Disaster struck the crypto world last Sunday when a massive $49.5 million in USDC was swiped from Infini’s stablecoin bank. The February 24th breach wasn’t your typical hack job – this was an inside job. A former developer, hired to build Infini’s smart contract, kept admin rights after completing the project. Sneaky move.
Admin rights left the back door wide open — a $49.5 million crypto lesson learned too late.
The attacker waited patiently, over 100 days, before making their move. When they struck, they converted the stolen USDC to 49.5 million DAI, then swapped it for 17,696 ETH. Classic crypto laundering. The funds ended up in a new wallet (0xfcc8…6e49) faster than you could say “security audit.” The gas fees spiked dramatically during the heist due to increased network activity.
Here’s how it went down: Two transactions – $11.45M and $38.06M – using a compromised account with special privileges. The hacker accessed the Morpho MEVCapital USDC Vault with a private key they never should have had. Talk about a security nightmare. The stolen assets were eventually funneled through Tornado Cash to further obscure their trail.
Infini founder Christian Li immediately owned up to the oversight. Gotta respect that level of accountability, rare in crypto these days. He assured users their funds were safe and promised full compensation. Withdrawals continued processing, even as they surged to 500,000 USD following the hack announcement.
The timing couldn’t be worse, coming just days after the massive $1.5 billion Bybit breach on February 21. Another day, another DeFi disaster. The pattern’s getting old.
Interestingly, ETH prices rallied above $2,800 briefly as exchanges scrambled to refill reserves. Typical crypto market – someone’s catastrophe is another’s profit opportunity.
Infini even offered the hacker a 20% bounty to return the funds. “Pretty please give back the millions you stole? We’ll let you keep some!” Not holding my breath on that one.
The incident highlights an essential lesson about retained admin access. Maybe next time, check who still has the keys before filling the vault with $49 million. Just a thought.
