Annual income of one million yet indulging in contracts: "Insider" orchestrates a $50 million theft?

Author: 1912212.eth, Foresight News

On March 20, the blockchain data platform Etherscan showed that the stablecoin digital bank Infini team sent a lawsuit notice to a hacker address (0xfc…6e49) via on-chain message, along with detailed court documents. The case involves the theft of assets amounting to as much as 49.51 million USDC, attracting widespread attention in the industry.

The plaintiff in the lawsuit is Chou Christian-Long, the CEO of BP SG Investment Holding Limited, a wholly-owned subsidiary of Infini Labs. One of the defendants is Chen Shanxuan, an engineer based in Foshan, Guangdong, China (Chinese name: 陈善轩), while the identities of the other two to four defendants remain unconfirmed.

Infini was hacked at the end of February this year, and just a month later, have the suspects been formally identified? What is the truth behind this incident?

Unauthorized Retention of Admin Privileges and Massive Fund Theft

According to the lawsuit documents, Infini is a digital bank that combines cryptocurrency with traditional financial services, with core businesses including providing payment solutions, high-yield accounts, and cryptocurrency card services through the stablecoin USDC. Plaintiff Chou Christian-Long stated in the documents that Infini collaborated with BP Singapore to develop a smart contract for the secure storage and transfer of company and client funds. The contract was primarily written by the first defendant, Chen Shanxuan, who designed a multi-signature mechanism to ensure that any fund transfers required approval from multiple authorized personnel, thereby enhancing fund security.

However, things took a dramatic turn after the smart contract went live on the mainnet. The lawsuit claims that Chen retained super admin privileges during the contract deployment process and falsely told other team members that these privileges had been removed or transferred.

On February 24, the plaintiff discovered that approximately 49.51 million USDC had been transferred out of the fund pool without authorization, flowing to multiple unknown wallet addresses and without multi-signature verification. Preliminary investigations revealed that these funds were subsequently exchanged for DAI and quickly used to purchase 17,696 Ethereum (ETH), which were ultimately dispersed to multiple addresses, with some of the funds traceable to the privacy tool Tornado Cash.

Highly Rated Engineer Earns Millions but Ruins Everything with 100x Contract Gambling

The lawsuit documents reveal that the first defendant, Chen Shanxuan, was employed by Infini's subsidiary BP Singapore, but primarily worked remotely from Foshan, Guangdong Province, China. As the main developer of the smart contract, Chen held core privileges in the project. The documents indicate that despite his short tenure with the company, he was granted the role of super admin for the fund management contract, which gave him absolute control over the contract. Industry insiders analyze that Infini's negligence in privilege allocation may have been the catalyst for this incident.

Additionally, the plaintiff mentioned in the affidavit that they recently learned of Chen Shanxuan's severe gambling habits, which may have led him to accumulate massive debts. The documents included several screenshots of message records, in which Chen admitted to ruining everything in conversations with others and expressed feelings of despair about life, stating that sometimes he just wanted to end it all because living was too exhausting.

The plaintiff speculates that gambling debts may be the primary motive behind Chen's theft of assets. According to Colin Wu, Chen was previously a model employee at an exchange, sharing knowledge with others. Despite earning millions, he continuously borrowed money from various people, engaged in 100x contracts, and accumulated more and more online loans, ultimately leading him down a path of no return. However, the lawsuit has not provided more details about Chen's specific personal background, such as his educational history and work experience, and his true motives remain to be further investigated by the court.

Hong Kong Court to Hold Hearing on March 27

The subsequent developments in this case may involve multiple aspects. The plaintiff's primary goal is to freeze the stolen assets and recover losses. The Hong Kong court has accepted the case and plans to hold a hearing at 9:30 AM on March 27, 2025, presided over by Judge Lok, during which the injunction will be reviewed. If Chen or other defendants fail to appear in court, the court may make a ruling in their absence.

The transparency of blockchain facilitates asset tracking, but if hackers launder funds through mixing services (such as Tornado Cash), the difficulty of recovery will significantly increase. Previously, Infini had warned the hacker via on-chain messages and stated that it had frozen part of the funds (approximately $43 million). However, if the remaining funds are transferred to unregulated addresses, the hope of recovery will become bleak.

Moreover, Chen's own situation is also under scrutiny, as he may face criminal charges under the legal systems of Hong Kong and Singapore. If his gambling debt issues are confirmed, the police may further investigate the source of his funds and whether they are involved in other criminal activities. Some analysts pointed out that if Chen has already been detained, the case may accelerate into the trial phase.

Multi-Signature Wallet Privilege Settings Leave Hidden Risks

The theft incident at Infini is not an isolated case. In early 2025, the cryptocurrency industry experienced a series of security incidents, such as the $1.4 billion hack at Bybit exchange on February 21, highlighting the security risks that still exist in the rapidly developing industry. Since its launch in 2024, Infini has attracted a large number of users due to its innovative stablecoin payment services and high-yield products; however, this incident has exposed weaknesses in its internal management and technical review processes.

Blockchain security experts analyze that if the lawsuit's allegations are true, Chen Shanxuan's actions constitute a typical internal attack. Infini's failure to implement adequate decentralization safeguards, such as multi-signature wallets, time-lock mechanisms, or third-party audits before the smart contract went live, is a significant reason for the incident. An industry insider commented, "Entrusting such important privileges to a newly hired remote employee without strict oversight, Infini's management cannot escape responsibility."

The lawsuit against Chen serves as a wake-up call for the industry regarding security. As blockchain technology increasingly integrates into the financial system, how to set up privilege management, auditing, and cross-verification, avoid allowing contract players to hold important privileges, and focus efforts on a zero-trust architecture are all critical issues that founders must face.

As the lawsuit progresses, more details of the case may come to light, potentially revealing the complete truth behind Chen's theft.