- Infini, a burgeoning neobank, has lost $49 million in USDC due to a security breach stemming from a smart contract developer’s admin access.
- The exploit, which targeted Infini’s high-yield stablecoin products, bears similarities to previous attacks attributed to the Lazarus Group, raising concerns about potential North Korean involvement.
The threat of online theft has returned with force. The latest target is Infini, a stablecoin bank that was exploited for $49M in USDC. The exploit is suspected to have resulted from the smart contract developer retaining backdoor access, suggesting a possible insider threat.
Reportedly, the exploiter who took $49M from the Infini protocol, a stablecoin DeFi bank, had admin access. Still, the company has stayed silent about the exploit: the DeFi bank has neither reacted nor explained the details of the intrusion.
Infini has heavily advertised itself as a neobank mixing crypto and traditional finance. Notably, the advertising paid off: the product attracted 500% more users in the few weeks leading up to the exploit, as it kicked off its card campaigns.
The neobank also offers high-yield earnings products, which increased the liquidity available for the exploiter to take.
The bank’s yield products created what seemed like a perfect vulnerability spot, leading to the exploit, with funds being drained from the Morpho MEV Capital Usual USDC Vault. Notably, Morpho itself has not reported any losses or issued warnings.
From Whale Transaction to Exploit
At first, it looked like a typical whale transaction in which a new wallet withdrew all funds in the contract. Infini had prior knowledge of the attacker’s wallet, having reportedly commissioned its owner to develop the smart contract. Unbeknownst to Infini, the developer retained admin privileges, enabling them to execute a perfect call that drained all liquidity.
Cyvers Alerts (@CyversAlerts), February 24, 2025:
"ALERT Today, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges. The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the contract as part of the Infini project. However, after…"
A series of events followed as the exploiter was racing against time to move the funds before they could be frozen, a standard security measure for USDC.
Immediately following the exploit, the attacker rapidly converted the stolen USDC into 17,696 ETH via decentralized exchanges like Uniswap, Sky Protocol, and 0x Protocol, using DAI as an intermediary. This swift action aimed to secure the funds in ETH, an asset that can’t be frozen, only blacklisted, making it a safe bet for the exploiter.
The attacker then split the stolen funds into smaller amounts and distributed them across numerous addresses. To initiate the transaction, the exploiter funded a newly created wallet with a small amount of ETH for gas, using Tornado Cash to obscure the wallet’s origin.
The stolen ETH was then transferred through a series of transactions and had not yet been fully mixed at the time of this report.
Big Question: Is the DPRK Involved?
Speculation has arisen regarding the involvement of North Korean (DPRK) hackers, given similarities to previous attacks. Infini has not disclosed the identity of the smart contract’s creator, adding to the uncertainty.
The Infini hack follows a significant exploit at Bybit earlier in 2025, where up to $1.5 billion in ETH was lost. The Bybit attacker used a similar tactic of splitting funds before mixing, a method frequently associated with the Lazarus Group by on-chain investigator ZachXBT.
While this pattern raises suspicion, Infini has not yet linked the exploiter’s wallets to known Lazarus addresses.