Sui public chain distributed storage Walrus is online! Filecoin's past rings the alarm bell for compliance

Authors: Liu Honglin, Mao Jiehao

Beyond Filecoin? New storage protocol Walrus released

On March 27, 2025, the mainnet of Walrus, a decentralized storage protocol of Sui public chain, was launched. Mysten Labs made another move after Sui network and DeepBook, this time aiming at the storage track of Web3. Built on Sui blockchain, Walrus is trying to optimize and improve existing storage solutions in terms of storage cost efficiency, programmability, data access and deletion. It not only wants to be the storage layer of Sui network, but also aims to become the leading protocol of Web3 decentralized storage.

According to the 2020 Cost of Data Breach Report released by IBM, there were approximately 99,730 data breaches worldwide that year, causing hundreds of billions of dollars in economic losses. In 2018, a Google data center in Belgium was struck by lightning, causing disk damage and data loss. The fragility of centralized storage is a headache, and distributed storage - encrypting, slicing, and distributing data to global nodes - sounds like a tailor-made answer for privacy and security.

By distributing data and storing it on multiple physical nodes (usually servers or devices around the world), combined with encryption and blockchain mechanisms to achieve high data availability and privacy security, there are many advantages compared to traditional storage methods:

As one of the most advanced projects in the decentralized storage protocol, Walrus has also become the most popular in the Rootdata storage track, bringing considerable attention to the long-dormant decentralized storage track. Many people recalled the craze that Filecoin set off back then.

In 2017, Filecoin was launched, and it caused a sensation in the crypto industry through a record-breaking $200 million ICO. The vision is to combine IPFS (Interplanetary File System) with blockchain incentives to build a global distributed storage market. After the mainnet was launched in 2020, Filecoin quickly attracted a large number of miners and developers, and the storage capacity exceeded 1EB (1 billion GB) within a year. The community has high hopes for it, and the price of FIL tokens once soared, driving a storage mining boom. At that time, even Chinese aunts went to buy mining machines, and the saying that Filecoin is the next Bitcoin was even more rampant.

However, Filecoin gradually lost popularity due to high storage costs, complex incentive mechanisms and intensified market competition. It was even suspected of being a scam in many regions and was once linked to pyramid schemes. This was mainly because some bad actors took advantage of its mining mechanism and expectations of token appreciation to exaggerate its publicity, misleading investors, which had a negative impact on its reputation and left a mess.

Despite this, distributed storage, as an important track of Web3 infrastructure and a key technology to fight against the monopoly of centralized cloud services, still attracts the attention of many entrepreneurs and investors. From protecting user privacy to enabling data sovereignty, the rise of emerging projects such as Walrus has further ignited market enthusiasm.

In this article, Mankiw will discuss how distributed storage protects user privacy through encryption and decentralization, the regulatory attitude of mainland China towards this technology, the commercial potential of distributed storage, and more importantly, the legal compliance points that Web3 entrepreneurs need to pay special attention to when developing distributed storage projects. Distributed storage has a promising future, but only by complying with laws and regulations can the project be made bigger and stronger.

• Why we need distributed storage: We all want privacy

Have you ever had such an experience? I just searched for teeth whitening casually one day, but then I received harassing calls from various dental institutions every day, and the sales service was so accurate that it was disturbing. When and where was your data leaked? This year's 315 Gala tore off the technical veil of data black industry and exposed the chaos of personal information being traded wantonly. When data becomes a core production factor, security and privacy should become an insurmountable bottom line. More and more people are beginning to realize that privacy, data privacy, is very important.

At this year's 315 Gala, we were shocked to see that many technology companies illegally processed more than 10 billion pieces of user information every day through various means, including sensitive data such as mobile phone numbers, consumption records, and social accounts. There were also systems that stole information from corporate public accounts and WeChat group members, forming a closed loop of "data theft-precision marketing-commercial realization".

Privacy is a topic that continues to be discussed. Ethereum founder Vitalik recently wrote in his personal blog, "Why I Support Privacy":

“Privacy does not mean alienation from each other, but solidarity. Privacy is not a separate entity, but a common footing.”

Why do we want privacy? Everyone has a different answer. He divides his answer into three parts:

• Privacy is freedom: Privacy gives us space to live our lives in the way that best suits our needs without having to constantly worry about how our actions will be viewed in various political and social games.

• Privacy is order: a series of mechanisms that support the basic operation of society rely on privacy to function properly.

• Privacy is progress: if we gain new ways to selectively share our information while protecting it from abuse, we can unlock massive value and accelerate technological and social progress.

Vitalik also expressed his overall argument for privacy in a sentence as follows: Privacy provides you with the freedom to live your life in a way that best suits your personal goals and needs, without having to constantly balance between the “private game” (your own needs) and the “public game” (how various other people react to and perceive your behavior through various mechanisms, including social media emergence, business incentives, politics, institutions, etc.).

Looking back, as early as 1993, the Cypherpunk Manifesto called for privacy and freedom - "Privacy is the power to selectively reveal yourself to the world... We are using cryptography, anonymous email forwarding systems, digital signatures, and electronic currencies to defend our privacy." Bitcoin did not come out of nowhere, but is the culmination of history's arduous exploration. Today, this road to privacy is going further and further.

We need distributed storage because we all desire privacy.

• Looking at the data: How broad is the business prospect?

The essence of blockchain technology is decentralization. The characteristics of distributed storage that cannot be tampered with and information encryption are in line with the development direction of "decentralization" in the Web3.0 era. It is an indispensable part of the future development and implementation of blockchain, and its business prospects are naturally very broad.

Let’s look at the data:

According to Grand View Research, the global data storage market will be worth US$62.83 billion in 2023, with a compound annual growth rate (CAGR) of 9.8% expected from 2024 to 2030. By 2030, the market size will exceed US$100 billion.

According to the latest research from MRA, the distributed storage market alone is expected to grow from approximately US$15 billion in 2025 to over US$50 billion in 2033, with a CAGR of approximately 16%, with the highest adoption rate in the commercial sector.

It can be seen that the distributed storage market has strong growth potential and broad business space. More and more blockchain project infrastructures are using distributed storage, and governments, enterprises, and individuals around the world are gradually adopting it. For example, Google Chrome supports built-in IPFS components, and Ethereum has achieved full access to the IPFS network. Domestic Internet giants such as Tencent, Baidu, and Alibaba have also begun to deploy related technologies. The increasing integration of distributed storage with other technologies such as artificial intelligence and machine learning will also release more opportunities.

Mainland China’s attitude towards distributed storage

Friends who often read Mankiw Law Firm's research and analysis must be familiar with the fact that there are three legal bottom lines that cannot be touched when starting a Web3 project in mainland China. In distributed storage projects, users earn tokens by maintaining and improving project infrastructure. Tokens can generate liquidity through exchanges or other means. It seems easy to touch the last two negative lists mentioned above.

The People's Bank of China and ten other departments also jointly issued the "Notice on Regulating Virtual Currency "Mining" Activities" in September 2021. The "Notice" pointed out that in order to achieve the goal of energy conservation and emission reduction, the country does not support virtual currency "mining" projects such as Bitcoin.

However, distributed storage projects such as Filecoin, the incentive layer of IPFS, are proof of work that is completely different from Bitcoin. They do not consume a lot of electricity resources, but can improve the utilization rate of idle resources. They only need to provide storage space and bandwidth. If the project does not involve too much Token discussion and is viewed purely from a technical perspective, the policy compliance risk is theoretically small. The "Notice" also pointed out that "mining" should be distinguished from blockchain and big data related industries, and the development of high-tech industries with low resource consumption and high added value should be guided. From the national and government levels, distributed storage technology itself is not only not restricted by policies, but has also been optimized to some extent.

In addition, although my country does not deny the property attributes of virtual currency, it is strictly prohibited to raise virtual currency tokens, which may easily touch the first category of negative list, and the judicial practice on the effectiveness of contracts related to currency-related hardware equipment is still inconsistent. The article will explain how entrepreneurial teams can avoid related risks in detail later.

We can also see that the implementation of the "Data Security Law of the People's Republic of China" in September 2021 marks that my country's development and application of data resources has officially entered the track of legalization. While providing legal protection for the data security of distributed storage, the "Data Security Law" also provides a new code of conduct for the data management of operating companies, leading the standardized reform in the IPFS field from a legal perspective.

In general, mainland China is open to distributed storage and clearly distinguishes its essential difference from high-energy-consuming virtual currency mining. Regulations such as the Data Security Law provide legal guarantees for the standardization of the industry. Policies are not obstacles, but sieves. Only compliant projects can take advantage of the favorable conditions. For Chinese Web3 entrepreneurs, distributed storage may be a policy-feasible track.

The entire project, including upstream and downstream, must comply with regulations:

Unlike other Web3 projects, distributed storage projects are closely integrated with hardware devices, forming an upstream and downstream industrial chain with clear division of labor. The project chain is very long, from technology development to hardware distribution to market promotion, and every link may be a pitfall. The following is Mankiw's "Guide to Avoiding Pitfalls":

Upstream: Project team, don’t just think about technology

The project team is the core, responsible for protocol design, business model design and operation coordination, but compliance must start from the first step. Compliance is focused on three aspects: company entity design, data security and cross-border compliance, and prevention of financial crimes.

1. Company entity: Going overseas is a way out

Some things are restricted in China, so entrepreneurial projects can seek development overseas. More and more project owners choose to set up companies and teams overseas, and turn to areas that are more friendly to cryptocurrencies, such as Hong Kong, Singapore, Dubai, etc., which are all good choices. Only some support teams are retained in China. For teams that want to develop distributed storage business, especially those with plans to issue tokens in the future, it is recommended to plan an overseas plan as soon as possible and arrange the main body of the project company overseas.

Attorney Mankiw advises:

• Choose the appropriate overseas jurisdiction to ensure that the company entity complies with local laws and regulations;

• Clarify the division of labor between overseas entities and domestic teams to prevent domestic regulatory risks;

• Explore compliant business models and differentiate between different domestic and international regulatory environments;

• Consult professional lawyers in advance to plan a compliance path for token issuance.

2. Data security: Privacy is not just a slogan

Although distributed storage projects are decentralized in nature, they still involve a certain degree of centralized management and coordination in actual operations. Moreover, most distributed storage projects involve a large number of overseas users and need to publish data overseas through blockchain, so they have to consider the issue of data outbound transfer. Therefore, data compliance and data security need to be given priority consideration.

• Personal Information Protection

The project should comply with the privacy policy, explain to users how personal information is collected, used, stored and transmitted, and ensure compliance with legal requirements such as the Personal Information Protection Law. It is also necessary to obtain user consent. Before collecting and processing personal information, the purpose, method and scope of information processing should be clearly informed to users, and the user's explicit consent should be obtained. In addition, the principle of data minimization should be followed, and only the minimum amount of personal information required to achieve a specific purpose should be collected and processed.

The project also needs to balance the differences in regulation in multiple jurisdictions. Companies going overseas must accurately grasp the compliance requirements of major markets. The Personal Information Protection Law requires that the export of personal information requires the user's consent and passes a security assessment, while the GDPR (EU) emphasizes user privacy rights (such as the "right to be forgotten") and transparency.

• Data Security

Establish a data security management system: In accordance with the requirements of the Cybersecurity Law and the Data Security Law, formulate and implement a comprehensive data security management system to ensure the security of data during storage, transmission and processing.

Data encryption: Use strong encryption technology to protect data in storage and transmission to prevent unauthorized access and data leakage.

Regular security assessment: Conduct data security risk assessment and vulnerability scanning regularly, patch security vulnerabilities in a timely manner, and improve system security.

• Data storage and cross-border transfers

Distributed storage projects cannot do without cross-border data flow, after all, nodes are spread all over the world. However, the Cybersecurity Law and the Data Security Law mention that "important data" involving national security and public interests should be stored within the country. It is not so easy to transfer data overseas at will.

For example, if your project involves user information, you must conduct a security assessment before transferring it abroad to prove that the data will not be abused. The EU's GDPR also requires users to have the "right to be forgotten", and non-compliance will start with a fine. Therefore, before the project is launched, a project feasibility assessment must be conducted according to the requirements, and a security assessment must be conducted before cross-border data transmission to ensure compliance with the regulations of relevant departments.

3. Preventing financial crimes: KYC is not just for show

Anti-money laundering and counter-terrorist financing are global red lines. Everyone knows KYC (know your customer), and projects should strictly implement it to prevent fraud, protect user interests, and improve platform compliance. Users are required to provide identity documents (such as ID cards, passports, etc.) and proof of address for identity verification. User information is regularly updated and reviewed to ensure data accuracy.

A project owner thought that they were "decentralized" and that all data was on the chain, so they didn't need to worry about KYC. As a result, a money laundering gang was mixed in among the users, and the project was directly blocked after the regulator checked. Compliance is not a technical issue, but a survival issue.

Downstream ①: Hardware distributors

In the field of distributed storage, hardware sales, as a key link, often become a hotbed for pyramid schemes and illegal fundraising due to profit-driven reasons. Looking back at the Filecoin boom, many illegal companies used the names of "IPFS" and "Filecoin" to promote the added value of data storage, deliberately concealing investment risks, causing losses to a large number of investors. Two typical cases are particularly thought-provoking.

In the 2021 Xuzhou Filecoin mining machine fraud case, some distributors of IPFSUnion used "high returns" and "quick returns" as gimmicks to attract investors to buy Filecoin mining machines, but actually illegally absorbed funds through a multi-level distribution model, with the amount involved reaching 400 million yuan. After the police intervened, they seized the relevant assets and arrested 31 people. Although IPFSUnion claimed that its employees only "assisted in the investigation", the incident has caused serious damage to the project's reputation.

The Shenzhen Spacetime Cloud case in 2023 was equally shocking. Spacetime Cloud used the filpool.io platform to promote the "joint mining" project under the guise of selling Filecoin mining machines, which was actually a pyramid scheme. The case involved a sum of 607 million yuan (about 83 million US dollars), 62 million yuan in digital currency, and more than 57,000 registered members, further damaging the reputation of the Filecoin ecosystem.

The public prosecution agency determined that the defendants Lai Mouhang and others required participants to pay mining machine fees or rental fees to obtain membership qualifications on the grounds of mining FIL coins, developed downlines according to levels, used the number of people developed as the basis for rebates, and lured others to participate by offering high returns. Their actions have violated the criminal law and they should be held criminally responsible for organizing and leading pyramid schemes.

To avoid such risks, Attorney Mankiw offers the following suggestions:

• Standardize sales tactics and prohibit exaggerating benefits or promising fixed returns;

• Clearly disclose investment risks and fully protect users' right to know; establish a distributor compliance training mechanism, regularly audit sales behavior, and strictly select partners;

• Cooperate with professional lawyers to strictly review distribution contracts and eliminate legal loopholes.

Downstream②: Promotion team

In the field of distributed storage, the publicity and promotion team, as a key force in marketing and user acquisition, has become a hidden danger to the development of the industry due to the risk of false propaganda. False propaganda will not only mislead users, but may also violate the law and damage the overall reputation of the project.

As early as 2021, IPFS-related promotions attracted regulatory attention due to excessive exaggeration of benefits. Some promoters used highly tempting slogans such as "one machine for multiple mining" and "quick return on investment", deliberately magnifying investment returns without mentioning potential risks. This one-sided and exaggerated propaganda seriously violated the provisions of the Advertising Law on the authenticity and legality of advertising content, and also infringed on consumers' right to know, touching the red line of the Consumer Rights Protection Law. In the end, these improper promotional behaviors damaged the reputation of the project and plunged the market order into chaos.

In the same year, the China Communications Industry Association issued a warning, pointing out that some Filecoin promoters used "distributed storage value-added" as a gimmick, blindly promoted high returns, but ignored risk notifications and violated regulations. The regulatory authorities quickly intervened and imposed fines and rectification orders on companies that engaged in false propaganda, demonstrating their determination to rectify market chaos.

Attorney Mankiw advises:

• Ensure that the content of the promotion is objective: The promotion team should truthfully disclose the performance of the equipment and objectively present the uncertainty of the benefits to avoid misleading users. For example, when introducing a mining machine, it is necessary to clearly inform its actual computing power, operating environment requirements and other information, and at the same time, reasonably estimate the range of benefits through historical data.

• Strengthen risk warnings: In all promotional advertisements, clearly mark risk warnings in a conspicuous manner, such as "Investment is risky and returns are not guaranteed." Ensure that users can immediately notice the risk warnings when receiving promotional information.

• Standardize promotional terms: strictly avoid using absolute terms, such as "guaranteed returns" and "guaranteed profits without losses". Promotional content should be neutral and objective, using rigorous language and data to reduce legal risks and trust crises caused by exaggerated publicity.

Attorney Mankiw's Summary

Distributed storage is the core infrastructure of Web3. It protects privacy through encryption and decentralization, meets users' demand for data sovereignty, and shows great commercial potential. This year's CCTV 315 Gala exposed the chaos of data black industry, highlighting the privacy crisis of centralized storage. Distributed storage has become a key technology to combat data abuse. From the craze and lessons of Filecoin to the rise of Walrus, ensuring the legal operation of the entire upstream and downstream chain is the cornerstone of becoming bigger and stronger.

Upstream project teams can set up corporate entities overseas and design business models that are adapted to different domestic and international regulatory environments. At the same time, they must ensure data security and cross-border compliance, implement KYC measures, and prevent financial crime risks.

Downstream hardware distributors need to be alert to the risks of pyramid schemes and illegal fund-raising. They should standardize sales tactics, disclose risks, and reduce legal loopholes through compliance training and contract review.

The publicity and promotion team should put an end to false propaganda, avoid regulatory penalties and market chaos, and damage the reputation of the project. It is recommended that the promotion content should be true and transparent, with clear risk warnings.

In fact, many people know that distributed storage is just a branch of the DePIN track. The DePIN track also includes innovative projects such as Render Network (a leading AI computing project) and Hivemapper (decentralized encrypted map). These projects are committed to breaking the centralized monopoly and building a global interconnected physical infrastructure network ecosystem. Most of the DePIN tracks are closely integrated with hardware devices, and they all need to pay attention to upstream and downstream risks.

"Privacy is the cornerstone of freedom, order and progress." The Internet is in the midst of a decentralized revolution, and distributed data storage is a key infrastructure for the digital transformation of society. Expanding from distributed storage to the DePIN track is full of business prospects and a bright future. In this entrepreneurial blue ocean, if a project wants to develop sustainably, it can only become bigger and stronger if it is legal and compliant.