Infini Labs, a neobank centered on cryptocurrency, has initiated legal proceedings against an engineer accused of misappropriating nearly $50 million from the platform.
The digital bank, which operates with stablecoins, has accused Chen Shanxuan of retaining “super admin” privileges after the crypto platform’s smart contract was launched on the mainnet. Consequently, the engineer is alleged to have stolen around $49.5 million worth of USDC from the organization.
Infini Labs lodged its lawsuit in Hong Kong through its subsidiary BP SG Investment Holding Limited. The claim asserts that Chen, as the lead developer, secretly kept his “super admin” access and exploited this power to embezzle significant amounts of cryptocurrency from the company.
The lawsuit intriguingly portrays Chen as someone struggling with debt and known for his gambling habits.
This legal action follows an exploit that led to a loss of $49.5 million for the cryptocurrency credit card provider. Initially, the company suspected hackers were behind the incident.
However, the lawsuit shifts the focus onto Chen, with filings urging the court to freeze the assets of the accused. Infini Labs has also requested that the court order Chen to provide additional details regarding the transactions.
The funds taken from Infini in the February heist disappeared without the necessary multi-signature approval. The company asserts in its lawsuit that Chen utilized his unrestricted access to carry out the theft.
The action against Chen came shortly after the founder of Infini, Christian Li, encouraged the “hacker” to accept a white hat agreement. Li’s on-chain message also noted a 20% bounty offered to the suspected perpetrator.
Li further emphasized that Infini Labs would refrain from pursuing legal action if the hacker agreed to the white hat proposal and returned the stolen funds as requested.
An Exploit Illustrating an ‘Insider Attack’
Jeremiah O’Connor, co-founder and CTO of Trugard, described the incident as a “textbook example of an insider attack” within the Web3 realm. He pointed out that when a lone engineer possesses “unchecked authority” over a smart contract, it introduces a significant vulnerability.
“Rather than revoking their super admin privileges as promised, this engineer retained a hidden backdoor, misled their own team, and absconded with $50 million,” O’Connor remarked. “If the allegations are substantiated, their motive—covering gambling debts—renders the situation even more concerning. When financial desperation intersects with unchecked control, the outcomes tend to be disastrous. This is yet another reminder of the risks associated with centralized power in DeFi.”
According to him, security within DeFi cannot simply rely on trust. If Infini had implemented decentralized safety measures like multi-signature wallets, on-chain transparency, or time-locks for administrative changes, such an exploit would have been far less likely. Thus, any project that grants “absolute control” to a single individual is “inviting chaos.”
“In the Web3 environment, security is not merely about trust; it is about having measurable, enforced safeguards before issues arise,” O’Connor concluded.