Crypto swapper eXch shows signs of life after post-Bybit shutdown


Once a go-to swapper for hackers and drainers, eXch was shut down by German police in April — but continued activity suggests the story isn’t over.

Without Know Your Customer (KYC) checks, eXch wasn’t your typical crypto exchange. It acted more like an instant swapper, allowing bad actors and cybercriminals to fly under the radar for years.

Among its clients was the Lazarus Group. The North Korean state-backed hacking unit thrust eXch into the spotlight back in February, when it used the platform to funnel some of the $1.4 billion it stole from Bybit. When Bybit traced its stolen funds to eXch, it requested assistance — but the platform refused.

This led to a fierce discussion over privacy versus security, but ultimately, eXch announced it would close its doors on April 17; on April 30, German authorities made it official.

But according to security firm TRM Labs, the platform may have continued operating in stealth mode after the takedown. Here’s the rise, fall and afterlife of alleged crypto laundromat eXch.

eXch shuts front door, keeps back door unlocked

Alongside its shutdown announcement, eXch posted a message claiming it would not facilitate criminal proceeds. The post was removed within hours, and operations quietly resumed — signs of an internal disagreement or possibly even a calculated effort to lower visibility, according to TRM.

CSAM-related money flows traced to eXch. Source: TRM Labs

German authorities seized eXch’s servers and confiscated 34 million euros ($38 million) in crypto, along with more than 8 terabytes of data, effectively dismantling its public-facing infrastructure.


“Just like we saw with Garantex rebranding as Grinex, eXch didn’t fully die after the shutdown. It quietly kept servicing a handful of partners via API, which meant laundering activity continued even after the public takedown,” said Jeremiah O’Connor, co-founder and chief technology officer of security firm Trugard.

O’Connor added that it’s not unlikely for such platforms to service loyal customers even after seizures.

EXch website visited on May 13. Source: eXch

“The group behind eXch.ch took full advantage of operating across multiple countries. The domain was registered through a UK-based provider, listed Switzerland as an admin location, hosted infrastructure in France, and had servers seized in Germany,” O’Connor said.

It’s still unclear if eXch will end its API or come back under a new name. TRM said in the May 2 blog post that the platform’s remaining back-end access continued to provide anonymization infrastructure for threat actors.

No KYC, pooled liquidity draws illicit funds to eXch

EXch’s origins trace back to 2014, according to “Fantasy,” lead researcher at crypto security firm Fairside Network. In an October 2024 investigation, Fantasy identified the platform’s first public appearance as a BitcoinTalk forum account promoting automatic swaps between Bitcoin (BTC), Perfect Money and BTC-e vouchers — payment methods commonly associated with high-risk transactions.

Fantasy also traced the first Bitcoin wallet tied to eXch and found it was likely funded via BTC-e, the now-defunct crypto exchange shuttered by US authorities in 2017 for its role in laundering criminal proceeds.

Fantasy’s forensic probe found that the modernized form of eXch emerged in 2022, when its Ethereum hot wallet was first funded. Not long after, it became a hub for prominent crypto drainers.

Monkey Drainer — the first known large-scale drainer-as-a-service operation — used eXch before its retirement. Other draining service providers like Pink Drainer and Inferno Drainer also passed funds through the platform, along with several major exploiters.

EXch’s modern wallets traced to accounts held at Binance and OKX. Source: Fantasy/MetaSleuth

EXch required no identity verification, allowing users to move funds with anonymity. That made it an attractive tool for cybercriminals looking to clean stolen assets.

“EXch managed to stay active for years — despite facilitating obvious illicit activity — because there’s still a big gap between what regulators ‘can’ do and how fast technology is moving,” Amit Levin, former researcher at Binance, told Cointelegraph.

“In today’s world, anyone can launch a smart contract or run a crypto service from anywhere, often without revealing who they are. And if there’s no registration, no KYC and no one to hold accountable, enforcement becomes next to impossible.”

The platform also drew confidence from threat actors by using a pooled liquidity system that blended user deposits and withdrawals, making it difficult for investigators and law enforcement to trace the flow of funds.

When eXch knew and did nothing

EXch denied laundering funds for North Korean crypto hackers, and in its shutdown notice, it framed the project as an effort by privacy enthusiasts to “restore balance” in the industry. It criticized Anti-Money Laundering enforcement and condemned companies offering address risk scoring APIs as “parasites” profiting off government fear.

“Service providers in the crypto space are, for the most part, not decentralized; that is, they hold control over or access to customers’ assets, as demonstrated in the case of eXch,” Gal Arad Cohen, partner at S. Horowitz & Co, told Cointelegraph.

“A financial intermediary operating in the crypto sector faces risks similar to those of traditional financial service providers and should, therefore, be held to equivalent standards and regulatory requirements,” she said.

The closure of eXch is a “huge win” for crypto, according to Alex Katz, CEO of security firm Kerberus. However, Katz warned that bad actors can migrate to alternative projects, like THORChain, which received a shoutout in eXch’s unapologetic farewell manifesto.

In the Bybit hack, decentralized swap protocol THORChain was used as the main bridge to swap about 500,000 Ether (ETH) to Bitcoin.

EXch operators also used THORChain to allegedly obfuscate trails. Source: Tanuki42

EXch stated that its partners would retain access to its API for a limited time, but future operations would depend on the “new management team.” The old team recommended setting up new liquidity pools to maintain seamless functionality and said it would provide consultations.

It signed off with a defiant message: “Privacy is not a crime.”

German authorities reported that $1.9 billion in crypto flowed into eXch since its inception. Its operators are suspected of commercial money laundering and running a criminal trading platform.
