Infini was stolen 50 million USD: suspected internal employee case, contract engineer got liquidated with a hundred times Cryptocurrency Trading.

When all the evidence points to someone in the team who was once trusted by everyone, everyone is surprised.

Written by: Cat Brother, Wu Says Blockchain

Background

On February 24, the Web3 credit card and wealth management project Infini was hacked, resulting in $49.5 million being drained from the Morpho MEVCapital Usual USDC Vault. Infini founder Christian stated at the time: "Of the $50 million stolen, 70% belongs to big friends I know personally. I have already communicated with them one by one and will personally bear the possible losses. The remaining funds will be reinvested into the Infini vault before next Monday, and everything will return to normal." He also expressed his willingness to pay 20% of the stolen amount as a ransom to the hacker, promising that no legal action would be taken if the funds were returned.

On February 24 at 20:00, the Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49:

We hereby inform you that we have obtained critical IP and device information regarding your attack on Infini. This is thanks to the strong support of top exchanges, security agencies, partners, and our community. We are closely monitoring the relevant addresses and are prepared to freeze the stolen funds at any time. In order to peacefully resolve this matter, we are willing to offer 20% of the stolen assets as a reward, provided that you choose to return the funds. Once the returned funds are received, we will cease further tracking or analysis, and you will not be held liable. We urge you to take action within the next 48 hours to reach a resolution as soon as possible. If we do not receive your response within the deadline, we will have no choice but to continue cooperating with local law enforcement to investigate this incident in depth. We sincerely hope to reach a solution that is most beneficial for all parties.

On February 26, the Infini Team once again sent an on-chain message:

More than 48 hours have passed since the attack, and we are offering you one last chance to return the stolen funds. If you choose to return your funds, we will immediately stop all tracking and analysis without any consequences. Please send 14156 ETH (80% of the stolen funds) to our Cobo custodial wallet:

Wallet address: 0x7e857de437a4dda3a98cf3fd37d6b36c139594e8

On February 27, Christian said that the case for the Infini hack has been officially completed in Hong Kong.

In terms of funding, the hacker address 0x3a…5Ed0 exchanged 49.52 million USDC for an equivalent amount of DAI through Sky (MakerDAO) on the 24th, and then exchanged DAI for approximately 17,700 ETH in multiple transactions via Uniswap, sending it to the new address 0xfcC8Ad911976d752890f2140D9F4edd2c64a6e49. Since then, this fund has not undergone further transfers (suspected to have been controlled by law enforcement immediately), but due to the recent drop in ETH prices, these ETH are currently worth only 35.15 million dollars.

Content of the Lawsuit

On March 20th at 18:00, the Infini Team sent an on-chain message to Infini Exploiter 2: 0xfc…6e49, warning the relevant address that the previously attacked loss of 50 million USD by Infini is currently involved in ongoing legal disputes and is contentious. Any subsequent holders of cryptocurrency assets that were previously stored in the above wallet (if any) shall not claim to be good faith purchasers.

In addition, the court litigation documents were also attached to the message via a link, with the specific content as follows:

The plaintiff is Chou Christian-Long, CEO of BP SG Investment Holding Limited, a Hong Kong registered company wholly owned by Infini Labs. The first defendant is Chen Shanxuan, who works remotely in Foshan, Guangdong, and the true identities of the second to fourth defendants are currently unconfirmed.

The plaintiff, together with BP Singapore, developed a smart contract for managing company and client funds, which was primarily written by the first defendant. The contract originally set up multi-signature permissions to strictly control any fund transfers.

When the contract was launched on the mainnet, the first defendant allegedly retained super admin privileges but falsely claimed to other team members that the privileges had been transferred or removed.

In late February 2025, the plaintiff discovered that crypto assets worth approximately 49,516,662.977 USDC had been transferred to several unknown wallet addresses (wallets controlled by the second to fourth defendants) without multi-signature authorization.

Due to concerns that the defendant or unidentified individuals may further transfer or launder assets, the plaintiff applied to the court:

• Issue an injunction against the first defendant and related unidentified individuals to restrict the transfer or disposal of the stolen assets;
• Require the defendant or the person who actually controls the relevant wallet to self-disclose their identity;
• Issue various mandatory orders to the first defendant and other unknown wallet holders prohibiting the disposal of assets;
• Request the other party to disclose transaction and asset information;
• Allow the plaintiff to serve documents "outside the territory" (i.e., serve legal documents to foreign defendants) and alternative methods of service.

In the body of one of the affidavit, the plaintiff stated: "I have only recently learned that the first defendant has a serious gambling habit and may have incurred a huge debt as a result. I believe this prompted him to steal the assets involved in the case to ease his own debts. The plaintiff also submitted screenshots of the relevant news records to prove that the first defendant may be in debt. (The plaintiff alleged that the defendant subsequently went crazy and opened contracts with 100 times leverage on a daily basis)

According to the sworn statement, the first defendant borrowed funds from different channels within a relatively short period, and even allegedly contacted underground money lenders or so-called loan sharks, resulting in pressure from high interest rates and debt collection calls. Exhibit CCL-17 mentions that he sought help from others in a chat, stating that he was burdened with interest from several lenders and continuously asked if he could borrow more money to get through the difficulties, or requested the other party to help introduce new sources of funds.

Shortly before the incident occurred, the first defendant had revealed in work groups or in private conversations with colleagues/friends that his financial situation was very tight, even expressing anxiety that if he couldn't raise money again, something would go wrong. These statements almost coincided with the timing of the unauthorized transfer of the company's crypto assets, thereby reinforcing the plaintiff's judgment of the first defendant's motives: he may have taken risks due to the pressure of massive debt.

According to the plaintiff's statement, the first defendant repeatedly avoided or only gave vague answers when asked about personal finances or gambling issues, and was unclear about how much debt he actually had and whether he was still gambling. The affidavit stated that the first defendant pretended to have no major problems from the end of October until the incident occurred, but the content of his conversations with others on chat software was clearly contradictory to this.

The plaintiff is concerned that if the first defendant is eager to repay gambling debts or continue to recoup losses, they may rapidly transfer the stolen digital assets to other wallets or even cash them out off-exchange, making them harder to track. Therefore, they urgently applied to the court for a global asset freeze order and requested the first defendant and other unknown wallet holders to disclose and return the cryptocurrency assets involved in the case.

Bane, a partner at Kronos Research, stated that the team still has a lot of outrageous materials related to life that have not been presented in court documents, but they are more or less not directly related to the case. We are still more focused on recovering the funds themselves. When all evidence points to someone who was once very trusted in the team, everyone is surprised. But a motive is a motive, and everything is based on facts; we believe the law will bring about a just result. Until the gavel officially falls, he remains a suspect.

Bane stated that the team always felt that the super admin rights had been transferred to the multi-signature wallet, but he used OpenZeppelin's permission library, which has always been multi-to-multi. Therefore, the initial dev wallet's rights were never relinquished. During deployment, everyone generally used an EOA, and after deployment, the rights were transferred to the multi-signature wallet. The dev wallet he controlled, after the contract creation, based on the initial settings of OpenZeppelin's permission library, by default had super admin [0] rights. He later transferred this super admin right to the multi-signature wallet and falsely claimed in the chat records that he had already relinquished the EOA rights, but in reality, the revoke transaction was never issued. He later said he thought permission management was one-to-one instead of multi-to-multi, meaning he falsely claimed that once the rights were granted to the multi-signature wallet, the dev wallet's rights would automatically be relinquished. Based on trust, no one double-checked the contract status, leading to tragedy.

The defendant stated after the incident: My problem, I forgot to revoke the permissions, a very, very basic mistake.

The case has not yet been adjudicated, and the submitted litigation documents include a large amount of chat records from the first defendant. Interested readers can download the original file:

Link:

Extraction password: D1234@5##