Crypto Neobank Infini hit by $49.5 million hack, offers 20% to hacker if returned

Crypto Neobank Infini, a prepaid payment card issuer, has been hit by a massive hack of almost $49.5 million.

According to reports, the hack was orchestrated by a former developer exploiting administrative privileges. In addition, the hacker was assigned to work on Infini’s contract a couple of months ago where the developer kept the admin rights over the smart contract, leading to the recent hack.

The security breach follows Sunday’s announcement by Infini that the firm hit $50 million in total value locked. The $49.5 million hack suggests that nearly all of the firm’s funds have been looted in the exploit.

During the attack, the hacker looted the funds via two transactions. First, they transacted $11.45 million and then $38.06 million, leading to a total of $49.5 million. 

Also, the amount was transacted from the Morpho MEVCapital USDC Vault where the USD coins were immediately swapped to Dai (DAI) and then converted to 17,696 ETH. Immediately the stolen funds were converted to ETH, and the hacker shifted it to a secondary address, according to reports. 

Smart contract audit firm, QuillAudits gave more details on the incident. The firm claimed that the hack took place due to the “compromised access and privilege escalation”. 

QuillAudits again explained that the hacker gained access to a private key of the account “0xc4…3e1”. Notably, this account was given a special role that allowed it to withdraw funds from the vault, providing the hacker with easy leverage to loot $49.5 million in the account.

Christian Li, founder of Infini, acknowledged the breach via his X (Twitter) account where he addressed the issue and confirmed that the company was careless during authority transfer.

While personally taking full responsibility for the cyber attack, Li assured that all stolen funds would be returned to the customers and that all stolen funds would be fully recovered. Amidst the hack, Neobank Infini continues to allow withdrawals.

The crypto company, in its official statement, expressed regret for the hack. Infini noted that all transactions including transfers, deposits, and withdrawals are unaffected by the hack. 

Similar Read: Bybit recovers from $1.4 billion worth of crypto losses to hackers. 

Infini’s security breach

In its effort to freeze the stolen funds, Infini had a conversation with the hacker in a blockchain transaction where they noted that they were closely monitoring the secondary address. Perhaps the hacker chose to return the stolen assets, the company has offered 20 per cent of the total funds.

Infini further added that if the hacker fails to respond within 48 hours to “facilitate a swift resolution”, it will move its investigation with law enforcement. 

QuillAudits had suggested that the stolen funds are still traceable which offered a glimpse of hope for the crypto company and its customers. 

The hack is the second in a week after the crypto exchange platform, Bybit was hacked on Friday resulting in the loss of $1.4 billion worth of cryptocurrency. Reports exposed that the theft was carried out by the North Korean state-sponsored Lazarus Group. 

The company has claimed that it has fully recovered the loss through loans, whale deposits, and Ethereum (ETH) purchases.

The incident follows several high-profile hacks and security incidents throughout 2024 and early 2025. According to a report by Chainalysis, cybercrime actors stole $2.2 billion from various cryptocurrency platforms in 2024. Also, $1.3 billion of the unlawful funds were stolen by North Korean hackers, this represents 61 per cent which is more than half of the total illicit funds.

Chainalysis, a blockchain analytics platform that has been analyzing cryptocurrency flows for several years, explained that 2024 is the fifth year in the past decade that hackers have stolen over $1bn from crypto firms.

Cyvers, a blockchain analytics platform, shared that the compromised security access is one of the major reasons behind the increasing hacks in the crypto world. It explained that a hacker has to retain the admin rights for over 100 days, which is often left unidentified by firms. 

QuillAudits likewise shared that such events repeating in crypto is frustrating and yet companies underestimate such crucial weaknesses. It added that until companies treat access control as a “core security priority,” such hacks and attacks will continue to manifest.