In February 2025, Infini, a Hong Kong-based neobank, suffered a $49.5 million hack perpetrated by a former developer who retained unauthorized access to the platform’s system. The attacker exploited a special role (0x8e0b) in an unverified smart contract, deployed in 2024, which allowed them to drain funds from the contract’s vault. The stolen USDC was swapped to DAI to avoid blocklisting and converted to 17,696 ETH, then laundered through Tornado Cash. Infini offered the hacker a 20% bounty to return the funds within 48 hours, threatening legal action otherwise. The incident, caused by poor access management and an unverified contract with a backdoor, highlights the risks of insider threats, inadequate smart contract audits, and the need for multi-signature wallets, access revocation protocols, and robust security practices in neobanks.
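
The access-revocation gap described above can be checked by replaying a contract's role events and comparing the current holders with an approved list. The following is an added example, not code from Infini or from the original report; it assumes OpenZeppelin AccessControl-style `RoleGranted`/`RoleRevoked` events, and every role id, address and policy entry in it is a constructed placeholder.

```python
"""Reconcile on-chain role holders against an approved list (added example)."""
from collections import defaultdict

# Constructed sample logs. Event names follow the OpenZeppelin AccessControl
# convention (an assumption; the report does not say what the contract emits).
SAMPLE_LOGS = [
    {"block": 100, "event": "RoleGranted", "role": "0xROLE_ADMIN", "account": "0xMULTISIG"},
    {"block": 100, "event": "RoleGranted", "role": "0xROLE_WITHDRAW", "account": "0xDEV_DEPLOYER"},
    {"block": 140, "event": "RoleGranted", "role": "0xROLE_WITHDRAW", "account": "0xMULTISIG"},
    {"block": 150, "event": "RoleGranted", "role": "0xROLE_ADMIN", "account": "0xDEV_DEPLOYER"},
    {"block": 200, "event": "RoleRevoked", "role": "0xROLE_ADMIN", "account": "0xDEV_DEPLOYER"},
]

# Constructed policy: which accounts may hold each role today.
APPROVED = {
    "0xROLE_ADMIN": {"0xMULTISIG"},
    "0xROLE_WITHDRAW": {"0xMULTISIG"},
}


def current_holders(logs):
    """Replay grant/revoke events in block order; return {role: {accounts}}."""
    holders = defaultdict(set)
    for log in sorted(logs, key=lambda entry: entry["block"]):
        role, account = log["role"].lower(), log["account"].lower()
        if log["event"] == "RoleGranted":
            holders[role].add(account)
        elif log["event"] == "RoleRevoked":
            holders[role].discard(account)
    return {role: accts for role, accts in holders.items() if accts}


def unapproved_holders(logs, approved):
    """Return sorted (role, account) pairs that hold a role outside policy.

    A role with no policy entry is reported for every holder, so an
    undocumented privileged role is surfaced rather than ignored.
    """
    allowed = {r.lower(): {a.lower() for a in accts} for r, accts in approved.items()}
    findings = []
    for role, accts in current_holders(logs).items():
        for account in accts - allowed.get(role, set()):
            findings.append((role, account))
    return sorted(findings)


if __name__ == "__main__":
    for role, account in unapproved_holders(SAMPLE_LOGS, APPROVED):
        print(f"UNAPPROVED role={role} account={account}")
```

In the sample data the deployer's admin role was revoked but its withdrawal role was not, which is the kind of leftover grant an offboarding review should catch.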