Infini Labs, a leading player in the crypto neobank sector, has initiated legal proceedings against an engineer accused of embezzling nearly $50 million from the company.
The digital bank claims that Chen Shanxuan retained unauthorized “super admin” access during the launch of its smart contract on the mainnet, allegedly allowing him to misappropriate approximately $49.5 million in USDC from the platform.
The lawsuit, filed in Hong Kong through Infini’s subsidiary BP SG Investment Holding Limited, accuses Chen, a lead developer, of secretly maintaining “super admin” access to exploit the system and embezzle substantial funds.
The legal documents suggest that Chen was significantly in debt and a compulsive gambler.
This case arises following an exploit that drained $49.5 million from Infini, initially believed to be the work of external hackers. The lawsuit shifts the focus onto Chen, as Infini Labs calls for the freezing of his assets and demands a full disclosure of transaction details.
During the incident in February, funds reportedly disappeared without multi-signature authorization, with the lawsuit asserting that Chen’s unrestricted access enabled the theft.
Notably, the lawsuit follows a public appeal by Infini founder Christian Li, who urged the alleged hacker to accept a white hat agreement, offering a 20% bounty in exchange for the return of the stolen funds. Li emphasized that legal action would be avoided if the illicit gains were restored as requested.
Insider Attack Highlighted
Jeremiah O’Connor, CTO and co-founder of Trugard, identified the exploit as a “textbook example of an insider attack” in the Web3 environment. He pointed out that allowing a single engineer to maintain “unchecked power” over a smart contract creates a vulnerability that can lead to catastrophic outcomes.
“By retaining their super admin privileges instead of revoking them as promised, this engineer created a secret backdoor, deceiving the team and absconding with $50 million,” O’Connor stated. “If these claims hold true, the motive—covering gambling losses—adds to the alarming nature of the situation. The intersection of financial desperation and unrestricted power often leads to dire consequences, underscoring the inherent risks associated with centralized control in DeFi.”
O’Connor emphasized that DeFi security must extend beyond mere trust, advocating for decentralized safeguards like multi-signature wallets, on-chain transparency, and time locks on admin changes to mitigate risks. He warned that any project granting absolute control to one individual is “inviting trouble.”
“In Web3, security hinges on verifiable, enforced protections rather than trust,” O’Connor concluded.
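The failure alleged in the lawsuit, an admin privilege that was meant to be revoked after launch but was not, is something on-chain transparency lets a team verify rather than trust. The following is an added example, not code from Infini or from this article: it replays a constructed log of role grant and revoke events and flags any account other than the multi-signature wallet that still holds a privileged role. The event names, role names and addresses are assumptions, since the article does not describe the contract's interface.

```python
from collections import defaultdict

# Constructed sample log, not data from the incident. Fields:
# (block, log_index, event, role, account). Addresses are placeholders.
EVENTS = [
    (100, 0, "RoleGranted", "SUPER_ADMIN", "0xDEPLOYER"),
    (100, 1, "RoleGranted", "OPERATOR", "0xDEPLOYER"),
    (105, 0, "RoleGranted", "SUPER_ADMIN", "0xMULTISIG"),
    (106, 0, "RoleRevoked", "OPERATOR", "0xDEPLOYER"),
    (107, 0, "RoleGranted", "OPERATOR", "0xBOT"),
    # No RoleRevoked for SUPER_ADMIN / 0xDEPLOYER: the hand-over was never completed.
]

PRIVILEGED_ROLES = {"SUPER_ADMIN"}   # hypothetical role name
APPROVED_HOLDERS = {"0xMULTISIG"}    # the only account expected to hold it


def current_holders(events):
    """Replay grant/revoke events in chain order; return {role: set(accounts)}."""
    holders = defaultdict(set)
    for _block, _idx, event, role, account in sorted(events):
        acct = account.lower()  # addresses compare case-insensitively
        if event == "RoleGranted":
            holders[role].add(acct)
        elif event == "RoleRevoked":
            holders[role].discard(acct)
        else:
            raise ValueError(f"unexpected event type: {event}")
    return holders


def audit(events, privileged=PRIVILEGED_ROLES, approved=APPROVED_HOLDERS):
    """Return sorted (role, account) pairs that hold a privileged role
    without being on the approved list."""
    allowed = {a.lower() for a in approved}
    holders = current_holders(events)
    return sorted(
        (role, acct)
        for role in privileged
        for acct in holders.get(role, set())
        if acct not in allowed
    )


if __name__ == "__main__":
    for role, acct in audit(EVENTS):
        print(f"FINDING: {acct} still holds {role}")
```

Run as a recurring check against the deployed contract's event history, an audit of this kind turns "revoked as promised" into a condition that fails visibly when it is not met.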