exploit involved an attacker exploiting retained administrative privileges from the address – 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1. This individual, previously involved in developing Infini’s contract, had surreptitiously maintained administrative access even after the project’s completion. This oversight proved catastrophic.

The attack unfolded over a period exceeding 100 days. The attacker initially funded their address through Tornado Cash, a privacy-enhancing tool, before executing a small ETH transaction to cover gas fees. This seemingly innocuous activity preceded the decisive exploit, during which the attacker drained the platform’s funds.

Notably, the stolen 49.5 million USDC was swiftly converted into an equivalent amount of DAI and subsequently exchanged for 17,696 ETH. These funds were transferred to a new wallet address, 0xfcc8…6e49.

The theft occurred in two distinct phases, totaling 50,000,000 USDC. The first phase involved the theft of 11,455,666 USDC, followed by a second, significantly more significant theft of 38,060,996 USDC.

These transactions originated from Morpho MEVCapital’s usual USDC vault, highlighting the systemic risk posed by such vulnerabilities within the DeFi architecture. The Infini founder confirmed that the leakage of a private key was the root cause of the breach.

Infini Founder Christian Li Addresses Breach

In the aftermath of the attack, Infini founder Christian Li issued a statement acknowledging responsibility for overseeing administrative authority transfer. They emphasized that their personal private key remained secure and asserted that the platform possesses sufficient liquidity to compensate affected users fully.

“A friend jokingly suggested my journey had been too easy. While I anticipated challenges, I never expected to encounter them so directly following my involvement with Bybit. My private key remains secure; there’s no widespread security breach. My error lies in the oversight during the authorization transfer – a responsibility I fully accept,” Christian stated on X.

In an attempt to calm Infini users, Christian noted that the firm is thoroughly investigating the matter. Withdrawals function normally. Moreover, he asserted that he promised to provide full compensation in the improbable event of further problems. The statement also highlighted ongoing efforts to trace the stolen funds and rebuild user trust.