"This is a regular process we do in every due diligence when it comes to banks,we try to understand how their internal processes work,how they make sure they don't get sued or fined by the government,"he said.

"Xinja didn't even notice spoofed or virtual numbers. It was easy to create accounts."

Mr de la Torre said his team also identified"issues that were deeply wrong"with Xinja's technology architecture,particularly in the Android version of the app.

"This critical flaw would have allowed threat actors to easily create a sophisticated attack and to operate in textbook style,"he said."We are confident that an attacker would have been able to hack into client accounts and possibly transfer money."

Xinja claims it never granted Defensury access to its systems to conduct a review,adding the neobank had suffered no known technology breaches.

"Xinja's technology,as part of the process of holding an ADI[authorised deposit-taking institution] has undergone extensive independent'fit for purpose'assessments. Xinja ran weekly automated penetration testing and at regular intervals conducted third-party penetration testing,"a spokesman said.

Xinja announced in March it had reached a deal with Emirati-owned World Investments,with $160 million to be invested"immediately"and the balance transferred over a two-year period.

However,the money is yet to materialise andXinja's shares could now be worthless as the neobank became thefirst Australian institution to return all customer deposits on Tuesday.

The deal is under investigation by an anonymous group claiming to be linked to a US law firm,that is offering cash rewards of up to $1 million for insider information on Xinja,World Investments or First Penny Investments chief executive Michael Gale,a serial entrepreneur celebrated for brokering the deal.

A spokeswoman for the anonymous group said the team was employed by a private individual interested in suing one or multiple parties involved in the deal and that its appeal for information had already yielded enough evidence for a lawsuit in Australia and the US.

"Our client lost a significant amount of money in a past transaction that is linked to individuals involved in the Xinja deal,"the spokeswoman said in an email."Our client recognised a certain pattern in the Xinja deal and wants to put an end to the'scheme'."

This masthead does not suggest Mr Gale was one of those individuals.

Mr Gale said he had not been contacted by the anonymous group or Defensury and believed both were illegitimate outfits attempting to blackmail First Penny and Xinja.

"I believe that any licensed investigator or class action law firm is required to correctly identify itself as part of their licensing conditions,"he said."I am very certain that they have not collected any information or have any intention of filing a lawsuit. No party has suffered any loss at this point in time."

Mr Gale said it was unlikely that World Investments would hire a small company like Defensury to conduct due diligence."And surely in the security business you would never breach the confidentiality of your clients as that would be your last client. So I simply don’t credit that."

Xinja said the last formal interaction the company had with World Investments was in September when the"fund establishment agreement"was updated and re-signed by all parties.