Earning Millions Annually Yet Obsessed with Contracts: Did the "Insider" Stage a $50 Million Theft?
TechFlow Selected TechFlow Selected
Earning Millions Annually Yet Obsessed with Contracts: Did the "Insider" Stage a $50 Million Theft?
He was once an exchange technical engineer earning millions annually, but became addicted to 100x leverage contract gambling and ruined everything.
Navigating Web3 tides with focused insightsBy: 1912212.eth, Foresight News
On March 20, blockchain data platform Etherscan showed that the team behind stablecoin digital bank Infini had sent a legal notice via on-chain message to a hacker address (0xfc...6e49), attaching detailed court litigation documents. The case involves the theft of 49.51 million USDC, drawing widespread attention across the industry.
The plaintiff is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a wholly-owned subsidiary of Infini Labs. One of the defendants is Chen Shanxuan (Chinese name: 陈善轩), an engineer based in Foshan, Guangdong, China, while the identities of the other two to four defendants remain unconfirmed.
Infini was hacked at the end of February—could suspects really be identified just one month later? What is the truth behind this?
Retained Admin Privileges and Massive Fund Theft
According to the lawsuit, Infini is a digital bank integrating cryptocurrency and traditional financial services, offering core products such as USDC-based payment solutions, high-yield accounts, and crypto cards. Plaintiff Chou Christian-Long stated in the filing that Infini collaborated with BP Singapore to develop a smart contract for securely storing and transferring company and customer funds. The contract was primarily written by first defendant Chen Shanxuan and implemented a multi-signature mechanism requiring approvals from multiple authorized personnel for any fund transfers, thereby enhancing security.
However, a dramatic twist occurred after the contract went live on the mainnet. The lawsuit alleges that during deployment, Chen secretly retained super-admin privileges and falsely informed other team members that these permissions had been removed or transferred.
On February 24, the plaintiff discovered approximately 49.51 million USDC were unauthorizedly withdrawn from the fund pool and sent to several unknown wallet addresses without multi-sig verification. Preliminary investigation revealed the stolen funds were subsequently converted into DAI, quickly used to purchase 17,696 ETH, and then dispersed across multiple addresses—some of which trace back to the privacy tool Tornado Cash.
A Well-Regarded Engineer Earning Millions Annually, Ruined by 100x Leverage Gambling
The lawsuit reveals that first defendant Chen Shanxuan was employed by BP Singapore, a subsidiary of Infini, but worked remotely from Foshan, Guangdong Province, China. As the lead developer of the smart contract, Chen held critical system privileges. Despite his short tenure, he was granted the role of super-administrator over the fund management contract—a position giving him absolute control. Industry insiders suggest that Infini’s negligence in permission allocation may have been the trigger for the incident.
In addition, the plaintiff’s sworn statement indicates that Chen Shanxuan has a severe gambling addiction, possibly leading to massive debts. Attached screenshots show messages where Chen admits to having “ruined everything,” expressing despair about life and saying he sometimes wishes it would all just end, that living is too exhausting.
The plaintiff speculates that gambling-related debt may have been Chen’s primary motive. According to Colin Wu, Chen was once seen as a model technical employee who shared knowledge openly within exchange circles. Despite earning millions annually, he kept borrowing money from various people, opened 100x leverage positions, and accumulated growing online loans—eventually spiraling out of control. However, Chen’s true motivations still await further judicial investigation.
Hong Kong Court to Hold Hearing on March 27
The case's development could unfold across multiple dimensions. The plaintiff’s immediate goal is to freeze the stolen assets and recover losses. The Hong Kong court has accepted the case and scheduled a hearing for 9:30 AM on March 27, 2025, presided over by Judge Lok, to review a proposed injunction. If Chen or other defendants fail to appear, the court may issue a ruling in absentia.
While blockchain transparency facilitates asset tracking, recovery becomes significantly harder if hackers launder funds through mixing services like Tornado Cash. Previously, Infini issued on-chain warnings to the hacker, stating that around $43 million in funds had already been frozen. However, if remaining assets are transferred to unregulated addresses, prospects for full recovery grow dim.
Chen’s personal situation also draws significant attention—he may face criminal charges under both Hong Kong and Singapore legal systems. If his gambling debts are confirmed, authorities may launch deeper investigations into his financial sources and potential links to other crimes. Some analysts suggest that if Chen has already been detained, the case could accelerate toward trial.
Summary
The Infini theft is not an isolated incident. Early in 2025, the cryptocurrency industry saw a string of security breaches—including Bybit’s $1.4 billion hack on February 21—highlighting persistent vulnerabilities amid rapid growth. Since its launch in 2024, Infini attracted many users with its innovative stablecoin payment services and high-yield offerings, yet this event exposed serious weaknesses in internal management and technical oversight.
Blockchain security experts analyze that if the allegations prove true, Chen Shanxuan’s actions represent a classic insider attack. Infini failed to implement adequate decentralized safeguards before launching the smart contract—such as multi-sig wallets, timelocks, or third-party audits—which contributed directly to the breach. An industry insider commented: "Entrusting such critical permissions to a newly hired remote employee without strict supervision—Infini’s management bears undeniable responsibility."
The Infini vs. Chen case serves as another stark wake-up call for the industry. As blockchain technology becomes increasingly embedded in finance, founders must confront crucial questions: How should permission controls be structured? How can audit and cross-verification processes be strengthened? How do we prevent rogue actors from gaining excessive control? And how much focus should go toward building zero-trust architectures?
As the litigation progresses, more details will likely emerge, potentially revealing the full truth behind Chen’s alleged theft.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
Foresight News
