The money is moving. The security infrastructure is not keeping up.
Over the last 90 days, six blockchain-native neobanks collectively raised over $200 million. Stablecoin-powered banking platforms. Crypto debit cards linked to self-custodial wallets. Cross-border payment rails. These are not whitepaper experiments. They are live financial products with real user deposits and real regulatory exposure.
And almost none of them have a dedicated security leader.
A crypto neobank is not a DeFi protocol. It is not a centralized exchange. It sits at the intersection of both and inherits the risks of each. Smart contracts holding stablecoin balances on one side. KYC data stores, card issuer APIs, and customer PII on the other.
A smart contract audit covers a narrow slice of the first half. Nobody is looking at the whole picture. That gap has already cost the industry.
In February 2025, Infini, a stablecoin-focused neobank based in Hong Kong, lost $49.5 million in a single attack. Not a zero-day. Not a nation-state intrusion. A developer who had built part of the platform’s smart contracts quietly retained administrative privileges after their engagement ended.
For over 100 days, that access sat dormant. Then, in two transactions, $49.5M in USDC was drained, converted to ETH, and routed through Tornado Cash.
QuillAudits analyzed the exploit, with findings published in Decrypt. The root cause: compromised access and privilege escalation. A special contract role that allowed vault withdrawals. Nobody had revoked it. Nobody had checked.
The founder described it plainly: negligence during authority transfer. Not a code problem. A governance problem.
Five attack vectors sit permanently exposed in most crypto neobanks without dedicated security leadership: privileged access that survives offboarding, smart contract upgrade paths with no governance controls, custody infrastructure with no key rotation, third-party integrations with no security requirements, and social engineering campaigns targeting the humans with privileged access.
None of these is a defect in the contract code itself, and none falls inside the scope of a smart contract audit. An auditor checks what the code allows; nobody checks who still holds the keys that the code trusts.
A CISO is not a compliance checkbox. In a crypto neobank, the role owns access governance, incident response planning, third-party security reviews, and continuous threat modeling. It is the function that would have revoked Infini’s developer privileges the day that developer was offboarded, not 100 days later.
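The check that would have caught the Infini case is mechanical: replay the contract’s role grants and revocations, compare the live holders against the offboarding roster, and flag anything that survived offboarding or has sat unused for months. The script below is an added example written for this post, not QuillAudits’ tooling or Infini’s code. It assumes OpenZeppelin-style RoleGranted/RoleRevoked events (in practice pulled from an indexer or node), and every address, role, date and roster entry in it is constructed for illustration.

```python
"""Access reconciliation for privileged on-chain roles.

Replays a stream of RoleGranted / RoleRevoked events (the shape emitted by
OpenZeppelin-style AccessControl contracts) against an offboarding roster
and flags privileged roles that survived offboarding, sit dormant past a
threshold, or belong to an account nobody owns. All data below is
constructed for illustration; none of it is real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRANTED, REVOKED = "RoleGranted", "RoleRevoked"


def utc(year, month, day):
    """Timezone-aware UTC timestamp helper (events carry block timestamps)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed event log: (event, role, account, block timestamp). Not real addresses.
EVENTS = [
    (GRANTED, "DEFAULT_ADMIN_ROLE", "0xFounder", utc(2024, 9, 1)),
    (GRANTED, "VAULT_WITHDRAW_ROLE", "0xContractor", utc(2024, 9, 15)),
    (GRANTED, "VAULT_WITHDRAW_ROLE", "0xTreasuryOps", utc(2024, 10, 1)),
    (REVOKED, "VAULT_WITHDRAW_ROLE", "0xTreasuryOps", utc(2024, 12, 1)),
]

# Constructed offboarding roster: account -> offboarding date, None = still engaged.
ROSTER = {
    "0xFounder": None,
    "0xContractor": utc(2024, 11, 10),
    "0xTreasuryOps": utc(2024, 11, 30),
}

# Constructed record of when each account last exercised a privileged function.
LAST_PRIVILEGED_USE = {
    "0xFounder": utc(2025, 2, 10),
    "0xContractor": utc(2024, 10, 20),
}


@dataclass(frozen=True)
class Finding:
    account: str
    role: str
    reason: str   # "survived_offboarding" | "dormant" | "unmapped"
    detail: str


def current_holders(events):
    """Replay grants and revokes in block order; return {(role, account): granted_at}."""
    held = {}
    for kind, role, account, ts in sorted(events, key=lambda e: e[3]):
        key = (role, account)
        if kind == GRANTED:
            held[key] = ts
        elif kind == REVOKED:
            held.pop(key, None)
    return held


def reconcile(events, roster, last_use, now, dormancy=timedelta(days=90)):
    """Cross-check live role holders against HR state and recent activity."""
    findings = []
    for (role, account), granted_at in current_holders(events).items():
        if account not in roster:
            findings.append(Finding(account, role, "unmapped",
                                    "no roster entry: nobody owns this key"))
            continue
        left = roster[account]
        if left is not None and left <= now:
            findings.append(Finding(account, role, "survived_offboarding",
                                    f"held {(now - left).days} days after offboarding"))
        # A role never exercised since it was granted counts as dormant from the grant.
        last = last_use.get(account, granted_at)
        if now - last > dormancy:
            findings.append(Finding(account, role, "dormant",
                                    f"unused for {(now - last).days} days"))
    return sorted(findings, key=lambda f: (f.account, f.role, f.reason))


def run_constructed_example(now=utc(2025, 2, 24)):
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(EVENTS, ROSTER, LAST_PRIVILEGED_USE, now)


if __name__ == "__main__":
    for f in run_constructed_example():
        print(f"{f.reason:22} {f.role:20} {f.account:14} {f.detail}")
```

Run as a scheduled job, this turns "nobody had checked" into a daily report: the constructed contractor surfaces twice, once because the withdraw role outlived the engagement and once because it has been idle for over 90 days, which is exactly the pattern the incident above describes. The revoked treasury grant correctly produces nothing, and an address that appears in no roster at all is flagged as an unowned key rather than silently passing.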
For protocols at the $10M to $100M stage, a full-time hire is not always realistic. QuillAudits’ vCISO service delivers that security leadership embedded in day-to-day operations, without the full-time overhead.
The team that investigated Infini in real time is the same team building this practice.
Funding is not a security posture. A vCISO is.
Want the full breakdown of all five attack vectors, the Infini case forensics, and how the vCISO model compares to a full-time hire? We covered it in detail.
Six crypto neobanks raised $200M in 90 days. None have a CISO. was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.