Is the coin-mixing platform a hotbed for money laundering? In-depth investigation of the "countercurrent" eXch in the Bybit hack incident
Author: Scof, ChainCatcher
Editor: TB, ChainCatcher
On the evening of February 21, the exchange Bybit experienced the largest theft in history, prompting many institutions and individuals to extend their help to Bybit to navigate this crisis. Although the crisis has been temporarily controlled, the next key task is to track and intercept the hacker's funds and recover the stolen assets.
However, in the past two days, the eXch platform has laundered over 29,000 ETH stolen by the Lazarus hackers from Bybit. This platform has immediately attracted widespread attention in the crypto community, with many users stating that despite being in the industry for years, they had never heard of the eXch project before.
So, what kind of platform is eXch? What role did it play in this incident?
What is eXch?
eXch is a centralized mixer that does not require KYC. The basic function of a mixer is to obscure the source and destination of transactions by mixing the funds of different users, making it difficult for external observers to trace the transaction paths.
Users can freely exchange tokens such as BTC, LTC, ETH, and XMR on eXch. After selecting the type and amount of tokens for the transaction and setting the receiving and refund addresses, the platform will complete the transaction at the Bisq (median value based on market trading data) price. Furthermore, the exchange claims that its liquidity is not provided by third parties but is stored on its own nodes.
Although it seems very convenient, users who have actually used eXch report that the experience is quite poor, with high fees and price spreads. Additionally, when liquidity is exhausted, users have to wait for staff to manually send tokens, and sometimes they are sent to the wrong address. Some community members have stated that under such high fees and slippage (nearly 10%), only money laundering teams would use this platform.
Recommended reading: “ZachXBT: Lazarus Group's Centralized Mixer eXch Mistakenly Sent 34 ETH to a Certain Exchange Hot Wallet”
Currently, there is no information about the eXch team online, except for a verified X account named @exchcx, which has not updated its content for over a year.
eXch Refuses to Cooperate with Bybit to Recover Stolen Funds
After the incident, Bybit's CEO began seeking support from all sectors to intercept the stolen funds.
On February 22, on-chain detectives discovered that 5,000 stolen ETH were laundered through eXch and converted to Bitcoin via Chainflip. In response to this discovery, Bybit requested eXch to block the funds and track their movements. However, eXch publicly disclosed this request and refused to cooperate. In their reply to Bybit's email, eXch mentioned that they would not provide any assistance due to their users having been banned by Bybit.
In response, the community has voiced two different opinions:
- Some believe that allowing eXch, which facilitates money laundering, to act as a laundering tool in the largest hacking incident in history severely damages the credibility of the entire industry. Regulatory agencies are likely to intervene, and all platforms should block funds transferred through eXch. If anyone is still using this platform, they should withdraw their assets as soon as possible to avoid legal risks.
- Others argue that this incident is not a typical hacking attack but rather a security lapse caused by social engineering vulnerabilities. Bybit should bear the losses incurred due to internal employees failing to guard against phishing attacks when signing multi-signature transactions, reflecting Bybit's operational errors. eXch's refusal to cooperate may be related to Bybit's negative publicity towards it over the years, thus giving eXch reason not to cooperate.
On February 23, eXch issued a statement on Bitcointalk, stating that "it will not launder for Lazarus/DPRK" and that the funds processed from Bybit's attack would be donated to various open-source projects. They emphasized that this move is to protect the principle of decentralization (not your keys, not your money) and pointed out that THORChain has handled more dirty money than they have.
In response, many community members began to criticize eXch. Crypto KOL @tayvano_ mocked eXch for disparaging THORChain, stating, "because whenever liquidity runs out, eXch relies on Thorchain." Some users even suggested that all VASPs directly blacklist eXch, believing that their actions amount to money laundering.
eXch's response seems to always be the same slogan: maintaining the ideal of decentralization.
Is There a Necessity for Mixers?
But this is not the first time hackers have used eXch for laundering.
In a theft incident reported by ZachXBT in December 2024, the stolen funds ultimately flowed to eXch for laundering, converted into LTC, and entered the market. At that time, the stolen assets were valued at 6.5 million USD.
In September 2024, the economic data aggregator Truflation suffered a hacking attack, losing approximately 5 million USD, with funds stolen from the treasury's multi-signature and personal wallets. A month later, the Truflation attackers exchanged 1.37 million DAI for 500 ETH and transferred it to eXch.
In August 2024, an address involved in a phishing attack transferred 300 ETH to the eXch platform after stealing 55.4 million DAI.
In the nearly 30 hours since the hackers attacking Bybit began laundering funds yesterday afternoon, they have used numerous addresses and cross-chain exchange platforms/mixers such as Chainflip, THORChain, LiFi, DLN, and eXch to convert 37,900 ETH (106 million USD) into BTC and other assets.
With the occurrence of this series of events, more and more users are beginning to reflect on the significance of mixers and question their compliance.
The function of mixers is to protect user privacy and enhance the anonymity of funds, especially in the context of publicly transparent blockchain transaction records, providing users with a certain level of privacy protection. However, these tools have also become a breeding ground for hackers, scammers, and money laundering gangs, with illegal funds often laundered through mixers, making it more difficult to trace and recover stolen assets.
We cannot deny the significance of mixers' existence, but as the metaphor in "Faust" suggests: if technological advancement is divorced from moral constraints, it will ultimately become a deal with the devil. At this stage, what we can be sure of is that finding a balance between privacy and compliance requires more discussion and reform to truly protect the interests of more users.

