Author: 1912212.eth, Foresight News

On March 20, the blockchain data platform Etherscan showed that the stablecoin digital bank Infini team sent a lawsuit notice to a hacker address (0xfc…6e49) via on-chain message, along with detailed court litigation documents. The case involves asset theft amounting to as much as 49.51 million USDC, attracting widespread attention in the industry.

The plaintiff in the lawsuit is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a wholly-owned subsidiary of Infini Labs. One of the defendants is engineer Chen Shanxuan (Chinese name 陈善轩), who resides in Foshan, Guangdong, China, while the identities of the other two to four defendants have yet to be confirmed.

Infini was hacked at the end of February this year, and just a month later, have they officially identified the suspects? What is the truth of the matter?

Unauthorized Retention of Admin Privileges and Massive Fund Theft

According to the lawsuit documents, Infini is a digital bank that combines cryptocurrency with traditional financial services, with core businesses including providing payment solutions, high-yield accounts, and cryptocurrency card services through the stablecoin USDC. Plaintiff Chou Christian-Long stated in the documents that Infini collaborated with BP Singapore to develop a smart contract for the secure storage and transfer of company and client funds. The contract was primarily written by the first defendant, Chen Shanxuan, who designed a multi-signature mechanism to ensure that any fund transfers required approval from multiple authorized personnel, thereby enhancing fund security.

However, a dramatic turn of events occurred after the smart contract went live on the mainnet. The lawsuit claims that Chen privately retained super admin privileges during the contract deployment process and falsely told other team members that he had removed or transferred those privileges.

On February 24, the plaintiff discovered that approximately 49.51 million USDC had been transferred out of the fund pool without authorization, flowing to multiple unknown wallet addresses and without multi-signature verification. Preliminary investigations revealed that these funds were subsequently exchanged for DAI and quickly used to purchase 17,696 Ethereum (ETH), ultimately dispersed to multiple addresses, some of which could be traced back to the privacy tool Tornado Cash.

Highly Regarded Engineer Earns Millions but Ruins Everything with 100x Contract Gambling

The lawsuit documents reveal that the first defendant, Chen Shanxuan, was employed by Infini's subsidiary BP Singapore, but his primary work location was in Foshan, Guangdong Province, China, working remotely. As the main developer of the smart contract, Chen held core permissions in the project. The documents indicate that although he had not been with the company long, he was granted the role of super admin for the fund management contract, which gave him absolute control over the contract. Industry insiders analyze that Infini's negligence in permission allocation may have been the trigger for this incident.

Additionally, the plaintiff mentioned in the affidavit that they recently learned of Chen Shanxuan's severe gambling habits, which may have led him to incur massive debts. The documents included several screenshots of message records in which Chen admitted to ruining everything in conversations with others and expressed feelings of despair about life, stating that sometimes he really wanted to end it all because living was too exhausting.

Based on this, the plaintiff speculates that gambling debts may be the primary motive behind Chen's theft of assets. According to Colin Wu, Chen was previously a model employee at an exchange, sharing knowledge with others. Despite earning millions, he continuously borrowed money from various people, engaged in 100x contracts, and accumulated more and more online loans, ultimately leading to a point of no return. However, more details about Chen's specific personal background, such as educational history and work experience, have not been provided in the lawsuit, and his true motives remain to be further investigated by the court.

Hong Kong Court to Hold Hearing on March 27

The subsequent developments of this case may involve multiple aspects. The plaintiff's primary goal is to freeze the stolen assets and recover losses. The Hong Kong court has accepted the case and plans to hold a hearing on March 27, 2025, at 9:30 AM, presided over by Judge Lok, during which the injunction will be reviewed. If Chen or other defendants fail to appear, the court may make a ruling in their absence.

The transparency of blockchain facilitates asset tracking, but if hackers launder funds through mixing services (such as Tornado Cash), the difficulty of recovery will significantly increase. Previously, Infini had warned the hacker via on-chain messages and stated that they had frozen part of the funds (approximately $43 million). However, if the remaining funds are transferred to unregulated addresses, the hope of recovery will become bleak.

Additionally, Chen's own situation is also under scrutiny, as he may face criminal charges under the legal systems of Hong Kong and Singapore. If his gambling debt issues are confirmed, the police may further investigate the source of his funds and whether they are related to other criminal activities. Some analysts have pointed out that if Chen has already been detained, the case may accelerate into the trial phase.

Multi-Signature Wallet Permission Settings Leave Hidden Risks

The theft incident at Infini is not an isolated case. In early 2025, the cryptocurrency industry experienced a series of security incidents, such as the $1.4 billion hack at Bybit exchange on February 21, highlighting the security vulnerabilities that still exist in the rapidly developing industry. Since its launch in 2024, Infini has attracted a large number of users due to its innovative stablecoin payment services and high-yield products; however, this incident has exposed weaknesses in its internal management and technical review processes.

Blockchain security experts analyze that if the lawsuit's allegations are true, Chen Shanxuan's actions constitute a typical internal attack. Infini's failure to implement sufficient decentralized security measures, such as multi-signature wallets, time-lock mechanisms, or third-party audits before the smart contract went live, is a significant reason for the incident. An industry insider commented, "Entrusting such important permissions to a newly hired remote employee without strict oversight, Infini's management cannot escape responsibility."

The lawsuit against Chen serves as a wake-up call for the industry regarding security. As blockchain technology increasingly integrates into the financial system, how to set up permission management, auditing, and cross-verification, avoid allowing contract players to hold important permissions, and focus efforts on a zero-trust architecture are all critical issues that founders must face.

As the lawsuit progresses, more details of the case may come to light, potentially revealing the complete truth behind Chen's theft.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。