Infini Labs $50m heist a ‘textbook insider attack,’ says security expert

Crypto.News, 2025/03/19 16:00
By: Benson Toti. Edited by Jayson Derrick

Infini Labs, a crypto-focused neobank, has filed a lawsuit against an engineer it accuses of embezzling nearly $50 million from the platform.

The stablecoin digital bank accuses Chen Shanxuan of retaining “super admin” authority as the crypto platform’s smart contract went live on mainnet. As a result, the engineer stole approximately $49.5 million in USDC from the firm.

Infini Labs filed its lawsuit in Hong Kong, via its subsidiary BP SG Investment Holding Limited. The allegation is that, as a lead developer, Chen secretly retained ‘super admin’ access and used this privilege to embezzle millions of dollars in crypto from the firm.

Interestingly, the lawsuit paints the picture of Chen as a man in debt and a massive gambler.

The case follows an exploit that drained $49.5 million from the cryptocurrency credit card provider’s coffers. The initial reaction to the loss was that this was the work of hackers.

However, the lawsuit puts Chen on the spot, with documents presented before the court asking that the accused person’s assets be frozen. Infini Labs has also asked the court to compel its former lead smart contracts engineer to disclose further transaction details.

In the crypto heist Infini suffered in February, funds had vanished without the multi-signature authorization. Chen used his full access to steal, the firm notes in the lawsuit.

The lawsuit against Chen comes days after Infini founder Christian Li asked the “hacker” to take the firm up on a white hat agreement. Li’s on-chain message also highlighted a 20% bounty the company offered to the suspected attacker.

Li also reiterated that Infini Labs was not going to take any legal action if the hacker complied with the white hat offer and returned the funds as requested.

Exploit is a ‘textbook example of an insider attack’

Trugard CTO and co-founder Jeremiah O’Connor told crypto.news in a statement the exploit is a “textbook example of an insider attack” within the Web3 space. Specifically, when a single engineer holds “unchecked power” over a smart contract it creates a central point of failure.

“Instead of revoking their super admin privileges as promised, this engineer kept a secret backdoor, deceived their own team, and made off with $50 million,” O’Connor added. “If the allegations are true, their motive—covering gambling losses—makes the situation even more alarming. When financial desperation meets unrestricted control, the results are almost always catastrophic. This serves as yet another wake-up call about the dangers of centralized authority in DeFi.”

Security in DeFi must rely on more than just trust, he said. If Infini had had decentralized safeguards in place, such as multi-signature wallets, on-chain transparency, or timelocks for admin changes, an exploit would not have been likely. As such, any project that allocates “absolute control” to one individual is “asking for trouble.”

“In Web3, security isn’t about trust; it’s about verifiable, enforced protections before things go south,” O’Connor concluded.
