Hong Kong-based fintech startup Infini extends white hat offer to $49.5M hacker

Infini has extended a white hat offer to the threat actor who got away with $49.5M in an exploit about 168 days ago. Now, the company claims it would halt all tracking efforts and legal action on the condition that the exploiter returns 80% of the stolen funds. 

20% of that amount would have netted the hacker a still considerable $9.9M. However, as of publication, the hacker has not accepted it. The offer is set to expire August 13, 2025, 20:00 GMT+8, which is why the news is now making rounds on the internet again.

Hacker has less than 50 hours before they face legal consequences

Infini founder Christian Li has received commendation for his professionalism and empathy since the incident, reassuring the community that the team is actively investigating and tracking the incident. He also maintained that user withdrawals remain unaffected, and full compensation will be issued in the worst-case scenario.

Christian also later revealed that the suspected hacker’s computer had been located and reported to the police.

In a blockchain message, Infini informed the hacker they are “closely monitoring the address involved and are prepared to take immediate action to freeze any stolen funds if necessary.”

“In an effort to resolve this matter amicably, we are willing to offer you 20% of the stolen assets should you choose to return the funds,” it urged.

In February, Infini gave the perpetrator 48 hours to “facilitate a swift resolution,” promising that a failure to respond would force it to continue its investigation in collaboration with law enforcement.

The offer went ignored and a second message was sent on March 4, 2025, reiterating the white-hat offer, acknowledging the skills it took to pull off the exploit and urging them to return the funds.

Infini issued its latest and presumably final ultimatum on August 11, 2025, giving the hacker until August 13, 2025, 20:00 GMT+8 to return the entire $49.5 million.

Should the hacker agree, Infini says they can keep any profits as a white-hat bounty and receive written assurance of no further legal action. However, failure to comply would trigger legal consequences, as it has already filed a lawsuit in Hong Kong against developer Chen Shanxuan and three unidentified individuals linked to the exploit.

How the original exploit happened

The exploit reportedly happened on February 24, costing Infini $49M in $USDC. Reports claim that the perpetrators abused administrative privileges they had secretly retained.

The attacker, operating from 0xc49b5e5b9da66b9126c1a62e9761e6b2147de3e1, initially developed the contract as part of the Infini project.

However, after delivering, they secretly kept the rights and about a hundred days later, funded their address via Tornado Cash, sent a small ETH transaction for gas, and exploited the contract—draining the $49.5 million in two batches, 11,455,666 USDC and 38,060,996 USDC.

The exploit followed the Bybit hack, which saw the second-largest cryptocurrency exchange by trading volume, lose its Ether cold wallet to a hacker who made off with nearly $1.5 billion in what was tagged crypto’s largest exploit.

The neobank’s founder, Christian Li, has vowed to cover the full loss from his personal funds and has taken responsibility for the incident.

Now that time is almost up, many eyes are on the situation, waiting to see if the hacker will take the offer or remain stubborn until the very end.