
Security Expert Labels $50m Infini Labs Theft as Classic Insider Attack
Date: 2025-03-20 15:05:57 | By Rupert Langley
Crypto-focused neobank Infini Labs has initiated legal action against an engineer who allegedly embezzled nearly $50 million from the platform.
The stablecoin digital bank claims that Chen Shanxuan, a lead developer, retained "super admin" authority when the crypto platform's smart contract went live on mainnet. This allowed him to steal approximately $49.5 million in USDC from the firm.
Infini Labs filed its lawsuit in Hong Kong through its subsidiary BP SG Investment Holding Limited. The company alleges that Chen, as a lead developer, covertly retained 'super admin' access and used this power to embezzle millions of dollars in crypto from the firm.
Notably, the lawsuit portrays Chen as a man in debt and a heavy gambler.
The case comes after the cryptocurrency credit card provider experienced an exploit that resulted in $49.5 million being drained from its accounts. Initially, it was believed that hackers were responsible for the loss.
However, the lawsuit points the finger at Chen, with documents presented to the court requesting that his assets be frozen. Infini Labs has also asked the court to compel its former lead smart contracts engineer to reveal further transaction details.
During the crypto heist Infini suffered in February, funds disappeared without multi-signature authorization. According to the lawsuit, Chen used his full access to steal the funds.
The lawsuit against Chen follows just days after Infini founder Christian Li sent an on-chain message asking the "hacker" to consider a white hat agreement. Li's message also mentioned a 20% bounty the company offered to the suspected attacker.
Li also emphasized that Infini Labs would not pursue legal action if the hacker complied with the white hat offer and returned the funds as requested.
Exploit is a 'textbook example of an insider attack'
In a statement to crypto.news, Jeremiah O'Connor, CTO and co-founder of Trugard, described the exploit as a 'textbook example of an insider attack' within the Web3 space. Specifically, when a single engineer holds 'unchecked power' over a smart contract, it creates a central point of failure.
"Instead of revoking their super admin privileges as promised, this engineer kept a secret backdoor, deceived their own team, and took off with $50 million," O'Connor added. "If the allegations are true, their motive—covering gambling losses—makes the situation even more alarming. When financial desperation meets unrestricted control, the results are almost always disastrous. This serves as yet another wake-up call about the dangers of centralized authority in DeFi."
O'Connor explained that security in DeFi should not rely solely on trust. If Infini had implemented decentralized safeguards such as multi-signature wallets, on-chain transparency, or timelocks for admin changes, an exploit would have been unlikely. Therefore, any project that assigns 'absolute control' to one individual is 'asking for trouble.'
"In Web3, security isn't about trust; it's about verifiable, enforced protections before things go south," O'Connor concluded.
