Analysis of High-Risk Operating Models in Web3 Projects

In the Web3 space, some projects adopt operational models that appear compliant but actually carry high risks. These models attempt to reduce regulatory traceability by obscuring responsibility boundaries, but may in fact become blind spots of regulatory focus. This article will analyze three typical high-risk operational structures and provide real case studies to help readers identify these potential structural traps.

Risks of the "Outsourcing" Model

Many Web3 projects tend to outsource core functions such as contract development, front-end maintenance, and marketing promotion to third parties, hoping to weaken their own operational attributes. However, regulators are concerned with the actual decision-makers and beneficiaries, rather than the superficial contract signers.

If regulators find that so-called third-party service providers have interests tied to the project team, directive control, or personnel overlap, even with independent contracts, they may be regarded as an extension of the project entity's operating unit. In this case, all relevant actions may be attributed to the project entity.

In 2022, the U.S. Securities and Exchange Commission (SEC) pointed out during its lawsuit against Dragonchain that although the project established multiple legal entities and outsourced some operational work, the SEC's investigation found that all key decisions were still controlled by Dragonchain's parent company, thus the outsourcing structure did not achieve liability separation.

The Hong Kong Securities and Futures Commission has also made it clear when handling compliance investigations of certain virtual asset service providers that if the core operational and technical decisions are still controlled by the same actual controller, even if the business is executed by a "service provider," it will not be considered as independent operation. This kind of "formal separation" arrangement may instead be regarded as negative evidence of intentionally evading regulatory obligations.

The Risks of the "Multiple Registrations + Distributed Nodes" Model

Some Web3 projects choose to register shell companies in countries with more relaxed regulations while claiming global node deployment, attempting to create the impression of decentralization with "no single control center." However, in reality, most of these structures still exhibit highly centralized control, with decision-making power concentrated in the hands of a few core members, funding flow dominated by a single entity or individual, and key code update permissions held within one address.

Regulators are strengthening the identification of this "structural decentralization with centralized control" arrangement. In the face of legal disputes or cross-border investigations, regulators prioritize tracing the "actual controller's location" and the "key activity's location" to establish jurisdiction. The technical deployment of distributed nodes cannot obscure the substance of the operations.

A legal case in 2024 indicates that as long as US users purchase cryptocurrency tokens through a certain platform, and the trading system infrastructure is located in the United States, US laws are applicable, even if the platform claims not to have any US entities. This shows that regulators do not recognize the claim of "statelessness"; as long as the users are connected to the engineering actions and the controlling entities, they may be subject to regulatory scrutiny.

The Monetary Authority of Singapore (MAS) and the Hong Kong Securities and Futures Commission are also strengthening relevant requirements, demanding the disclosure of "actual place of management" and "the actual residence of key management personnel", and emphasizing that an overseas registration structure cannot prevent local regulatory authority from tracing back to the controllers.

"On-chain publishing" does not equal "no operation"

Some technical teams believe that once a smart contract is deployed, the project becomes decoupled from it. They view code on the blockchain as "decentralized delivery," attempting to achieve a separation of legal responsibilities through technology. However, regulators do not accept this notion of "technology as a safeguard against liability."

On-chain is just a form, while off-chain is the behavior. Who initiated the marketing? Who organized the deployment? Who actually controls the circulation path? These factors are the core of regulatory judgment regarding responsibility attribution. Regulation will not determine a project to be decentralized merely because there is no administrator for the code and the contract can be called arbitrarily. If the project party is still promoting the token, setting trading incentives, maintaining official communities, collaborating with opinion leaders for distribution, or accepting early financing, their operational identity cannot be erased.

In 2024, in a collective lawsuit by investors against a certain platform, despite the platform claiming that "on-chain contracts are public," the complaint explicitly pointed out that "marketing activities and opinion leader promotions are the core drivers of trading." This indicates that regulators are not only focusing on the code but are also emphasizing scrutiny on who is operating off-chain.

In February 2025, the SEC reiterated that even "entertainment-type" tokens cannot be labeled as "exempt"; as long as there is an expectation of wealth appreciation or marketing intervention, they must still be judged according to relevant tests. Global regulation is moving towards consensus, reinforcing a "behavior-oriented" judgment logic, and listing off-chain promotion and distribution paths as key review items.

Conclusion

In recent years, regulatory logic has become increasingly clear, focusing not just on what structure a project has built, but on how it operates and who benefits from it. What Web3 projects truly need is not a complex stacking of structures, but a clear definition of responsibilities and control boundaries. Rather than attempting to obscure risks through "structural games", it is better to establish a compliant framework that possesses resilience and interpretability from the outset.