On February 24, 2025, Infini, a Hong Kong-based stablecoin neobank, suffered a devastating security breach that resulted in the theft of approximately $49.5 million in cryptocurrency. The attack stands as a stark reminder that insider threats remain one of the most dangerous vectors in the digital asset space, particularly for platforms that rely heavily on smart contract infrastructure.
The Exploit Mechanics
The breach was carried out by a former developer who retained administrative access to Infini’s smart contract systems after departing the company. Infini’s access management process did not revoke the developer’s credentials on exit, so the elevated permissions stayed in place. The attacker used these retained admin privileges to execute unauthorized transfers directly from the platform’s smart contracts.
Once inside, the hacker systematically drained approximately $49.5 million in digital assets. The stolen funds were quickly converted into 17,696 Ethereum (ETH), valued at roughly $49 million at the time, with ETH trading around $2,513 according to market data from that date. The rapid conversion into a major cryptocurrency like ETH is a common laundering technique, as it allows the attacker to move funds through decentralized exchanges and mixing services with relative ease.
Affected Systems
Infini operates as a stablecoin-focused neobank, offering digital banking services without physical branches. Its infrastructure relies entirely on blockchain technology, smart contracts, and web-based systems to handle user funds. The exploit targeted the core smart contract layer — the backbone of Infini’s operations — which meant the attacker could bypass conventional security checkpoints that would typically flag large unauthorized transfers.
The attack exposes a critical weakness in the neobank model: when a platform’s entire financial infrastructure is governed by code, any compromise of administrative access to that code can have catastrophic consequences. Traditional banks employ multiple layers of human oversight, physical security, and regulatory compliance checks that can intercept suspicious activity. Neobanks, by contrast, often prioritize speed and convenience, sometimes at the expense of robust access controls.
The Mitigation Strategy
In the immediate aftermath of the breach, Infini adopted a dual-track response. First, the company publicly offered the hacker a deal: return the stolen funds within 48 hours and keep 20% as a “white hat” bounty, or face legal action and aggressive asset recovery efforts. This approach, while unconventional, has precedent in the crypto industry — several high-profile hacks have been partially resolved through similar negotiations.
Second, Infini began working with blockchain forensic firms to trace the movement of stolen ETH across the blockchain. Given that every Ethereum transaction is publicly recorded, there is an inherent transparency that makes it difficult for attackers to move large sums without detection. The effectiveness of this tracing depends on how quickly the attacker attempts to launder the funds through mixing services or cross-chain bridges.
Lessons Learned
The Infini hack underscores several critical security principles that every crypto platform — and its users — should internalize. First, access revocation must be immediate and comprehensive when any team member departs. This includes not just primary credentials but also secondary access points, API keys, and smart contract administrative roles. Second, smart contract platforms should implement multi-signature controls that require multiple authorized parties to approve significant transactions. A single developer should never have unilateral power to drain platform funds.
Third, the incident highlights the importance of regular access audits. Platforms should maintain real-time inventories of who has access to what systems and conduct periodic reviews to ensure that departed personnel have been fully removed. Automated deprovisioning workflows can help eliminate the human error factor that led to the Infini breach.
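The access audit described above can be sketched as a reconciliation between on-chain role holders and the personnel roster. This is an added example, not Infini's code: the event shape is modeled on the RoleGranted/RoleRevoked events of OpenZeppelin's AccessControl (an assumption, since the article does not describe Infini's contract interface), and the addresses, role names and roster are constructed.

```python
from datetime import date

# Constructed sample data: role events decoded from contract logs, modeled on
# RoleGranted/RoleRevoked in OpenZeppelin AccessControl (an assumption; the
# article does not describe Infini's contract interface).
EVENTS = [
    {"block": 100, "idx": 0, "kind": "RoleGranted", "role": "ADMIN", "account": "0xAAA1"},
    {"block": 120, "idx": 2, "kind": "RoleGranted", "role": "ADMIN", "account": "0xbbb2"},
    {"block": 150, "idx": 1, "kind": "RoleGranted", "role": "WITHDRAWER", "account": "0xbbb2"},
    {"block": 300, "idx": 0, "kind": "RoleRevoked", "role": "ADMIN", "account": "0xBBB2"},
    {"block": 310, "idx": 0, "kind": "RoleGranted", "role": "ADMIN", "account": "0xccc3"},
]

# Constructed HR roster: address -> (owner, departure date or None if active).
ROSTER = {
    "0xaaa1": ("ops-multisig", None),
    "0xbbb2": ("dev-b", date(2024, 12, 31)),
}

def current_holders(events):
    """Replay grant/revoke events in chain order; return {role: set(addresses)}."""
    holders = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["idx"])):
        members = holders.setdefault(ev["role"], set())
        account = ev["account"].lower()  # hex addresses are case-insensitive
        if ev["kind"] == "RoleGranted":
            members.add(account)
        elif ev["kind"] == "RoleRevoked":
            members.discard(account)
    return holders

def audit(events, roster, today):
    """Return sorted findings (role, address, reason) for stale or unowned access."""
    findings = []
    for role, members in current_holders(events).items():
        for account in members:
            if account not in roster:
                findings.append((role, account, "no owner on record"))
                continue
            owner, departed = roster[account]
            if departed is not None and departed <= today:
                findings.append((role, account, f"{owner} departed {departed}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(EVENTS, ROSTER, date(2025, 2, 24)):
        print(finding)
```

In the sample data the departed developer's ADMIN role was revoked but a secondary WITHDRAWER role was not, which is the partial-revocation case the audit is meant to catch, alongside a role holder with no owner on record.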
User Action Required
For users of neobank platforms and DeFi services, this incident serves as a reminder to evaluate the security infrastructure of any platform holding your funds. Look for platforms that publicly disclose their security practices, use multi-signature wallets, conduct regular third-party audits, and maintain transparent access control policies. In a market where Bitcoin was trading at $91,418 and the total crypto market cap exceeded $3 trillion on this date, the stakes for security have never been higher.
17,696 ETH converted within hours of the exploit. the ex dev had the exit strategy planned before the last day of employment
access_audit_ that's the part that scares me. not a hack, not a bug. just a guy with credentials nobody bothered to revoke
former dev kept admin access after leaving? that's not a hack that's an HR failure. $49.5m gone because nobody rotated credentials
the crazy part is this is preventable for basically zero cost. automated offboarding for contract permissions should be table stakes
table stakes is right. AWS has automated this for IAM roles for years. a neobank handling $50M in crypto not having equivalent access controls is negligence
the HR failure take is spot on. every startup I worked at had at least one ghost admin account floating around
converted to 17,696 ETH immediately. attacker knew exactly what they were doing, this was planned well before departure
hong kong based stablecoin neobank, wonder if there's any regulatory path to recovery or if the ETH is already mixed and gone
insider threats are the one attack vector you literally cannot patch with code. culture and process have to change
you can patch code, rotate keys, upgrade contracts. you cannot patch a culture that treats developer offboarding as optional