Infini, a Hong Kong-based cryptocurrency neobank offering prepaid cards and interest on stablecoin deposits, has fallen victim to a major exploit resulting in the loss of $49.5 million in user funds. The attack, which occurred on February 24, 2025, drained nearly all of the platform’s total value locked (TVL) just days after Infini celebrated reaching $50 million in TVL.
According to blockchain security firm Cyvers, the exploit was carried out by a former developer who had retained administrative access to Infini’s smart contract. Over three months after initially working on the contract, the attacker used these privileges to drain the funds to a wallet funded through cryptocurrency mixer Tornado Cash.
In response to the hack, Infini has taken the unusual step of directly addressing the attacker through a blockchain transaction. The company stated it had “gathered critical IP and device information” and offered a 20% bounty on the stolen assets if returned within 48 hours. Failing that, Infini warned it would pursue the investigation in collaboration with law enforcement.
The stolen funds, initially in USD Coin (USDC), were swiftly converted to Dai (DAI) and then used to purchase 17,696 Ethereum (ETH). The ETH was subsequently moved to a new wallet, complicating recovery efforts.
Infini’s founder, Christian Li, has taken full responsibility for the security lapse, acknowledging negligence in the authority transfer process from the developer to the project. Li assured users that the protocol remains liquid and pledged to cover the full loss from his personal funds if necessary.
This incident follows closely on the heels of a $1.5 billion hack of crypto exchange Bybit, raising concerns about the security of centralized crypto platforms. The similarity in the attackers’ methods of splitting and moving ETH has led some analysts to speculate about potential connections to the North Korean Lazarus hacking group, though this remains unconfirmed.
The Infini hack has also sparked criticism of stablecoin issuer Circle, with blockchain investigator ZachXBT highlighting the company’s slow response to the incident. According to ZachXBT, the stolen USDC wasn’t fully sold for 40 minutes after the hack, questioning the effectiveness of Circle’s incident response team.
As investigations continue, Infini has assured users that withdrawals remain operational. However, this incident serves as a stark reminder of the risks associated with centralized crypto platforms and the importance of robust security measures in the rapidly evolving digital asset space.
Disclaimer: The information provided on or accessed through TrueToCrypto.com (the “Website”) is for general informational purposes only and is obtained from independent sources that are believed to be reliable. However, TrueToCrypto.com, its owners, affiliates, officers, employees, and agents (collectively, “We,” “Us,” or “Our”) make no representations or warranties, express or implied, as to the accuracy, completeness, timeliness, reliability, or suitability of the information contained on or accessed through this Website. Further read Disclaimer.
