Has a coin mixer become a hotbed of money laundering? A closer look at eXch, the "reverser" in the Bybit hacking incident

Reprinted from panewslab

02/25/2025·2M

Author: Scof, ChainCatcher

Edited by: TB, ChainCatcher

On the evening of February 21, the exchange Bybit suffered the largest theft in history, and many institutions and individuals stepped in to help Bybit through the crisis. Although the crisis is temporarily under control, the next key task is to track and intercept the hackers' funds and recover the stolen assets.

However, over the past two days, the eXch platform has laundered more than 29,000 ETH stolen from Bybit by Lazarus hackers. The platform immediately attracted widespread attention in the crypto community, and many users said that despite being in the industry for many years, they had never heard of eXch before.

So, what kind of platform is eXch? What role did it play in this incident?

What is eXch?

eXch is a centralized coin mixer that does not require KYC. A coin mixer's basic function is to pool the funds of different users, obscuring the source and destination of transactions and making it difficult for outside observers to trace transaction paths.

Users can freely swap tokens such as BTC, LTC, ETH and XMR on eXch. The user selects the type and quantity of tokens to trade and sets a receiving address and a refund address, and the platform completes the trade at the Bisq rate (a median value based on market transaction data). The exchange also claims that its liquidity is not provided by a third party and is stored on its own nodes.

Although this sounds convenient, people who have actually used eXch say the experience is very bad: the fees and the spread are very high, and when liquidity runs out, users have to wait for staff to send the tokens manually, sometimes to the wrong address. Some community members also said that with fees and slippage this high (nearly 10%), only money laundering teams would use the platform.

There is currently no information about the eXch team on the Internet. Only an X account named @exchcx has been certified as its representative, but the account has not updated its content for more than a year.

eXch refuses to cooperate with Bybit to recover stolen funds

After the incident, Bybit's CEO began to seek support from all quarters, hoping to jointly intercept the stolen funds.

On February 22, on-chain detectives discovered that 5,000 of the stolen ETH had been laundered through eXch and converted to Bitcoin through Chainflip. In response to this discovery, Bybit asked eXch to block the funds and track their movements. However, eXch made the request public and refused to cooperate. In an email reply to Bybit, eXch said that because its users had once been banned by Bybit, it would not help.

The community is split into two camps on this:

  • Some believe that eXch, which allows money laundering, has acted as a money laundering tool in the largest hack in history, seriously undermining the credibility of the entire industry. Regulators are likely to step in, and all platforms should block funds transferred through eXch. Anyone still using the platform should withdraw their assets as soon as possible to avoid legal risk.
  • Others believe that the incident was not a typical hacker attack, but a security mistake caused by a social engineering vulnerability. In their view, Bybit should bear the losses, because its internal employees failed to prevent a phishing attack when signing a multi-signature transaction, which reflects Bybit's own operational errors. eXch's refusal to cooperate may be related to Bybit's bad publicity for many years, so eXch has reason not to cooperate.

On February 23, eXch issued a statement on bitcointalk, saying that it "will not launder money for Lazarus/DPRK" and that the proceeds it earned from handling funds from the Bybit attack will be donated to various open source projects. It stressed that its stance was meant to protect the concept of decentralization ("not your keys, not your money"), and noted that THORChain has handled more dirty money than eXch has.

In response, many community members began to criticize eXch. Crypto KOL @tayvano_ mocked eXch for taking a swipe at THORChain, saying "because eXch will rely on Thorchain whenever liquidity is exhausted." Some users also suggested that all VASPs blacklist eXch outright, arguing that what it does amounts to money laundering.

And eXch's response always seems to be the same slogan: maintaining the ideal of decentralization.

Do coin mixers need to exist?

But this is not the first time a hacker has used eXch to launder coins.

In December 2024, in a theft reported by ZachXBT, the stolen funds eventually flowed to eXch for laundering, were converted into LTC and were put into the market. The stolen assets were worth US$6.5 million at that time.

In September 2024, the economic data aggregator Truflation was hacked and lost about $5 million, with funds stolen from its treasury multi-signature wallet and personal wallets. A month later, the Truflation attacker exchanged 1.37 million DAI for 500 ETH and transferred it to eXch.

In August 2024, an address involved in a phishing attack transferred 300 ETH to the eXch platform after stealing 55.4 million DAI.

Since the hackers who attacked Bybit started laundering coins yesterday afternoon, in nearly 30 hours they have used a large number of addresses, together with cross-chain exchange and coin mixing platforms such as Chainflip, THORChain, LiFi, DLN, and eXch, to swap 37,900 ETH (USD 106 million) across chains into other assets such as BTC.

With this series of events happening, more and more users have begun to reflect on the existence of coin mixers and question their compliance.

The purpose of a coin mixer is to protect user privacy and enhance the anonymity of funds. Because blockchain transaction records are open and transparent, it offers users a degree of privacy protection. However, this tool has also become a breeding ground for hackers, fraudsters and money laundering gangs. Illegal funds are often laundered through coin mixers, which makes it more difficult to track and recover stolen assets.

We cannot deny the value of coin mixers, but as in the metaphor of "Faust": if technological progress is freed from moral constraints, it eventually becomes a deal with the devil. The only thing we can be sure of at this stage is that finding a balance between privacy and compliance requires more discussion and change in order to truly protect the interests of more users.