Event Overview
On the morning of November 16, 2024, a major security incident occurred at the on-chain trading terminal DEXX, resulting in the theft of user assets worth up to $400 million. Multiple meme coins suffered selling pressure and experienced significant price declines as a result. The attackers used one-to-one transfers to evade tracking, and the recipient addresses have not yet been consolidated.
This attack affected multiple chains, not only impacting DEXX platform users' assets, but also having a widespread impact on the entire meme community, further highlighting the contradiction between the functionality and security of decentralized platforms, and revealing serious problems in user asset management.
DEXX is a cross-chain trading platform focused on memecoins, supporting the trading of assets on SOL, ETH, TRX, BASE, BSC and other chains, and providing on-chain mobile take-profit and stop-loss, hot spot push, and copy trading functions. Compared with mature cross-chain trading platforms such as Banana Gun and UniBot, DEXX's differentiator is its smoothness, which even earned it the title of the "on-chain Binance". This incident, however, has exposed that in pursuit of functional innovation DEXX neglected to build rigorous security mechanisms, and this emphasis on functionality over security laid the groundwork for the current theft of user assets.
Security Vulnerability Analysis
According to the investigation by SlowMist founder Yu Chen, the main reason for the DEXX incident is improper private key management. User private keys were stored in plain text on the official server, and the transmission process lacked sufficient encryption protection. This means that attackers may have intercepted user private keys in transit, thereby gaining control of the associated assets. This private key management method clearly does not meet the industry's basic requirements for decentralized security and has been criticized as "equivalent to custody", greatly increasing the risk of user asset theft.
In addition, the DEXX platform's App was found to repeatedly request user clipboard permissions. If users had previously copied private keys or seed phrases to the clipboard, this information was highly likely to have been inadvertently transmitted to the platform, increasing the risk of sensitive information leakage. For users, the leakage of such private data will undoubtedly pose a serious threat to asset security, and this neglect of user information protection is worrying.
Moreover, some users have reported that the platform had already been transferring small amounts of tokens without authorization several months ago. Because the amounts were small, many users paid no attention until this large-scale theft made them aware of the potential problems. Additionally, a few days before the incident, some users found that their accounts were restricted from withdrawing and that certain specific tokens could not be withdrawn successfully. These phenomena may now be seen as signs of premeditated criminal acts.
DEXX's security audit was completed by CertiK, but the score was only 59.31, with 9 risks identified, and the major risk of "centralized management" was not resolved. This incident was precisely due to the improper management of the official private keys, leading to the leakage of private keys and ultimately resulting in the theft of user funds. Although CertiK's audit report warned of the existing risks, the project team failed to thoroughly resolve these issues, ultimately leading to this incident. The improper storage of user private keys and the lack of protective measures for private keys have become the core causes of this incident.
According to feedback from community users, in this attack the hackers batch-created new wallets and moved the stolen assets to them one-to-one, clearly to maximize the difficulty of tracking. The hackers were not only very cautious in their financial operations but also chose the attack time carefully: they launched the attack between 4 and 5 am, when Chinese users were asleep. This indicates that the hackers had a very good understanding of the platform's user base and the daily rhythm of the target users, and they were most likely Chinese. However, DEXX officially issued only an English announcement after the incident, seemingly intending to lead users to believe that the hackers were foreign forces, and this ambiguous stance has further deepened users' doubts.
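The one-to-one dispersal described above leaves a recognizable shape in transfer records: within a short window, many wallets each send to a recipient that has never appeared before and is funded by no one else. The following added example (not code from DEXX or from any investigator; the record layout, addresses, amounts and thresholds are assumptions constructed for illustration) flags such a burst.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real chain data: (time, sender, recipient, usd_value)
T = datetime(2024, 11, 16, 4, 0)
TRANSFERS = [
    (T - timedelta(days=2), "userA", "cex_deposit", 500),
    (T - timedelta(days=1), "userB", "cex_deposit", 900),   # recipient shared by two senders
    (T - timedelta(hours=5), "userC", "userA", 50),         # recipient already known
    (T + timedelta(minutes=2), "userA", "new1", 12000),
    (T + timedelta(minutes=3), "userB", "new2", 8000),
    (T + timedelta(minutes=9), "userC", "new3", 30000),
    (T + timedelta(minutes=20), "userD", "new4", 4000),
    (T + timedelta(hours=9), "userE", "new5", 100),         # isolated, outside the burst
]

def one_to_one_candidates(transfers):
    """Transfers whose recipient is first seen here and has exactly one funding sender."""
    ordered = sorted(transfers, key=lambda t: t[0])
    funders = {}
    for _, sender, recipient, _ in ordered:
        funders.setdefault(recipient, set()).add(sender)
    seen, out = set(), []
    for tx in ordered:
        _, sender, recipient, _ = tx
        if recipient not in seen and len(funders[recipient]) == 1:
            out.append(tx)
        seen.update((sender, recipient))
    return out

def find_dispersal_burst(transfers, window=timedelta(hours=1), min_senders=3):
    """Return the largest group of one-to-one transfers inside `window`, or [] if too small."""
    cands = one_to_one_candidates(transfers)
    best, start = [], 0
    for end in range(len(cands)):
        # Slide the window start forward until the group fits inside `window`.
        while cands[end][0] - cands[start][0] > window:
            start += 1
        group = cands[start:end + 1]
        if len({tx[1] for tx in group}) > len({tx[1] for tx in best}):
            best = group
    return best if len({tx[1] for tx in best}) >= min_senders else []

def burst_value(burst):
    """Total USD value moved in the flagged burst."""
    return sum(tx[3] for tx in burst)

if __name__ == "__main__":
    burst = find_dispersal_burst(TRANSFERS)
    print(len(burst), "transfers flagged, total USD", burst_value(burst))
```

On real data the window and sender threshold need tuning against normal onboarding traffic, since new users legitimately fund fresh wallets.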
Official Response
On the morning of the incident, DEXX founder Roy stated on social media that they would compensate users for their losses, and isolated the assets of some users. However, Roy did not disclose the specific isolated accounts, and the community did not buy it. Many users suspect that DEXX is embezzling or even deliberately running away, with curses and abuse echoing through the community.
Public information shows that the services of dexx.ai are provided by the following entities:
- DEXX LTD, a company registered in Colorado, USA, operating under the DEXX brand, applicable to residents within the approved operating locations in the USA;
- DEXX Bahamas Limited, a company registered in the Bahamas, applicable to Mexican resident users, and institutional users registered after August 29, 2023;
- DEXX SG Ltd., a company registered in Singapore, applicable to registered Singapore resident users;
- DEXX Ltd., a company registered in the Marshall Islands, applicable to all other eligible users to access and use the DEXX services;
- 株式会社DEXX, a company registered in Tokyo, Japan, applicable to registered Japanese resident users;
- DEXX Ltd, a company registered in the Hong Kong Special Administrative Region, applicable to registered Hong Kong resident users.
Facing a loss of $400 million, the DEXX team's solvency is questionable. The latest official update says the team has made some progress and asks users to leave their wallet addresses and tag (@) the official SOL account to apply pressure and get more help.
Community Cursing, KOLs Quickly Distancing Themselves
Immediately after the theft, the community came together to start self-help. A "Dexx Theft Customer Loss Statistics Table" circulated in various rights protection groups, and many on-chain analysts and security teams analyzed the hackers' modus operandi, preliminarily concluding that the amount involved was $460 million and that the hackers had batch-created receiving addresses and used one-to-one transfers to increase the difficulty of tracking. Since then, social media and Telegram groups have been filled with curses, and mainstream public opinion currently holds that this incident is a case of embezzlement.
In addition, multiple meme coins experienced significant price declines due to large-scale sell-offs, with LUCE and PNUT seeing maximum declines of 41% and 34% respectively over the weekend. The stolen assets are like the Sword of Damocles hanging over the market, and especially for MEME, these funds could be sold at any time, leading to further price crashes.
DEXX's rapid rise could not have been achieved without the strong promotion of KOLs. To acquire users, DEXX offered commissions as high as 50%-60% of the trading fees, attracting many KOLs to stand up and endorse the platform. An insider revealed that the top KOLs were earning monthly commissions as high as $40,000, and driven by these interests, many KOLs would even use aggressive language in their private domain communities to urge people to use DEXX: "Use it even if it's difficult, use it even if it's good, create conditions to use it if you don't have them." To some extent, this viral marketing actually foreshadowed the subsequent tragedy.
However, as soon as the incident broke out, these KOLs immediately distanced themselves, even deleting all their previous promotional content. According to user statistics, about 30 or more KOLs participated in DEXX's promotion, but fewer than 5 faced the mistake directly without deleting their tweets; the rest either played dead or appealed for sympathy, citing depression.
This incident once again proves that as long as there is the lure of high returns, platforms and promoters are easily blinded and neglect the risks, and in the end it is the ordinary users who suffer. With regulation not yet in place, KOLs and platforms should take more responsibility. They can't just think about promoting products and making money; they also need to ensure the safety of users' wallets and the stability of platform operations.
Security Recommendations
The DEXX theft incident has sounded the alarm for on-chain operations and asset management. In the MEME field in particular, users often ignore platform security in pursuit of short-term high returns. To avoid "going back to the liberation era", here are some security recommendations:
- Treat recommendations with caution: Thoroughly research the security mechanisms of products, and prioritize tools that do not store private keys on servers. Be wary of high-yield promises and avoid falling into marketing traps.
- Choose an experienced platform: Use tools and BOTs with a long operating history, a strong team, and no record of security incidents. Verify the platform's past performance and user feedback to reduce risks.
- Prevent phishing attacks: In Telegram groups, do not click on unfamiliar links or respond to private messages. Many phishing attacks are carried out through social media, so maintaining vigilance and questioning the source of information is key to protecting your assets.
- Self-custody of assets: After large transactions, promptly transfer your assets to a self-custody wallet. This effectively avoids the security risks posed by third-party platforms and is the best choice for safeguarding your funds.
Furthermore, when selecting a trading platform, focus on its security audit results and private key management methods. All projects involving financial management require strict security measures to ensure that users' digital assets are not lost due to platform mismanagement.
Conclusion
The recent DEXX incident has once again revealed the high-risk nature of on-chain transactions and raised profound questions about decentralized custody. Users must be aware of the importance of "Not Your Keys, Not Your Money" and carefully choose trading platforms and asset management methods to better protect their digital assets. As the security investigation progresses, it is hoped that the root cause can be quickly identified, and appropriate compensation can be provided to the victims.
While the crypto world is full of opportunities, it also carries enormous risks. Every trader needs to be more vigilant and not ignore potential dangers for the sake of short-term gains. Platforms and KOLs should also assume corresponding responsibilities while pursuing their interests, as user trust is the most valuable asset. Without proper security guarantees, the so-called prosperity is nothing more than a bubble. It is hoped that in the future crypto world, platforms, KOLs, and users can work together to build a safer and more transparent environment, truly realizing the ideal of decentralization.