Original author: 1912212.eth, Foresight News
On March 20, blockchain data platform Etherscan showed that the team behind the stablecoin digital bank Infini had sent a lawsuit notice to a hacker address (0xfc…6e49) through an on-chain message, with detailed court litigation documents attached. The case involves the theft of assets as high as 49.51 million USDC and has attracted widespread attention in the industry.
The plaintiff in the lawsuit is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a wholly-owned subsidiary of Infini Labs. One of the defendants is Chen Shanxuan, an engineer based in Foshan, Guangdong, China. The identities of the other two to four defendants have not yet been confirmed.
Infini was robbed at the end of February this year, yet the suspect has been officially identified just one month later. What is the truth?
Administrator privileges secretly retained, and a huge sum stolen
According to the lawsuit, Infini is a digital bank that combines cryptocurrency and traditional financial services. Its core business includes providing payment solutions, high-yield accounts and cryptocurrency card services through the stablecoin USDC. Plaintiff Chou Christian-Long stated in the document that Infini worked with BP Singapore to develop a smart contract to manage the secure storage and transfer of company and customer funds. The contract was written by the first defendant, Chen Shanxuan, and was designed with a multi-signature mechanism so that any fund transfer had to be approved by multiple authorized personnel, thereby improving the security of funds.
However, things took a dramatic turn after the smart contract was launched on the mainnet. The lawsuit stated that Chen privately retained the super administrator privileges during the contract deployment process and lied to other team members that the privileges had been removed or transferred.
On February 24, the plaintiff discovered that approximately 49.51 million USDC had been transferred out of the fund pool without authorization, and that the funds had flowed to multiple unknown wallet addresses without multi-signature verification. According to a preliminary investigation, these funds were subsequently exchanged for DAI, which was quickly used to purchase 17,696 Ethereum (ETH). The ETH was eventually dispersed to multiple addresses, some of which could be traced back to the privacy tool Tornado Cash.
A highly praised engineer earning a million dollars a year messes everything up by gambling on contracts
The lawsuit documents revealed that the first defendant, Chen Shanxuan, was employed by BP Singapore, a subsidiary of Infini, but his main workplace was in Foshan City, Guangdong Province, China, and he worked remotely. As the main developer of the smart contract, Chen had core authority in the project. The documents pointed out that although he had not been with the company for long, he was given the role of super administrator of the fund management contract, which gave him absolute control over the contract. Industry insiders analyzed that Infini's negligence in the allocation of authority may have been the trigger for this incident.
In addition, the plaintiff mentioned in the affidavit that he recently learned that Chen Shanxuan had a serious gambling habit and might have been in huge debt. The document included several screenshots of message records, in which Chen confessed in conversations with others that he had messed up everything and expressed despair about life, saying that sometimes he really wanted to end it all and that life was too tiring.
The plaintiff speculated that gambling debts may be the main motive for Chen to steal assets. According to Colin Wu, Chen was previously held up as a model among the exchange's technical staff for sharing knowledge. Although he earned millions a year, he continued to borrow money from various people, opened 100x contracts, and took out more and more online loans, eventually going down a road of no return. However, the lawsuit provides no further details on Chen's personal background, such as his education and work experience, and his true motives are still subject to further investigation by the court.
The Hong Kong court will hold a hearing on March 27
The subsequent development of this case may involve multiple levels. The plaintiff's primary goal is to freeze the stolen assets and recover the losses. The Hong Kong court has accepted the case and has scheduled a hearing before Judge Lok at 9:30 am on March 27, 2025, at which the injunction will be reviewed. If Chen or the other defendants do not appear in court, the court may make a ruling in absentia.
The transparency of blockchain facilitates asset tracking, but if hackers launder funds through mixing services (such as Tornado Cash), the funds become much more difficult to recover. Previously, Infini warned the hackers through on-chain messages and said that part of the funds (about $43 million) had been frozen. However, if the remaining funds are transferred to an unregulated address, the hope of recovery will become slim.
In addition, Chen's own situation has also attracted much attention. He may face criminal charges under the legal systems of Hong Kong and Singapore. If his gambling debt problem is true, the police may further investigate the source of his funds and whether he is involved in other criminal activities. Some analysts pointed out that if Chen has been detained, the case may be accelerated to the trial stage.
Multi-signature wallet permission settings leave hidden dangers
The theft from Infini is not an isolated case. In early 2025, the cryptocurrency industry suffered a series of security incidents, such as the $1.4 billion hack of the Bybit exchange on February 21, which highlighted the security risks that still exist in the industry during its rapid development. Since its launch in 2024, Infini has attracted a large number of users due to its innovative stablecoin payment services and high-yield products. However, this incident exposed the weaknesses of its internal management and technical audit.
Blockchain security experts analyzed that if the allegations in the lawsuit are true, Chen Shanxuan's behavior is a typical internal attack. Infini's failure to implement sufficient decentralized safeguards before the smart contract went online, such as multi-signature wallets, time lock mechanisms, or third-party audits, was an important reason for the incident. An industry insider commented: "Infini's management is to blame for handing such important authority to a new remote employee without strict supervision."
The Infini v. Chen case once again sounded the alarm for security in the industry. As blockchain technology is increasingly integrated into the financial system, how to set up permission management, audit and cross-validation, how to keep reckless contract traders from holding important permissions, and how to invest in zero-trust architecture are all important issues that founders have to face.
As the lawsuit progresses, more details of the case may come to light, and the full truth behind Chen's theft may be revealed.
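The cross-validation of permissions discussed above can be done from chain data instead of a developer's word. The following is an added example, not code from Infini or the lawsuit: it assumes the contract emits OpenZeppelin-style `RoleGranted`/`RoleRevoked` events (the article does not say which access-control scheme was used), and every address, role ID and event is constructed.

```python
# Added example: replay role events to find who still holds a role after deployment.
# Assumption: OpenZeppelin-style AccessControl events. All values below are constructed.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32   # AccessControl's admin role ID
OPERATOR_ROLE = "0x" + "11" * 32        # placeholder role ID (hypothetical)
MULTISIG = "0x" + "aa" * 20             # constructed: the approved multi-signature wallet
DEPLOYER = "0x" + "bb" * 20             # constructed: the developer's deployment key

# Constructed log. The only revoke touches OPERATOR_ROLE, so a reviewer who merely
# sees "a RoleRevoked for the deployer" could wrongly conclude admin was given up.
EVENTS = [
    {"block": 100, "idx": 0, "event": "RoleGranted", "role": DEFAULT_ADMIN_ROLE,
     "account": "0x" + "BB" * 20},      # same deployer address, different letter case
    {"block": 100, "idx": 1, "event": "RoleGranted", "role": OPERATOR_ROLE, "account": DEPLOYER},
    {"block": 101, "idx": 0, "event": "RoleGranted", "role": DEFAULT_ADMIN_ROLE, "account": MULTISIG},
    {"block": 102, "idx": 0, "event": "RoleRevoked", "role": OPERATOR_ROLE, "account": DEPLOYER},
]

def current_holders(events):
    """Replay grants and revokes in chain order; return {role: set(accounts)}."""
    holders = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["idx"])):
        members = holders.setdefault(ev["role"].lower(), set())
        account = ev["account"].lower()
        if ev["event"] == "RoleGranted":
            members.add(account)
        elif ev["event"] == "RoleRevoked":
            members.discard(account)
    return holders

def unexpected_holders(events, expected):
    """Return {role: [accounts]} for holders outside the approved set for that role."""
    approved = {r.lower(): {a.lower() for a in accts} for r, accts in expected.items()}
    findings = {}
    for role, members in current_holders(events).items():
        extra = sorted(members - approved.get(role, set()))
        if extra:
            findings[role] = extra
    return findings

# Policy: only the multisig may hold admin; nobody should hold the operator role.
EXPECTED = {DEFAULT_ADMIN_ROLE: {MULTISIG}, OPERATOR_ROLE: set()}

if __name__ == "__main__":
    for role, accounts in unexpected_holders(EVENTS, EXPECTED).items():
        print(f"role {role}: unexpected holders {accounts}")
```

Event replay only covers roles that emit these events, so confirm the result with a direct `hasRole` read and check any separate owner or upgrade-admin address the contract keeps.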