Plaintext private keys, clipboard mnemonic phrases, is it a fake Rug or a real theft?
Written by: Tuo Luo Finance
The first 'theft' of the bull market has arrived.
In recent times, aside from Bitcoin, MEME has undoubtedly been the biggest winner in the crypto market. Continuous hype around AI, PolitiFi, and DeSci has brought GOAT, PUNT, BAN, and other standout MEMEs back to the forefront, making 'hitting the golden dog' an essential daily activity for MEME enthusiasts.
The scale of the casino is beginning to emerge, and market tools surrounding MEME are also increasing. Today's protagonist, DEXX, is one of the on-chain trading terminals actively involved in the MEME market recently.
In the early morning of November 16, DEXX was attacked, and multiple users' tokens were transferred. As of now, the losses have reached as high as $20 million. Initially thought to be just a normal hacker attack, more information surfaced under the community's scrutiny, revealing outrageous settings such as plaintext private keys and clipboard mnemonic phrases, and the boss is suspected to have a history of rug pulls.
Is it a lack of preventive measures or a self-directed script? Is it a fake Rug or a real theft? DEXX has once again cast a shadow over the Chinese MEME circle.
According to official information, DEXX is an all-chain trading platform focused on Memecoins, supporting multi-chain asset trading including SOL, ETH, TRX, BASE, BSC, and offering functions like on-chain stop-loss and take-profit, hot topic notifications, and copy trading. In short, the core function of DEXX is on-chain aggregation, with user experience being key. In its early promotions, it often marketed itself as 'the Binance on-chain.' According to insiders, the platform's daily trading volume exceeds $50 million, with daily profits exceeding $300,000. It can be seen that, although not as well-known as mature platforms like Banana Gun or Unibot, the platform has already taken shape and has a certain influence in the MEME circle.
However, on November 16, the newly rising DEXX dealt a heavy blow to the MEME market. In the early morning, DEXX was attacked, and multiple users discovered that the tokens in their accounts had disappeared; several MEMEs such as Banana and LUCE fell sharply, with LUCE dropping over 41%. Panic spread in the community, triggering widespread discussion on public platforms. At that time, rumors were rampant in the market: the rights protection group quickly grew to 3,000 people, over 9,000 transactions were reported as stolen, and some rumors even suggested that the amount involved exceeded $500 million.
However, in subsequent investigations, the asset losses did not reach that scale. According to Slow Mist's current statistics, 821 users were affected, with total losses approaching $20 million, including one user over $1 million, two users in the $500,000 to $1 million range, and 28 users in the $100,000 to $500,000 range. However, the hacker has not ceased operations, and the transfer of assets continues to increase.
On the day of the incident, DEXX quickly responded, stating there was no Rug and that the issue was being thoroughly investigated. Its founder Roy (@honza204) followed up by saying, 'We will compensate, isolated some users, there was no RUG, we are investigating, cannot reply one by one, please rest assured.'
Despite repeatedly stating there is no Rug, the seasoned community is clearly skeptical. Subsequent preliminary investigations by Slow Mist and Bit Jungle have further intensified the suspicion of a platform Rug. The investigations revealed that the DEXX platform has significant security issues: although it bills itself as non-custodial, it stored user private keys on its own servers, and it applied no encryption when users exported their private keys, so the keys were exposed in plaintext during transmission.
In addition to the major taboo of plaintext transmission, clipboard permissions are also extremely unreasonable. The DEXX platform has been found to repeatedly request users' clipboard permissions; if users had copied private keys or mnemonic phrases to the clipboard, that information could very well be inadvertently transmitted to the platform, increasing the risk of sensitive information leakage.
In terms of the attack method, there were no signs of intrusion on DEXX's frontend; instead, the private keys were downloaded from a remote server, which is what made the theft possible. Moreover, the hacker clearly premeditated this, not only choosing the vulnerable early-morning hours but also, after the attack, creating fresh wallets in bulk, one per victim, to receive the stolen assets, making tracing as hard as possible.
It claims to be an all-chain trading platform, but in reality, it is even more centralized than centralized exchanges, with private keys stored in plaintext and mnemonic phrases copied to the clipboard. Such obvious security risks were ignored by the platform until the so-called 'hacker' attacked; could it be that this hacker is actually the platform itself?
After the news broke, the market was in an uproar. Condemnation from the community was constant, theories of self-theft and fleeing with the money continued to ferment, and the market spontaneously began to track DEXX, uncovering more details.
Although the registration records show that DEXX's entities are quite dispersed, with companies registered in the US, the Bahamas, Singapore, Tokyo, Hong Kong, and the Marshall Islands, the company is currently located in Hangzhou's West Lake District, under the name Hangzhou Chengdao Technology Co., Ltd.
Under the scrutiny of netizens, the founder's information was completely disclosed. The known real name of the founder is Lou Yu Lin Feng, a 30-year-old from Jinhua, Zhejiang, who is rumored to have previously engaged in online gambling. According to revelations from crypto intelligence, this so-called 'pattern' boss allegedly only has a middle school education. Some netizens also disclosed his location on social media, claiming he is currently in Thailand. Moreover, some mentioned that this Lou boss has a history of soft rug pulls, as evidenced by his previous involvement in the project Opendao. Coincidentally, the day before the theft incident, Roy posted a message saying 'Having money is great,' which further fueled various conspiracy theories.
The Rug controversy is fermenting, and the market's anger is also heating up; even the KOLs who promoted the platform are getting stained. In fact, DEXX's main method of promotion was to collaborate with well-known KOLs through commission rebates, using the KOLs' influence to gain traffic. This method is quite common in the crypto world, but it is worth noting that, compared to other platforms, DEXX's commission rate was exceptionally high, reaching as much as 50%-60% of the fees. In exchanges between platform staff and KOLs, it was mentioned that top KOLs could earn over $40,000 through commissions alone.
Under the temptation of profit, many KOL participants joined in, especially among Chinese KOLs. Over 25 well-known KOLs, including Youmin, Dayu, and Hongshen, promoted DEXX, with some even engaging in bottomless promotion in private traffic. This is also a reason why the majority of victims are Chinese users. After the incident, the market launched a series of criticisms against these KOLs, believing they abused their influence and were complicit in harvesting profits. The KOLs responded differently to these accusations.
Immediate disassociation is an inevitable action. Some KOLs directly deleted previous promotional posts to erase market memory; more cautious KOLs, considering the long-term profit direction, will apologize and offer some compensation, but this group is small, only in single digits; while the vast majority of KOLs seem to plan to go into hiding and wait for the storm to pass.
Of course, assigning blame is secondary; the urgent task is to recover the stolen assets. Although Roy claimed he would fully compensate, whether he can actually provide enough funds remains to be seen. If it turns out to be a self-directed script, the recovery of funds can resort to legal means, but if it is indeed a hacker intrusion, the rights protection becomes more distant on an exchange with unclear identity verification.
Citing the statements of lawyers Guo Zhihao and Shao Shiwei, DEXX, as a project operated by domestic institutions, is essentially engaging in virtual currency-related business in China, which should be deemed illegal financial activity, with the minimum principle being to ban and order it to cease operations. Specifically regarding this incident, if the platform was indeed hacked, then it has illegally collected user private keys, which is suspected of violating citizens' personal information laws; if the platform staged the event, it is very likely to be classified as a stricter fraud crime, with criminal penalties based on the amount involved, potentially leading to life imprisonment. KOLs who want to remain anonymous may also find it hard to escape responsibility, as KOLs are suspected of making money from the platform through information networks, which may involve illegal use of information networks, thus bearing certain joint liabilities. Although the probability of criminal charges is low, the threshold for conviction is extremely low; if users insist on clinging to them, it might lead KOLs to suffer consequences.
Yesterday, DEXX posted a letter to the hacker on platform X, stating that it has received strong support from security agencies, partners, and exchanges to locate the stolen tokens, and is continuously monitoring the hacker's address to timely freeze the stolen funds. It now demands that this incident be resolved within the next 24 hours, or it will continue to cooperate with local police, security agencies, and exchanges to investigate and take law enforcement actions to protect user assets, regardless of how long it takes. The platform stated it is marking the hacker's address and requesting assistance from the Solana Foundation. After being marked, the hacker will not be able to recharge to exchanges or convert to fiat currency by any means.
The founder also spoke out again to deny being out of contact, stating, 'Due to special reasons, we cannot synchronize updates at the moment. Please give us some time to handle this satisfactorily. Over the next few days, the team will synchronize some information and plans; it's not about being out of contact.'
Theft is not uncommon in the crypto industry; DEXX is not the first case and will certainly not be the last. Essentially, no wallet, custodial or non-custodial, is absolutely secure. Aside from enhancing transparency through open-source contracts on the chain, security relies on stronger backgrounds and more robust funding; otherwise, relying solely on transferred trust and external audits does not eliminate the possibility of significant risks. Taking DEXX as an example, the platform had undergone an audit by CertiK, but the final response regarding this incident was that it occurred on the Solana chain, which was not covered by the audit.
Returning to the users themselves, raising security awareness is urgent. In addition to not trusting anyone's promotions, when it comes to fund usage, priority should be given to platforms with sound security mechanisms and sufficient endorsements. In terms of asset security management, assets should be spread across multiple wallets rather than concentrated in one place, and it is recommended to use completely independent devices for operations. It is advisable to use separate authentication, avoid prioritizing convenience, refrain from setting up password-free access and live authentication, and be cautious with plugins. For large assets, hardware wallets should be used for storage. Users should remember that security comes first in operations; otherwise, the hard-earned profits of a bull market may become someone else's.
On the other hand, if it is indeed a platform rug pull, even if the founder flees, he may not be able to rest easy. After all, as a person who has been exposed and may have held over 100 million in liabilities, there is no safe place for him to hide.