Infini Neobank’s Interaction with Hacker

Christian Li, the founder of the stablecoin digital bank Infini, communicated with the hacker through a blockchain transaction, reaffirming a white-hat agreement and offering a 20% bounty on the stolen funds.

Li transferred 0.1 ETH to the hacker’s address after they stole $49.5 million from Infini’s wallets. In the transaction message, Li praised the hacker’s skills in identifying vulnerabilities and proposed the bounty, stating that no legal action would follow if the funds were returned.

Source: Etherscan

This marks the second message sent to the hacker; the first occurred on February 24, the day of the hack. In that initial message, Infini warned the hacker that they were monitoring the address and might freeze the stolen funds. They also provided a 48-hour window for the hacker to respond, warning that inaction would prompt investigations alongside law enforcement.

> Important update:
> We’ve identified critical info regarding the exploit and we’re monitoring involved addresses.
> — Infini (@0xinfini) February 24, 2025

The hacker’s theft included $49.5 million in USDC just days after Infini announced reaching $50 million in total value locked.

On February 24, CertiK identified suspicious activity, noting unauthorized transfers from an Infini contract on Ethereum. The hacker managed to access the account 0xc49b… and withdrawal of 49.5 million USD Coin (USDC) ensued. These stolen funds were later exchanged for Dai (DAI) and used to purchase 17,696 Ethereum (ETH), which was then moved to a new wallet, 0xfcc8…6e49. Following the hack, Infini’s co-founder reassured customers of their reimbursement.

According to Cyvers, the exploit was due to a developer retaining admin rights while setting up the smart contract, enabling them to drain the funds three months later to a wallet financed through the crypto mixer Tornado Cash. This breach appears to stem from a compromised private key rather than vulnerabilities in wallet infrastructure, unlike the recent hack at Bybit.

> 🚨ALERT🚨Today, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges.
> — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 24, 2025

You might also like: Infini neobank reportedly suffers a $49.5M hack