Crypto neobank Infini exploited for $50M, rogue developer suspected

Hong Kong-based stablecoin neobank Infini was an exploit that drained roughly $50 million, with investigations pointing to a rogue developer behind the incident.

The exploit was first flagged by blockchain security firm CertiK on February 24 at 3:18 am UTC, which noticed unauthorised transfers from an Infini-linked contract on Ethereum.

The attacker granted themselves special access to an account and withdrew 49.5 million USD Coin (USDC).

What happened?

In its first post-mortem report, Cyvers, another blockchain-focused security firm, claimed the attacker was likely a developer who had previously worked on Infini’s smart contracts and had retained hidden administrative privileges even after the project’s completion.

Using these privileges, the developer first funded a wallet with 1 ETH from the crypto-mixing service Tornado Cash to cover gas fees.

With this wallet, they executed a custom contract—created back in November 2024—to gain unauthorised access to Infini’s system.

This allowed them to drain 49.5 million USDC from the platform.

Subsequently, the loot was swapped for DAI, a stablecoin that cannot be frozen by issuers, allowing the attacker to avoid any immediate intervention.

After this, the DAI was used to purchase 17,696 ETH, which was then transferred to a new wallet, according to data shared by on-chain tracker Lookonchain.

Per a now-deleted tweet, the culprit was identified by the Infini team and reported to the police, although an official statement from the company had yet to be published.

What’s next for Infini users?

Established in 2024, Infini is a neobank, a digital-only financial institution that serves users without any physical branches.

Infini operates entirely online, offering services like stablecoin payments, yield-generating accounts, and other crypto-friendly offerings.

The platform quickly gained traction, boasting a 500% monthly growth rate in active users, according to a press release from February 14.

However, the recent exploit has cast a shadow over its progress.

Right after reports of the incident started appearing across social media, founder Christian Li said the company would compensate all affected users irrespective of the outcome of the asset recovery efforts currently underway. 

In a later update, Li explained that 70% of the funds lost belonged to “big investors” who have all been personally contacted and made aware of the incident.

He vowed to cover their losses with his own funds through private settlements. 

As for the remaining stolen funds, Li assured users that they would be fully replenished into the Infini Vault by next Monday, ensuring that operations continue as usual.

He also confirmed that enough liquidity had been prepared to meet any withdrawal requests during this period, urging users to remain calm.

Li added that Infini would take the necessary time to upgrade and restart its services, prioritising the security of funds before resuming full operations.

As of publication time, withdrawals on Infini remained active.

Li further added that over $500,000 had been withdrawn from the platform since the exploit.

A bad week for crypto

The Infini hack is just the latest in a wave of major security breaches shaking up the crypto world.

Just days earlier, on February 21, Bybit fell victim to one of the biggest exchange hacks in the history of crypto, losing over $1.4 billion.

Believed to be orchestrated by the North Korean state-backed hacking group Lazarus, the attackers exploited smart contract logic to drain funds from the platform’s multi-signature cold wallet.