InfoSecBulletin Cybersecurity for mankind
Days after the biggest crypto hack ever, another platform has experienced a major exploit. Infini Earn, a decentralized stablecoin bank, lost $49.5 million in USDC, making it one of the year’s biggest security breaches in DeFi.
Reportedly a compromised private key led to an attack that stole 11.4 million and 38 million USDC in two separate transactions.
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
The attacker quickly exchanged the stolen USDC for DAI and then purchased 17,696 ETH. They transferred the funds to a new wallet labeled “0xfcc8…6e49.”
Blockchain analysis indicates that the perpetrator might be someone connected to the initial contract development for Infini.
Reports indicate that the attacker kept admin access to the contract after finishing their work. Over 100 days later, they used Tornado Cash, a crypto mixing service, to hide their identity before carrying out the exploit.
Morpho MEVCapital’s USDC vault was breached, draining funds in two transactions. The hack is thought to have occurred due to unauthorized access to the platform’s private key.
After the attack, Infini Earn’s founder, Christian Li, spoke about the incident on X.
Li accepted responsibility for the security lapse due to improper contract authority transfer, which allowed the exploit to occur.
“There is no problem with liquidity. Full compensation can be paid, and the funds are being traced. I know rebuilding trust will be a difficult process, but we won’t give up,” Li stated.
Li assured users that withdrawals are still available, but financial management operations have been suspended to minimize risks.
He stated that 70% of the stolen funds were from institutional investors and promised to cover the losses personally and resolve the matter privately.
Li announced plans to reinvest the remaining funds into Infini Vault by Monday to restore normal operations.
