Christian Li, the founder of the stablecoin digital bank Infini, left the hacker another message in a blockchain transaction, reinstating the white-hat agreement and 20% bounty of the stolen funds. Li transferred 0.1 ETH to the hacker’s address, who was responsible for stealing $49.5 million from Infini’s wallets. In the message accompanying the transaction , Christian acknowledged the hacker’s skill in identifying vulnerabilities in the neobank’s protocol and proposed a white-hat agreement, offering the hacker 20% of the stolen assets as a bounty. Furthermore, he assured the hacker that no legal action would be taken if they comply and return the funds. Source: Etherscan This is the second message Infini sent the hacker in a blockchain transaction. On Feb. 24, the day when the hack occured, Infini warned the hacker, stating that they were monitoring the address in question and were prepared to take action and freeze the stolen funds if necessary. They also offered a 20% bounty for the return of the stolen assets, giving the hacker 48 hours to respond and stating that failure to do so would result in continued investigation with law enforcement. Important update: We’ve identified critical info regarding the exploit and we’re monitoring involved addresses. pic.twitter.com/xqZwRYg4CS — Infini (@0xinfini) February 24, 2025 You might also like: Feature Are the Tornado Cash developers guilty? The hacker stole $49.5 million from Infini’s wallets. Just days before the hack, Infini announced it had reached $50 million in total value locked. CertiK first identified suspicious activity on Feb. 24, noting unauthorized transfers from an Infini-related contract on Ethereum. The hacker gained special access to the account “0xc49b…” and withdrew 49.5 million USD Coin ( USDC ). The stolen funds were exchanged for Dai ( DAI ) and used to purchase 17,696 Ethereum ( ETH ). Lookonchain later reported that the Ethereum was moved to a new wallet, “0xfcc8…6e49.” Following the hack, Infini’s co-founder assured customers that they would be reimbursed. According to Cyvers , the exploit occurred because a developer who helped set up the smart contract retained admin rights. Three months later, the developer used these rights to drain the funds to a wallet funded through the crypto mixer Tornado Cash . As such, the breach appears to have been caused by a compromised private key as opposed to to a vulnerability in the wallet infrastructure, as was the case with Bybit’s hack . 🚨ALERT🚨Today, @0xinfini suffered a $49M $USDC exploit due to an attacker abusing retained administrative privileges. The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, had initially developed the contract as part of the Infini project. However, after… pic.twitter.com/olguOyNCJr — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 24, 2025 You might also like: Infini neobank reportedly suffers a $49.5M hack
