He earns one million yuan a year but is addicted to the contract: "Insider" directs and acts as a 50 million US dollar theft case?

Author: 1912212.eth, Foresight News

On March 20, blockchain data platform Etherscan showed that the Infini team of the stablecoin digital bank sent a lawsuit notice to a hacker address (0xfc…6e49) through on-chain messages, and attached detailed court litigation documents. This case involved asset theft of $49.51 million, which attracted widespread attention in the industry.

The plaintiff in the lawsuit is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a wholly-owned subsidiary of Infini Labs. One of the defendants is Chen Shanxuan (Chinese name Chen Shanxuan), an engineer based in Foshan, Guangdong, China. The identities of the remaining two to four defendants have not been confirmed.

Infini was stolen at the end of February this year, and the suspect has been officially identified after just one month? What is the truth?

Privately retain administrator rights and huge amounts of money theft

According to the lawsuit, Infini is a digital bank that combines cryptocurrencies with traditional financial services, and its core businesses include providing payment solutions, high-yield accounts and cryptocurrency card services through the stablecoin USDC. Infini and BP Singapore have developed a smart contract to manage the secure storage and transfer of funds from companies and customers, plaintiff Chou Christian-Long said in the filing. The contract was written by the first defendant Chen Shanxuan and designed a multi-signature mechanism to ensure that any funds are transferred out of the funds need to be approved by multiple authorized personnel, thereby improving the security of the funds.

However, things took a dramatic turn after the smart contract was launched on the main network. The lawsuit alleges that Chen privately retained the super administrator privileges during the contract deployment process and lied to other members of the team that the permission had been removed or transferred.

On February 24, the plaintiff discovered that about 49.51 million USDC was transferred from the fund pool without authorization, and the funds flowed to multiple unknown wallet addresses, and had not been verified by multiple signatures. After preliminary investigation, the funds were then redeemed for DAI and quickly purchased 17,696 Ethereum (ETH), which was eventually dispersed to multiple addresses, with some of the funds traced to the privacy tool Tornado Cash.

A highly praised engineer earns millions a year, indulges in a hundred

times contract gambling to mess up everything

The lawsuit documents revealed that the first defendant Chen Shanxuan was employed by Infini's subsidiary BP Singapore, but its main work location is in Foshan, Guangdong, China, and adopts a remote working model. As the main developer of smart contracts, Chen has core permissions in the project. The document states that although he has not been in the company for a long time, he has been given a super administrator role in fund management contracts, which gives him absolute control over the contract. Industry insiders analyzed that Infini's negligence in authority allocation may be the fuse of this incident.

In addition, the plaintiff mentioned in the affidavit that it was recently learned that Chen Shanxuan had serious gambling habits and may have been burdened with huge debts as a result. The document is accompanied by screenshots of the message record. Chen admitted in a conversation with others that he messed up everything and expressed his despair about life, saying that sometimes he really wants to end it all and is too tiring to live.

Based on this, the plaintiff speculated that gambling debts may be Chen's main motivation for theft of assets. According to Colin Wu, Chen was previously a model for exchange technicians to share knowledge. Although I earn one million yuan a year, I still continue to borrow money from all kinds of people and open 100 times contracts. There are more and more online loans, and eventually I will be on the road of no return. However, regarding Chen's specific personal background, such as educational experience, work resume, etc., no further details have been provided in the lawsuit, and his real motivation remains to be investigated further by court.

Hong Kong court will preside over the hearing on March 27

The subsequent development of this case may involve multiple levels. The plaintiff’s primary goal is to freeze the stolen assets and recover losses. The Hong Kong court has accepted the case and plans to preside over the hearing by Judge Lok at 9:30 am on March 27, 2025, at which time the injunction will be reviewed. If Chen or other defendants fail to appear in court, the court may make a decision in absentia.

The transparency of blockchain provides convenience for asset tracking, but if hackers clean up funds through currency mixing services (such as Tornado Cash), the difficulty of recovering will increase significantly. Previously, Infini had warned hackers on the chain and said that some of the funds had been frozen (about $43 million). However, if the remaining funds are transferred to an unregulated address, hopes of recovery will become slim.

In addition, Chen's own situation has also attracted much attention, and he may face criminal charges under the legal systems of Hong Kong and Singapore. If the gambling debt problem is true, the police may further investigate the source of his funds and whether it involves other criminal activities. Some analysts pointed out that if Chen has been detained, the case may be accelerated to enter the trial stage.

Multiple sign wallet permission setting has hidden dangers

Infini's theft is not an isolated case. At the beginning of 2025, there were successive security accidents in the cryptocurrency industry, such as the $1.4 billion hacking incident on Bybit Exchange on February 21, highlighting the security risks that the industry still has in its rapid development. Since its launch in 2024, Infini has attracted a large number of users due to its innovative stablecoin payment services and high-yield products. However, this incident has exposed the weak links of its internal management and technical audits.

Blockchain security experts analyzed that if the litigation allegations are true, Chen Shanxuan's behavior is a typical internal attack. Infini failed to implement sufficient decentralized safeguards before the smart contract was launched, such as signing multiple wallets, time lock mechanisms or third-party audits, which are important reasons for the incident. "Infini's management is to blame for giving such important authority to a newly-employed remote employee without strict supervision," an industry insider commented.

The Infini v Chen case once again sounded the industry's safety alarm. At a time when blockchain technology is increasingly integrated into the financial system, how to set up permission management, audit and cross-verification, avoid contract crazy players to master important permissions, allocate their energy to zero trust architecture, etc. are important issues that founders have to face.

As the lawsuit advances, more details of the case may surface, and the complete truth behind Chen's theft may be revealed.