Background
On November 16, 2024, a large-scale theft hit the DEXX platform: many users reported that the assets in their accounts had vanished. The news spread rapidly on social media, triggering panic and anger. Many users initially assumed a system failure, but as the security audit firms CertiK and PeckShield investigated, it was soon confirmed that DEXX had a serious flaw in its private key management. Through this flaw, the attackers obtained access to the platform's core wallet and transferred user assets to multiple anonymous addresses.
After the incident, the DEXX team published an open letter offering the attacker a bounty in exchange for returning the assets. The letter did nothing to calm users; instead it raised further doubts, with some suspecting that the DEXX team had staged an inside job. Everything suggests there is more to this incident than meets the eye, and the affected users have begun organizing on their own to try to recover their losses.
The project party's responsibility: makeshift team or force majeure?
As a lawyer, I think the first thing to clarify is whether the project party should compensate users for their losses. If DEXX's own management errors, in particular the "low-level errors" in private key management, caused user assets to be stolen, then legally it should be liable to compensate users. Put bluntly: if the security flaw stems from carelessness or technical omission rather than force majeure, the users' losses cannot simply be written off as a "hacker attack".
Standard user agreements usually exempt platforms from liability for force majeure events, but this incident was plainly neither a natural disaster nor an uncontrollable external factor; it arose because the project party failed to meet its basic security management obligations. The law generally treats that as mismanagement, not force majeure. In practice, however, users who want to enforce their rights through litigation in China face serious difficulty. DEXX is an offshore-registered company, so users would need to pursue cross-border proceedings, and under China's current legal environment judicial protection of virtual currencies is heavily restricted. Even where users have legitimate claims for compensation, the chance of actually enforcing them is low.
It is worth noting that if this incident was not a hacker attack at all but a "leek-cutting" operation (fleecing retail investors) directed by the project party, the situation changes completely. If the evidence shows that the project party intended to cover up the illegal misappropriation of user assets by dressing it up as a hack, this may constitute fraud under Chinese law. Some may think that because the project party is overseas, domestic public security can do nothing. But once the amount involved is large enough, the public security organs have every incentive to pursue the case across borders through international cooperation, and there have been many successful arrests in similar cases. Believing that "being overseas means being safe" is naive.
KOLs' responsibilities: a double test of law and character
In this incident, many KOLs in the cryptocurrency circle vouched for DEXX and promoted it actively on social media to earn commissions. DEXX's rebate ratio was also relatively high compared with other platforms, as much as 50-60% of the trading fee, which raises another question: do the KOLs who helped recruit new users bear legal responsibility? This is being discussed widely in the rights-protection groups. Someone online has recently compiled a list of KOLs who promoted DEXX, including some people I know personally. Their responses have varied: some deleted their promotional posts, others apologized publicly and promised some compensation, but these are spontaneous individual actions.
Let me start with the conclusion. From a legal perspective, if these KOLs merely promoted the platform in exchange for a promotion fee, law enforcement in practice is unlikely to prioritize holding them accountable. From a cost-effectiveness standpoint, enforcement is better spent on the core project party than dispersed across many KOLs.
That said, reputation is everything for a KOL in the crypto circle. If these influencers want to keep a good name in the community, I suggest they offer their followers an appropriate explanation and statement, within whatever bounds they find acceptable. This is beyond the scope of the law, of course, but it is a reminder to every KOL that when promoting projects they should not look only at the advertising fee and ignore basic risk control on the project. Otherwise, when users find they have been harmed by that promotional content, a KOL may escape legal liability but will not escape the community's condemnation and the heavy moral and social pressure that follows.
Mankiw's Compliance Advice
The DEXX incident exposed not only technical flaws but also a lack of compliance awareness. Had the project party done proper risk assessment and prevention in advance, many of these problems could have been avoided. The incident has left many friends sighing once again that the world really is one big makeshift operation. How matters develop from here, time will tell. But the problems exposed so far are enough to offer Web3 project parties and practitioners some useful lessons.
1. Security management: multi-layered protection from technology to process
First, for any crypto project, fund security is the core. The lesson of the DEXX incident is that however good the technical innovation, if basic security is not in place everything else is a castle in the air. A few specific security management measures deserve emphasis:
Multi-signature and hardware isolation for private key management: the project party should adopt a multi-signature (multi-sig) mechanism so that the leak of any single party's key cannot by itself drain funds. Private keys should be held in cold storage, isolated from online attack; the core wallet's key in particular should never be stored on a networked device. A hardware wallet combined with offline backups is recommended to minimize the risk of theft.
Third-party security audits and regular testing: a security audit cannot be a formality; it should be a required step before launch. In DEXX's case there was a clear lack of auditing and stress testing of the private key management system. The project party should regularly engage professional security firms for code review and vulnerability testing, and fix findings promptly. It should also maintain an internal incident response team so that it can act quickly in an emergency rather than panic during a crisis.
Improve internal risk control processes: beyond technical security, the project party should build a sound internal management system, including access control, operation log review and anomaly monitoring. For example, fund transfers should go through a strict approval process with detailed operation records, so that when an anomaly occurs its source can be traced quickly and blocked before losses grow.
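The approval process, operation records and anomaly monitoring described above can be sketched in code. The following Python is an added example, not DEXX's code or anything published by this article's author: it models a 2-of-3 approval policy for treasury withdrawals, enforces a per-transfer limit, and keeps a hash-chained operation log so that a tampered record is detectable. HMAC-SHA256 keyed per signer stands in for the hardware-wallet or on-chain signatures a real multi-sig would use; the signer names, limit and transfer amounts are constructed for illustration.

```python
# Added illustration, not DEXX's code. HMAC-SHA256 stands in for hardware-wallet
# signatures; signer names, limits and amounts are made up for the example.
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    destination: str
    amount: float

    def canonical(self) -> bytes:  # deterministic bytes that every signer signs
        return json.dumps(self.__dict__, sort_keys=True).encode()


class Signer:  # one keyholder; in production the secret stays on a hardware device
    def __init__(self, name: str) -> None:
        self.name = name
        self._secret = secrets.token_bytes(32)

    def sign(self, req: TransferRequest) -> str:
        return hmac.new(self._secret, req.canonical(), hashlib.sha256).hexdigest()

    def verify(self, req: TransferRequest, sig: str) -> bool:
        return hmac.compare_digest(self.sign(req), sig)


@dataclass
class Treasury:
    signers: dict                 # name -> Signer
    threshold: int = 2            # M distinct keyholders out of N
    per_transfer_limit: float = 1_000.0
    approvals: dict = field(default_factory=dict)  # request_id -> set of names
    log: list = field(default_factory=list)

    def _record(self, event: str, **details) -> None:
        # Each entry commits to the previous hash, so edits or deletions show up.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": time.time(), "event": event, "prev": prev, **details}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def approve(self, req: TransferRequest, name: str, sig: str) -> bool:
        signer = self.signers.get(name)
        if signer is None or not signer.verify(req, sig):
            self._record("approval_rejected", request_id=req.request_id, signer=name)
            return False
        # A set, so the same key cannot count twice toward the threshold.
        self.approvals.setdefault(req.request_id, set()).add(name)
        self._record("approval", request_id=req.request_id, signer=name)
        return True

    def execute(self, req: TransferRequest) -> bool:
        who = sorted(self.approvals.get(req.request_id, set()))
        reasons = []
        if len(who) < self.threshold:
            reasons.append(f"{len(who)}/{self.threshold} approvals")
        if req.amount > self.per_transfer_limit:
            reasons.append("over per-transfer limit")
        if reasons:
            self._record("blocked", request_id=req.request_id, reasons=reasons, signers=who)
            return False
        self._record("executed", request_id=req.request_id, amount=req.amount,
                     destination=req.destination, signers=who)
        return True

    def verify_log(self) -> bool:  # recompute the chain; False if any entry was altered
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    ops, cfo, sec = Signer("ops"), Signer("cfo"), Signer("security")
    t = Treasury(signers={s.name: s for s in (ops, cfo, sec)})
    legit = TransferRequest("req-1", "addr_exchange_hot", 600.0)
    t.approve(legit, "ops", ops.sign(legit))
    t.approve(legit, "cfo", cfo.sign(legit))
    ok_legit = t.execute(legit)               # 2 of 3 valid signatures, within limit
    drain = TransferRequest("req-2", "addr_attacker", 900.0)
    t.approve(drain, "ops", ops.sign(drain))  # attacker holds only the leaked ops key
    t.approve(drain, "cfo", "00" * 32)        # forged second signature is rejected
    ok_drain = t.execute(drain)               # blocked: 1/2 approvals
    chain_before = t.verify_log()
    t.log[3]["signer"] = "security"           # later edit to hide the ops key's use
    flagged = [e for e in t.log if e["event"] in ("approval_rejected", "blocked")]
    return {"legit": ok_legit, "drain": ok_drain, "flagged": len(flagged),
            "chain_before": chain_before, "chain_after": t.verify_log()}
```

Running `demo()` shows the three properties together: a withdrawal with two valid signatures executes, an attacker holding one leaked key cannot reach the threshold even with a forged second signature, and an after-the-fact edit to the log breaks the hash chain. A real deployment would replace the HMAC stand-in with on-chain multisig or hardware-backed keys and route the `approval_rejected` and `blocked` events to monitoring and the incident response team.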
2. Compliance operations: actively embrace supervision and build market trust
With regulation of the global crypto market growing ever stricter, compliance is no longer optional for project owners but a condition of survival. Many Web3 projects register offshore to avoid legal risk, but experience shows that once user assets are lost or fraud occurs, this "offshore umbrella" does not genuinely shield project owners from liability.
Project parties planning for the long term should set up compliant entities in their major markets to ensure local operations are lawful. This enhances the project's credibility and materially reduces future legal risk. By proactively disclosing financial status, fund flows, user agreements and privacy policies, project parties can better earn users' trust.
On that compliance footing, the project party can consider establishing a user asset protection fund that compensates users promptly when the platform suffers theft or accidental loss. This is both a commitment to users and an expression of industry self-discipline, and such a mechanism reduces the crisis of trust after an incident.
3. Self-regulation of KOL promotion
For the KOLs and influencers who promote projects on social media, the DEXX incident is a practical reminder that some advertising fees cannot be earned simply by posting a tweet. To avoid becoming the target of users' anger, KOLs must take on more responsibility in their promotional activities.
Due diligence is a basic obligation: before accepting a promotion from a project owner, a KOL should at least investigate the project's background, technical strength and security measures. If a project shows obvious problems with fund security or compliance, decline it, however high the fee. Short-term gains do not make up for long-term loss of trust.
Risk warnings and disclaimers: in promotional content, KOLs should proactively inform followers of the investment risks rather than only selling the "high return, low risk" side. When promoting decentralized financial products in particular, a clear disclaimer reminding users to invest with caution is advisable; this protects the KOL legally and is the morally responsible thing to do for followers. As opinion leaders, KOLs hold their followers' trust. If a promoted project runs into trouble, the KOL should speak up at once rather than evade responsibility; transparent communication of this kind can effectively mitigate the damage.
Conclusion
The DEXX incident proves once again that decentralization is no "talisman". A project party that cannot get even basic security management right is playing with fire and will get burned. The hacker attack is the external factor; inadequate internal security management is the real problem. Treat user assets as a joke and you will be the one who suffers in the end.
And the KOLs who help recruit new users should not vouch for a project just for the advertising fee. The crypto circle is a small one, and a ruined reputation is hard to recover. After all, followers' money does not come from nowhere, and everyone keeps their own score.