Hong Kong Stablecoin Neobank Infini Loses $49.5 Million to Former Developer

A breach of trust rocks Hong Kong-based stablecoin neobank Infini as a former developer, allegedly retaining administrative access, is suspected

A former developer of Hong Kong-based stablecoin neobank Infini is suspected of stealing nearly $50 million in a brazen exploit, according to a report by Web3 security firm ExVul on Friday.

The stolen funds, initially present in USDC, were swiftly converted into DAI and subsequently into Ethereum (ETH) before being moved to an external wallet. This multi-step process is a common tactic used by attackers to obfuscate the trail of stolen funds. The incident underscores the persistent security vulnerabilities that plague the decentralized finance (DeFi) space.

Infini, which recently rebranded from X-Infinity, acknowledged the security compromise in a statement posted on X (formerly Twitter), expressing deep regret for the concern caused.

“We’re aware of reports on a security compromise affecting Infini. We’re deeply sorry for the concern this causes – our team is working around the clock to investigate and secure all systems at the moment,” the company said.

Despite the setback, Infini reiterated its commitment to its mission: “All transfers, deposits, withdrawals, and payments remain in normal usage and working status. Despite the challenge, Infini’s vision — to redefine the future of digital finance as a crypto neo bank — has never changed. Keep building!”

According to ExVul's analysis, the contract used in the exploit (0x9A79f4105A4e1A050Ba0b42F25351D394fA7E1DC) was created by the attacker (0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1) as part of the Infini project.

“After the project delivery, the attacker retained administrative privileges,” ExVul noted in an X post. “After over 100 days of dormancy, the attacker utilized the previously retained privileges from the contract’s development phase.”

The attacker first transferred a small amount of Ethereum for gas fees, then interacted with the contract to steal all of the funds, which were then converted to DAI, and later to ETH, before being transferred to an external wallet (0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49).

Infini's founder, known only as Christian, addressed the situation directly in a translated X post, revealing that a significant portion of the stolen funds belonged to major investors.

“70% of the $50M stolen belonged to big investors I know. I have communicated with them one by one and I will personally bear the possible losses and settle privately,” Infini's founder said.

He reassured other users about the remaining funds: “The remaining funds will be reinvested in Infini Vault before next Monday, and everything will remain the same. The funds have been prepared and will respond to any withdrawal requests in the meantime, so please rest assured.”

Christian also acknowledged the need for temporary service adjustments, saying, “Sorry, it will take some time to upgrade and restart the business. Everything will be carried out under the premise of ensuring the absolute safety of funds. Shame on you, be grateful, and we will do better.”

Infini has promised to fully reimburse all affected users, a move that may help to mitigate some of the reputational damage caused by the exploit. However, the incident serves as a powerful reminder of the critical need for rigorous security protocols, including strict access control management and comprehensive code audits, particularly within the rapidly evolving and often-targeted DeFi ecosystem.