On November 16, 2024, the cryptocurrency trading platform DEXX was hacked. According to news reports, the user assets stolen exceeded US$100 million, many users suffered heavy losses, and rights-protection groups are forming rapidly. As an emerging cryptocurrency trading platform operated by Chinese nationals, its rapid rise owes much to extensive promotion by many KOLs.
So what legal risks do the platform and the KOLs face in connection with this security incident, and what liability must they bear for users' losses?
Author: Lawyer Shao Shiwei
01. DEXX platform user funds stolen
As a memecoin platform supporting multi-chain asset trading, DEXX covers on-chain assets on SOL, ETH, TRX, BASE and BSC. According to its official website, it offers functions such as on-chain mobile take-profit and stop-loss, hot concept push, smart wallet tracking push, position doubling, one-click anti-pinch, and one-click buy and sell. Because the DEXX interface resembles Binance's, some KOLs call it "on-chain Binance".
In the early hours of November 16, DEXX reported that it had been hacked, and many users reported that assets had been transferred out of their wallets by unknown means. Blockchain security audit firm CertiK said the main cause of the incident was improper management of the DEXX platform's private keys, which led to the leakage of the official private key. Yu Xian, founder of SlowMist Technology, also noted in a tweet that "those whose funds were stolen were all using DEXX to trade 'earth dog' tokens / speculate on memecoins. The private keys were in DEXX's centralized custody and must have been leaked."
Investigators also found that DEXX transmitted private keys in plaintext. This means that users' private keys are stored on the DEXX server; if the system is compromised, an attacker can readily obtain users' private keys and steal their assets.
02. The rise of the DEXX platform is due to promotion by KOLs
DEXX was established only recently, and the rapid growth in its user numbers has much to do with extensive promotion by many Chinese KOLs on Twitter.
According to DEXX's official website, the platform's promotion rebate is as high as 60% of the transaction fee.
(Rebate Ranking)
After the incident, many KOLs began deleting their promotional posts, quickly distancing themselves from the platform and making their stance clear.
03. What are the platform's possible legal responsibilities for this incident?
First, as a cryptocurrency trading platform operated by Chinese nationals and open to Chinese citizens, DEXX falls under the 924 Notice of 2021, which stipulates that virtual currency-related business is illegal financial activity and that overseas virtual currency exchanges providing services to Chinese residents over the Internet also constitute illegal financial activity. Therefore, whether this incident turns out to be "embezzlement" or an "accident", the platform faces serious criminal risk.
Second, according to in-depth technical analysis by the BitJungle monitoring system, the DEXX trading platform has the following serious security issues:
Private key storage: Although DEXX claims not to be a custodial wallet, it records users' private keys. Once the system is compromised, an attacker can readily obtain users' private keys and steal their assets.
Private key export and plaintext transmission: DEXX applies no encryption when users export their private keys, so the keys are exposed in plaintext in transit and can easily be intercepted.
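As an added example (not code from DEXX, BitJungle or the author), the kind of check a security team can run over a wallet-export endpoint's JSON responses to flag values that have the shape of a raw private key and therefore should never appear in the clear. Field names, paths and the sample key values are constructed for illustration.

```python
import json
import re
# Added example (not DEXX's code): scan a wallet-export response for private-key
# material returned in the clear. Field names and key values below are constructed.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
HEX32 = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")        # 32 bytes: EVM key or tx hash
B58_64 = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{86,90}$")   # ~64 bytes: Solana keypair or signature
SECRET_WORDS = ("private", "secret", "seed", "mnemonic", "keypair")

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # regex above guarantees valid alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def key_shape(value: str):
    if HEX32.match(value):
        return "hex32"
    if B58_64.match(value) and len(b58decode(value)) == 64:
        return "b58-64"
    return None

def _strings(node, path="$"):
    # Yield (json_path, string) for every string value in the parsed body.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_plaintext_keys(body: str):
    # (path, shape, confidence): a hash and a key look alike, so the field name
    # decides between 'high' (named as a secret) and 'low' (shape only).
    out = []
    for path, value in _strings(json.loads(body)):
        shape = key_shape(value)
        if shape:
            named = any(w in path.lower() for w in SECRET_WORDS)
            out.append((path, shape, "high" if named else "low"))
    return out
```

Any "high" finding on an export response means key material crossed the wire unencrypted, which is exactly the condition the analysis above describes; "low" findings need a human look, since a transaction hash has the same shape as a 32-byte key.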
Before the facts are established, we will not discuss whether the platform "stole from the inside" in this incident. Judged purely on the security issues above, however, the platform has breached the legal obligation of websites and platforms to protect the security of user information under China's Cybersecurity Law. Its transmission of user passwords in plaintext led to information leakage, which also constitutes an infringement of users' rights.
In addition, although plaintext transmission is not in itself a criminal act, if it causes serious consequences, the persons responsible for the platform may, under the Criminal Law, be suspected of offenses such as illegally obtaining computer information system data and infringing on citizens' personal information.
04. Do KOLs bear any legal responsibility?
According to the 924 Notice, "Overseas virtual currency exchanges providing services to residents of China through the Internet are also illegal financial activities. ... Legal persons, unincorporated organizations and natural persons who know or should know that an entity is engaged in virtual currency-related business and still provide it with marketing and promotion services ... shall be held accountable in accordance with the law."
KOLs used their credibility and influence in the crypto community to call the DEXX platform "Binance on the chain" on social media such as Twitter and promoted it vigorously to earn high commission income. Their conduct violated the above provisions.
Lawyer Shao noted in the article "What are the legal risks of KOLs in the cryptocurrency circle promoting projects?" that KOLs promoting cryptocurrency trading platforms may be suspected of fraud, operating a casino, organizing and leading pyramid schemes, and so on, and listed several cases there.
As far as the DEXX security incident is concerned, however, the most likely criminal charge is the crime of illegal use of information networks ("non-trust crime"), known as a "pocket crime", that is, a catch-all offense. Its most distinctive feature, setting it apart from other charges, is the use of information networks: the information is disseminated solely through online networks. As Lawyer Shao noted in the article "A crime that cryptocurrency entrepreneurs need to pay special attention to - the crime of illegal use of information networks (II)", many Web3 entrepreneurs know the common-sense legal provisions that they cannot operate exchanges, issue coins or mine in China, but they generally do not believe there is any legal risk in publishing and promoting cryptocurrency-related information. Yet once the promoted project runs into problems, the publisher of that information faces legal risk.
05. Related suggestions
For the platform, if this was indeed a case of "theft by the platform", the relevant responsibilities are self-evident. If it was indeed an external hack, then given that the platform did store users' private keys and transmitted user-exported private keys in plaintext, it failed to effectively protect user information security, resulting in damage to user assets. The platform is advised to keep publishing the progress of the investigation, including a detailed analysis of the technical vulnerabilities, to take the initiative in assuming responsibility, and to clarify the compensation mechanism and specific measures for users' losses.
For KOLs, they relied on their own influence to promote the platform, and followers chose to believe the promotional content because they trusted the KOLs. Therefore, whatever responsibility the platform bears in this incident, KOLs are advised to take the initiative in acknowledging the incident's collateral impact, actively assist users in safeguarding their rights, and help users within the bounds of the law, for example by compiling user loss data and helping users communicate solutions with the platform. Where conditions permit, KOLs are also advised to compensate users to the best of their ability. Even if a KOL is not legally liable for the promotion, voluntary compensation shows that the KOL values users' rights and takes responsibility for its own promotional conduct. Objectively, compensation can also effectively reduce the likelihood of affected users taking further legal action.