Original author: Scof, ChainCatcher
Original editor: TB, ChainCatcher
On the evening of February 21, the exchange Bybit suffered the largest theft in history. Many institutions and individuals lent a hand to help Bybit through this crisis. Although the crisis has been temporarily controlled, the next key task is to try to track and intercept the hacker funds and recover the stolen assets.
However, in the past two days, the eXch platform has laundered more than 29,000 ETH that Lazarus hackers stole from Bybit. The platform immediately attracted widespread attention in the crypto community, and many users said that despite their many years in the industry, they had never heard of the eXch project before.
So, what kind of platform is eXch? What role did it play in this incident?
What is eXch?
eXch is a centralized coin mixer that does not require KYC. The basic function of a coin mixer is to mix funds from different users, thereby disrupting the source and destination of transactions, making it difficult for external observers to track the transaction path.
Users can freely exchange BTC, LTC, ETH, XMR and other tokens on eXch. After selecting the type and quantity of the token to be traded, and setting the receiving address and refund address, the platform will complete the transaction at the Bisq price (based on the median value of market transaction data). The exchange claims that its liquidity is not provided by a third party, but is stored on its own nodes.
Although it seems very convenient, users who have actually used eXch said that the experience is very bad: fees and spreads are high, and when liquidity is exhausted, they need to wait for staff to manually send tokens, which are sometimes sent to the wrong address. Some community members even said that with such high fees and slippage (nearly 10%), only money laundering teams would use this platform.
Recommended reading: ZachXBT: The eXch team, a centralized coin mixer used by Lazarus Group for money laundering, mistakenly sent 34 ETH to a hot wallet of an exchange
There is currently no information about the eXch team on the Internet. There is only an X account named @exchcx that is certified as its representative, but the account has not been updated for more than a year.
eXch refuses to cooperate with Bybit to recover stolen funds
After the incident, Bybit's CEO began to seek support from all walks of life, hoping to jointly intercept the stolen funds.
On February 22, on-chain detectives discovered that 5,000 stolen ETH was laundered through eXch and converted to Bitcoin through Chainflip. In response to this discovery, Bybit asked eXch to block the funds and track their movements. However, eXch made the request public and refused to cooperate. In its reply to Bybit's email, eXch mentioned that since its users had been banned by Bybit, it would not provide any help.
In this regard, there are two different voices in the community:
Some people believe that eXch, which allows money laundering, has served as a money laundering tool in the largest hack in history, seriously damaging the credibility of the entire industry. Regulators are likely to intervene, and all platforms should block funds transferred through eXch. If anyone is still using the platform, they should withdraw their assets as soon as possible to avoid legal risks.
Others believe that this incident was not a typical hacker attack, but a security lapse caused by a social engineering vulnerability. Bybit should bear the losses caused by its internal employees' failure to prevent phishing attacks when signing multi-signature transactions, which reflects Bybit's own operational errors. And eXch's refusal to cooperate may be related to Bybit's bad publicity for it over the years, so eXch has reason not to cooperate.
On February 23, eXch released a statement on bitcointalk, saying that it will not launder money for Lazarus/DPRK and that the proceeds from the previous attack on Bybit will be donated to various open source projects. They emphasized that this move is to protect the concept of decentralization ("not your keys, not your money"), and pointed out that Thorchain has processed more black money than them.
In response, many community members began to criticize eXch. Crypto KOL @tayvano_ joked about eXch's attempt to drag Thorchain down with it, saying that this is because eXch relies on Thorchain every time its liquidity is exhausted. Some users even suggested that all VASPs directly blacklist eXch, believing that its practices amount to money laundering.
And eXch’s response seems to always be the same slogan: maintaining the ideal of decentralization.
Is it necessary for a coin mixer to exist?
But this is not the first time hackers have used eXch to launder coins.
In December 2024, in a theft reported by ZachXBT, the stolen funds eventually flowed to eXch for laundering, converted into LTC and put on the market. At that time, the stolen assets were worth $6.5 million.
In September 2024, economic data aggregator Truflation was hacked and lost about $5 million. Funds were stolen from the treasury multi-signature and personal wallets. A month later, the Truflation attacker exchanged 1.37 million DAI for 500 ETH and transferred it to eXch.
In August 2024, an address involved in a phishing attack transferred 300 ETH to the eXch platform after stealing 55.4 million DAI.
As this series of events occurred, more and more users began to reflect on the significance of the existence of mixers and questioned their compliance.
The function of a mixer is to protect user privacy and enhance the anonymity of funds. Because blockchain transaction records are open and transparent, it provides users with a certain degree of privacy protection. However, this tool has also become a hotbed for hackers, fraudsters and money laundering gangs. Illegal funds are often washed through mixers, making it more difficult to track and recover stolen assets.
We cannot deny the significance of the existence of mixers, but as the metaphor of Faust suggests: if technological progress is separated from the shackles of morality, it will eventually become a deal with the devil. At this stage, the only thing we are sure of is how to find a balance between privacy and compliance. More discussions and changes are needed to truly protect the interests of more users.