Digital neobank Infini faced a staggering $49.5 million exploit on February 24, marking one of 2025’s largest crypto heists. Blockchain security firm CertiK first detected unauthorised transfers from an Infini-linked Ethereum contract, tracing the theft to a former developer. Meanwhile, the attacker converted stolen USDC into DAI, then purchased 17,696 ETH, funnelling funds to a fresh wallet.
CertiK Uncovers Suspicious Activity
At 3:18 AM UTC, CertiK flagged abnormal transactions from Infini’s contract, revealing the exploiter granted themselves elevated access. Cyvers Alerts later identified the attacker as a past Infini developer who retained administrative rights post-project completion. Notably, the individual funded their wallet via the privacy tool Tornado Cash 100 days prior, executed a test ETH transfer, and then drained $49.5 million in USDC.
Ex-Developer Evades Detection
According to Cyvers, the rogue actor operating from address “0xc49b” stealthily maintained admin control despite handing over the contract. After laundering initial funds through Tornado Cash, they initiated a small ETH transaction for gas fees before syphoning millions. Lookonchain confirmed the stolen USDC was swapped to DAI, then converted to ETH worth $49 million, which migrated to wallet “0xfcc8”.
PeckShield Blames Private Key Leak
Contradicting CertiK’s findings, PeckShield attributed the breach to a compromised private key. However, Infini co-founder Christian Li denied his key was leaked, admitting instead to oversight in transferring administrative control. “This is a wake-up call,” Li stated, accepting full responsibility. Concurrently, co-founder Christine assured users of full reimbursement, asserting Infini’s financial capacity to cover losses despite ongoing recovery efforts.
Infini Vows Compensation
Launched in 2024, Infini bridges traditional banking and crypto, offering stablecoin transactions and yield accounts via its app. Despite the breach, the platform had reported a 500% monthly user growth spike days before the hack. Post-incident, co-founder Christine tweeted: “We will compensate you… Please believe me and @Christianeth.” Nevertheless, Infini has yet to publish an official recovery roadmap on its website or social channels.
Hacks Intensify Industry Security Concerns
The Infini breach follows Bybit’s historic $1.4 billion exploit on February 21, where Lazarus Group allegedly drained ETH reserves via manipulated smart contracts. Bybit CEO Ben Zhou confirmed collaboration with security firms, offering a $140 million bounty for asset recovery. These incidents highlight escalating vulnerabilities in crypto infrastructure, particularly around private key management and contract oversight.
Neobank’s Future Hangs on Security Overhaul
As Infini scrambles to restore trust, experts urge stricter audits of admin privileges and multi-signature protocols. Transitioning forward, the firm must transparently address how an ex-developer retained unchecked access. With the crypto sector reeling from back-to-back breaches, the incident underscores an urgent need for fortified security frameworks industry-wide.
