DEXX Web Wallet Private Key Leakage
DEXX offered a web wallet with enhanced security. "Our development team has years of on-chain experience, employing multi-layer encryption and ensuring private keys never touch the servers. Combined with top-tier auditing and security teams, DEXX keeps your assets safe." Despite all these promises, users found their assets suddenly disappearing from their wallets starting on November 15th, 2024. Overall, around $21m+ in assets were taken. The team behind the wallet reached out to SlowMist and law enforcement for assistance in tracking down the stolen funds, and appears to have made progress in identifying a suspect. They have launched a compensation portal for users through their application.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About DEXX Wallet
"DEXX is a multi-platform on-chain tool that lets users manage funds, perform multi-strategy trading, and track token market data. It’s designed to give on-chain users a faster, more convenient, and all-in-one trading experience."
"DEXX tackles the common issues found in Telegram bots and DEX platforms today, such as low security, complicated interfaces, and limited functionality. As a next-generation token trading tool, DEXX integrates these features and innovates on them, making it easier for beginners to seamlessly enter the on-chain world."
"With DEXX, it takes just three seconds to go from seeing market data to executing a trade. You can trade any token on chains like ETH, SOL, TRX, BAS, BSC, SUI, or TON anytime, anywhere.
User-Friendly: Unlike other tools with complex interfaces, DEXX offers a simple and intuitive layout similar to traditional CEX platforms, making it easy for new users to navigate. Features like Mev protection, copy trading, liquidation, auto slippage, and quick mode switching ensure effortless trading — no need for complex setups, just one-click solutions.
Fast Trading: Speed matters for on-chain traders. DEXX eliminates unnecessary steps, streamlining the entire trading process to be fast and smooth. With global node broadcasting and 3rd-party transaction acceleration services, trades can be completed in as soon as 3 seconds, even when mev protection is enabled.
Real-Time Data: DEXX is equipped with global nodes to provide the most up-to-date trading info like liquidity, market cap, trading volume, holder count, and contract risk monitoring. This saves you time gathering data and helps you avoid honeypot scams. Additionally, DEXX sends real-time push for smart money moves, token fluctuations, your watchlist changes, and price notifications, keeping you informed at all times.
Fund Security: Our development team has years of on-chain experience, employing multi-layer encryption and ensuring private keys never touch the servers. Combined with top-tier auditing and security teams, DEXX keeps your assets safe. Unlike many Telegram bots, DEXX uses its own trading system with 2FA authentication, reducing the risk of phishing or account bans, and keeping your funds secure."
What Happened
"The funds of multiple users of the on-chain trading terminal DEXX have been stolen. According to statistics from the SlowMist Security Team, the total losses from this incident have reached $21 million."
| Date | Event | Description |
|---|---|---|
| November 14th, 2024 1:38:00 AM MST | Last Non-Hack Post | The last post from DEXX prior to the hack about the TGE token. |
| November 15th, 2024 2:31:00 PM MST | User Reports Theft | One user of the DEXX wallet named "113_hope" reports a large theft of funds. |
| November 15th, 2024 4:59:00 PM MST | MistTrack Tweet Posted | MistTrack invites users to report on their losses to them by sharing their wallet address. |
| November 18th, 2024 4:15:00 AM MST | MistTrack Tweet Posted | MistTrack shares a tweet with their total losses being reported at $21m USD. |
| November 19th, 2024 6:52:00 AM MST | Official Announcement Made | DEXX posts an official announcement acknowledging the attack and that they are working with SlowMist on fund recovery. They pledge to return whatever funds are recovered to the community. |
| November 23rd, 2024 7:24:00 AM MST | Message Posted To Hacker | A message is publicly posted to the hacker, requesting that they return the funds and offering a generous bounty and immunity from further pursuit if they comply. |
| December 6th, 2024 12:08:00 AM MST | Latest Update On Case | In the latest update, the DEXX team highlights improved security going forward and progress in tracking down the hacker. |
| December 14th, 2024 7:06:00 AM MST | Compensation Portal Live | A compensation portal is announced in the application and users are requested to upgrade to the latest version. |
Total Amount Lost
"We’ve received 1100+ reports of stolen funds from the community. After removing duplicates, over 900 unique victims have been identified, with total losses estimated at $21 million (subject to price fluctuations)."
"Breakdown of Losses (so far):
- > $1M: 1 victim
- $500K–$1M: 2 victims
- $100K–$500K: 33 victims
- $10K–$100K: 292 victims
- < $10K: 656 victims"
The total amount lost has been estimated at $21,000,000 USD.
Immediate Reactions
"DEXX has officially filed a case, and @SlowMist_Team has been actively assisting law enforcement in the subsequent investigation.
At the same time, DEXX is actively discussing a compensation plan. Regarding compensation, the platform hereby makes the following solemn statement: 1. If all assets are recovered, DEXX will immediately provide full compensation to ensure users’ interests are not affected. 2. If only a portion of the assets can be recovered, the platform will still fulfill its responsibility for compensation. The specific compensation plan will depend on the amount recovered.
DEXX is currently mobilizing all resources and efforts to recover the stolen assets and resolve the issue as quickly as possible. We sincerely appreciate our users’ understanding!"
Ultimate Outcome
"Mr./Ms. Hacker,"
"We have received strong support from security agencies, partners and exchanges to locate our stolen token. We are also monitoring your addresses to freeze the stolen funds in a timely manner. We ask that you resolve this incident within the next 24 hours. This will prevent us from taking any further action.
We ask that you communicate with us via email at team@dexx.ai or current evm address, and return the stolen funds. As a token of our appreciation, we will offer you a generous bug bounty and a generous token gift (We can negotiate the specific ratio).
Once you have returned the funds, we will immediately destroy all information we currently have about the hack. We will also stop all follow-up tracking and analysis. You will no longer be held responsible. However, if you do not comply, we will continue our investigation with the local police, security agencies and the exchanges to take enforcement action to protect user assets, however long that takes."
"Due to a hacker attack on the platform, please do not deposit any cryptocurrencies into the platform for trading until the issue is resolved to prevent further asset losses. Data interfaces such as K-line charts and smart money rankings are still functioning normally."
"We deeply apologize for the security breach that resulted in losses to user assets. Since the incident occurred, DEXX has been working closely with security teams and law enforcement agencies to investigate, trace the hackers, and track on-chain activities in an effort to minimize losses for affected users. Below is an update on the progress of the investigation and the subsequent response plan."
"
- November 16: Between 4–5 AM, the hack was detected. Internal reviews were initiated, and a security firm was contacted.
- November 17: Salus Security team commenced emergency analysis of the attack path and identified initial evidence of the server intrusion. DEXX relayed information to domestic law enforcement, requesting case registration.
- November 18: The attack path analysis was completed, and preliminary evidence and estimated losses were submitted to domestic and international law enforcement. Multiple security teams helped identify hacker-controlled wallets.
- November 19: Domestic law enforcement officially opened a case. SlowMist joined the investigation, assisting with evidence collection alongside the police.
- November 20–23:
  - SlowMist compiled affected wallet addresses and examined key evidence.
  - Internal personnel checks were conducted, with no anomalies found.
  - Security enhancements and DEXX relaunch preparations began.
- November 24–30: Partial identification of stolen assets and addresses was achieved. SlowMist provided an on-chain investigative report to inform the compensation plan. Evidence such as server IP addresses and user agents (UAs) tied to the hacker’s activities was submitted to law enforcement.
- December 1–4: Law enforcement conducted further investigations of suspects. Simultaneously, the platform finalized the compensation plan and continued security optimizations.
- December 6: Partial security upgrades were completed. High-risk user wallet functions are undergoing testing, with wallet module adjustments in progress.
"
Total Amount Recovered
"After upgrading to the latest version, you can find the Compensation on your profile page to confirm your affected tokens. If you have any questions about the data, please contact our customer service. We will record your query, manually verify and update the data."
The total amount recovered is unknown.
Ongoing Developments
"Comprehensive security fortifications have been implemented, including but not limited to web applications, source code, internal servers, encryption protocols, zero-trust architecture, bastion hosts, and weak password policies."
"Our collaborative investigation with security teams and law enforcement identified two critical IP addresses and user agents (UAs) linked to the hacker. In a recent inquiry, a suspect was found using a device with matching UAs and VPN-related IPs. A Monero mnemonic phrase was also discovered. Although technical forensics have identified a significant suspect, definitive evidence remains lacking. The investigation continues, and updates will be shared as they become available.
We acknowledge the significant impact this incident has had on our users and apologize for the delay in updates. The sensitivity of the investigation, involving cross-jurisdictional approval processes, and the need to avoid alerting suspects have required discretion. Rest assured, DEXX is fully committed to collaborating with law enforcement and security teams to track the hackers and enhance our security framework, ensuring the safety of user assets.
Thank you for your understanding and continued support."
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. @MistTrack_io Twitter (Accessed Jan 3, 2025)
2. @MistTrack_io Twitter (Accessed Jan 3, 2025)
3. Case Assessment - MistTrack Tracking Service Information Registration Form — SlowMist AML — SlowMist Technology Anti-Money Laundering (AML) System, On-Chain Tracking and Malicious Address Library (Accessed Jan 3, 2025)
4. DEXX Degen Everyday — Following smart money wallet address and KOL degen call to earn (Accessed Jan 3, 2025)
5. Welcome to DEXX | DEXX Tutorial Book (Accessed Jan 3, 2025)
6. @DEXXai_EN Twitter (Accessed Jan 3, 2025)
7. @DEXXai_EN Twitter (Accessed Jan 3, 2025)
8. @DEXXai_EN Twitter (Accessed Jan 3, 2025)
9. @DEXXai_EN Twitter (Accessed Jan 3, 2025)
10. @DEXXai_EN Twitter (Accessed Jan 3, 2025)
11. DEXX Exposed: The Importance of True Decentralized Wallets – ELLIPAL, https://www.ellipal.com/blogs/news/dexx-exposed-the-importance-of-true-decentralized-wallets (Accessed Jan 3, 2025)
12. https://www.binance.com/en/square/post/12-04-2024-dexx-hack-wallet-addresses-of-victims-and-attackers-revealed-17098864242418 (Accessed Jan 3, 2025)
13. @zw6677737 Twitter (Accessed Jan 3, 2025)
14. https://explorer.solana.com/tx/4735JMnscDzVHhJiTNybWtBvyxFDkUmenY7jC2NCvh64sEZwiDJATSHe7JTX3p4UHjJ6TuqJExkNbtRENJt2zqMi (Accessed Jan 3, 2025)
15. Transaction History | MgVCkquxGysJty7s2U3GYDmRzzNy6MjGP64T9xkZvVw | Solana (Accessed Jan 3, 2025)