"On-chain Binance" DEXX has caused a stir in the Chinese MEME community.

17 hours ago

Plaintext private keys and mnemonic phrases read from the clipboard: was it a fake rug or a real theft?

Written by: Tuo Luo Finance

The first "theft" of the bull market has arrived.

Recently in the crypto market, aside from Bitcoin, MEME has undoubtedly been the biggest winner. The hype around AI, Politifi, and Desci has been relentless, and driven by both trends and emotions, phenomenon-level MEMEs like GOAT, PUNT, and BAN have revived the dream of hundredfold returns, making the hunt for "golden dogs" a daily ritual for MEME enthusiasts.

The scale of the casino is beginning to show, and the market tools built around MEME are multiplying. Today's protagonist, DEXX, is one of the on-chain trading terminals that has been active in the MEME market recently.

In the early hours of November 16, DEXX was attacked and multiple users' tokens were transferred out, with losses amounting to as much as $20 million. Initially thought to be just an ordinary hacker attack, more information surfaced as the community continued to investigate, revealing outrageous practices such as private keys stored in plaintext and mnemonic phrases being read from the clipboard, and the boss even seemed to have a history of rug pulls.

Is it a lack of prevention or a self-directed performance? Is it a fake rug or a real theft? DEXX has once again cast a shadow over the Chinese MEME community.

According to official information, DEXX is a full-chain trading platform focused on Memecoins, supporting multi-chain asset trading including SOL, ETH, TRX, BASE, and BSC, and providing features such as on-chain trailing stop-loss and take-profit, hot-topic push notifications, and copy trading. In short, the core function of DEXX lies in on-chain aggregation, with user experience being key. In its early promotions, it often marketed itself as "on-chain Binance." According to insiders, the platform's daily trading volume exceeds $50 million, with daily profits exceeding $300,000. Although it is not as well known as mature platforms like Banana Gun and Unibot, it has clearly taken shape and holds a certain influence in the MEME circle.

However, on November 16, the newly famous DEXX dealt a heavy blow to the MEME market. In the early hours of that day, DEXX was attacked, and many users found their account tokens missing. MEMEs like Banana and LUCE were significantly affected, with LUCE dropping over 41%. Panic spread through the community, leading to widespread discussions on public platforms. At that time, rumors were rampant in the market: a victims' rights-protection group quickly grew to 3,000 members, over 9,000 transactions were reported as stolen, and rumors suggested the amount involved exceeded $500 million.

However, subsequent investigations showed that the asset losses did not reach that level. According to Slow Mist's statistics, 821 users reported thefts, with total losses approaching $20 million, including one user losing over $1 million, two users in the $500,000 to $1 million range, and 28 users in the $100,000 to $500,000 range. At the time of writing, the hacker has not stopped, and the volume of transferred assets continues to grow.

On the day of the incident, DEXX quickly responded, stating there was no rug pull and that they were fully investigating the issue. Its founder Roy (@honza204) also followed up with a response saying, "We will compensate, isolated some users, there is no rug, we are investigating, and cannot reply to everyone, please rest assured."

Despite repeated statements that there was no rug pull, the battle-hardened community was clearly skeptical. Subsequent preliminary investigations by Slow Mist and Bit Jungle further intensified the suspicion of a rug pull by the platform. Investigations revealed that DEXX had significant security issues: despite presenting itself as a non-custodial platform, it stored user private keys on its own servers, and when users exported their private keys it applied no encryption at all, so the keys were exposed in plaintext in transit.

Beyond plaintext transmission being a major taboo, the clipboard permission handling was also highly unreasonable. DEXX was found to repeatedly request users' clipboard permissions, and if a user had previously copied a private key or mnemonic phrase to the clipboard, that information could easily be sent to the platform without the user intending it, increasing the risk of sensitive information leakage.
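The two findings above share one lesson: key material must be recognized and stopped before anything leaves the user's device. The following is an added example, not DEXX's code or any project's, of a client-side gate that classifies a string (a form field, a clipboard read) as a hex private key, a Solana keypair in base58 or CLI JSON form, or a BIP39-shaped mnemonic and refuses to upload it. The mnemonic test is structural unless a BIP39 wordlist is passed; all sample values in the test are constructed.

```python
import json
import re

# Constructed regexes for the key formats named in the article: 32-byte hex keys
# (ETH/TRX style, optional 0x prefix) and Solana 64-byte keypairs encoded in base58.
HEX_KEY_RE = re.compile(r"(?:0x)?[0-9a-fA-F]{64}")
BASE58_KEYPAIR_RE = re.compile(r"[1-9A-HJ-NP-Za-km-z]{87,88}")
# Valid BIP39 phrase lengths.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def classify_secret(text, wordlist=None):
    """Return a label for key material found in `text`, or None if it looks harmless.

    `wordlist` is an optional set of BIP39 words. Without it the mnemonic check is
    structural only (word count plus ASCII letters), so treat that path as a heuristic
    that errs toward blocking; the checksum is deliberately not validated here.
    """
    candidate = text.strip()
    if HEX_KEY_RE.fullmatch(candidate):
        return "hex-private-key"
    if BASE58_KEYPAIR_RE.fullmatch(candidate):
        return "solana-base58-keypair"
    # Solana CLI keyfiles (id.json) are a JSON array of the 64 raw keypair bytes.
    if candidate.startswith("["):
        try:
            raw = json.loads(candidate)
        except ValueError:
            raw = None
        if (isinstance(raw, list) and len(raw) == 64
                and all(isinstance(b, int) and 0 <= b <= 255 for b in raw)):
            return "solana-json-keypair"
    words = candidate.lower().split()
    if len(words) in MNEMONIC_LENGTHS and all(w.isascii() and w.isalpha() for w in words):
        if wordlist is None or all(w in wordlist for w in words):
            return "bip39-mnemonic"
    return None


def guard_upload(payload, wordlist=None):
    """Gate for anything a client is about to send upstream (form field, clipboard
    read, telemetry). Returns (allowed, reason); the caller drops blocked payloads."""
    label = classify_secret(payload, wordlist)
    if label:
        return False, "blocked: payload looks like " + label
    return True, "ok"
```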

As for the attack method, there were no signs of intrusion on the DEXX front end; instead, the private keys were downloaded from a remote server, which made the theft straightforward. The hacker had clearly premeditated this, not only choosing a relatively vulnerable time in the early morning but also creating a fresh wallet for each victim in bulk to receive the stolen assets after the attack, maximizing resistance to tracing.

It promoted itself as a full-chain trading platform, yet in reality it was more centralized than a centralized exchange, openly storing private keys in plaintext and allowing mnemonic phrases to be lifted from the clipboard. Such obvious security risks were ignored by the platform until the so-called "hacker" struck; could this hacker not be the platform itself?

After the news broke, the market was in an uproar, with the community denouncing the platform, and theories of self-theft and running away with funds continued to ferment. The market spontaneously began tracking DEXX, and more details emerged.

Although the registration information shows that DEXX's corporate structure is quite dispersed, with companies registered in the United States, the Bahamas, Singapore, Tokyo, Hong Kong, and the Marshall Islands, the company's actual operating location is in Hangzhou's West Lake District, under the name Hangzhou Orange Island Technology Co., Ltd.

Under the scrutiny of netizens, the founder's information was thoroughly disclosed. The founder's real name is known to be Lou Yulinfeng, a 30-year-old from Jinhua, Zhejiang, who is rumored to have previously engaged in online gambling. According to crypto intelligence sources, this so-called "big picture" boss reportedly only has a middle school education. Some netizens even disclosed his location on social media, claiming he is currently in Thailand. Furthermore, it was mentioned that Lou had a prior history of soft rug pulls, with a project he participated in, Opendao, cited as a precedent. Coincidentally, the day before the theft, Roy posted "Having money is great," which further fueled various conspiracy theories.

The rug pull narrative is fermenting and market anger is rising, dragging in the KOLs who previously promoted the platform. In fact, DEXX's main promotional method was to collaborate with well-known KOLs through commission kickbacks, leveraging their influence to gain traffic. This method is quite common in the crypto space, but it is worth noting that compared to other platforms, DEXX's commission rate was exceptionally high, reaching as much as 50%-60% of transaction fees. In communications between official personnel and KOLs, it was mentioned that top KOLs could earn over $40,000 from commissions alone.

Under the temptation of profit, many KOLs participated, especially Chinese KOLs, with over 25 well-known KOLs such as Youmin, Dayu, Hongshen, and Shapolang promoting DEXX. Some KOLs even engaged in unrestrained promotion within their private communities, which is why many of the victims are users from the Chinese community. After the incident, the market launched a series of criticisms against these KOLs, accusing them of abusing their influence, failing to disclose information, and fleecing users. The KOLs' responses to these accusations varied.

Immediate disassociation was the predictable move. Some KOLs directly deleted their previous promotional content to erase the market's memory; more cautious KOLs, with an eye on long-term profitability, apologized and offered some compensation, but this group is small, numbering in the single digits; the vast majority of KOLs seem to plan to lie low and wait for the storm to pass.

Of course, accountability is secondary; the urgent task is to recover the stolen assets. Although Roy claimed he would fully compensate users, whether he can produce enough funds remains to be seen. If the incident was self-directed, recovery can be pursued through legal means, but if it was indeed a hacker intrusion, rights protection becomes even more remote on an on-chain exchange where identities are uncertain.

According to lawyers Guo Zhihao and Shao Shiwei, DEXX, as a project operated by domestic institutions, is equivalent to engaging in virtual currency-related business activities domestically, which should be deemed illegal financial activity, with shutdown and an order to cease operations as the minimum outcome. Regarding this incident specifically, if the platform was indeed hacked, it illegally collected user private keys, potentially constituting the crime of infringing on citizens' personal information; if the platform staged the incident, it could likely be classified as the more serious crime of fraud, with penalties depending on the amount involved, potentially up to life imprisonment. KOLs who hope to stay hidden may also find it difficult to escape responsibility, as they are suspected of earning platform commissions through information networks, which could amount to illegal use of information networks and carry a degree of joint liability. Although the probability of this charge being filed is low, the threshold for conviction is extremely low, and if users persist in pursuing it, it is not impossible for KOLs to face consequences.

Yesterday, DEXX posted a letter to the hacker on the X platform, stating that it has received strong support from security agencies, partners, and exchanges to locate the stolen tokens, and is continuously monitoring the hacker's addresses so the stolen funds can be frozen promptly. It demanded that the incident be resolved within the next 24 hours, failing which it will continue to cooperate with local police, security agencies, and exchanges to investigate and take law enforcement action to protect user assets, no matter how long it takes. The platform stated that it is flagging the hacker's addresses and requesting assistance from the Solana Foundation, and that once flagged, the hacker will be unable to deposit to exchanges or convert to fiat currency by any means.

The founder also reiterated that he is not missing, stating, "Due to special reasons, we cannot synchronize our current situation. Please give us some more time to handle this satisfactorily. The team will synchronize some information and plans in the next few days; it is not a matter of being missing or not."

Theft is not uncommon in the crypto industry; DEXX is not the first, and it certainly will not be the last. Essentially, there is no such thing as an absolutely secure custodial or non-custodial wallet. Apart from increasing transparency through open-source on-chain contracts, users can only rely on stronger backgrounds and more substantial funding; otherwise, relying solely on transferred trust and external audits does not eliminate the possibility of significant risk. Take DEXX as an example: the platform was audited by CertiK, but CertiK's final response to this incident was that it occurred on the Solana chain, which the audit did not cover.

Returning to users themselves, the need to raise security awareness is urgent. Besides not trusting anyone's promotions, when funds are involved one should prioritize platforms with robust security mechanisms and sufficient backing. In terms of asset security management, assets should be diversified, and operations should ideally be conducted on completely independent devices. It is recommended to use decentralized authentication rather than optimizing for convenience, to refrain from enabling password-free and biometric authentication, to be cautious with plugins, and to store large holdings in hardware wallets. Users should remember that security comes first in every operation; otherwise, the first pot of gold earned in a bull market may simply become someone else's.

On the other hand, if it is indeed a platform rug pull, the founder may not be able to rest easy even if he runs: he is already exposed and may be sitting on over a hundred million, leaving him no safe place to hide, wherever he goes.
