Once a go-to swapper for hackers and drainers, eXch was shut down by German police in April \u2014 but continued activity suggests the story isn\u2019t over.<\/p>\n
Without Know Your Customer (KYC) checks, eXch wasn\u2019t your typical crypto exchange. It acted more like an instant swapper, allowing bad actors and cybercriminals to fly under the radar for years.<\/p>\n
Among its clients was the Lazarus Group. The North Korean state-backed hacking unit thrust eXch into the spotlight back in February, when it used the platform to funnel some of the $1.4 billion it stole from Bybit. When Bybit traced its stolen funds to eXch, it requested assistance \u2014 but the platform refused.<\/p>\n
This led to a fierce discussion over privacy versus security, but ultimately, eXch announced it would close its doors on April 17<\/a>; on April 30, German authorities made it official<\/a>.<\/p>\n But according to security firm TRM Labs, the platform may have continued operating<\/a> in stealth mode after the takedown. Here\u2019s the rise, fall and afterlife of alleged crypto laundromat eXch.<\/p>\n Alongside its shutdown announcement, eXch posted a message claiming it would not facilitate criminal proceeds. The post was removed within hours, and operations quietly resumed \u2014 signs of an internal disagreement or perhaps even a calculated attempt to lower visibility, according to TRM.<\/p>\n CSAM-related fund flows traced to eXch. Source: TRM Labs<\/em><\/p>\n German authorities seized eXch\u2019s servers and confiscated 34 million euros ($38 million) in crypto<\/a>, along with more than eight terabytes of data, effectively dismantling its public-facing infrastructure.<\/p>\n Related: <\/strong><\/em>North Korean spy slips up, reveals ties in fake job interview<\/strong><\/em><\/a><\/p>\n \u201cJust like we saw with Garantex rebranding as Grinex<\/a>, eXch didn\u2019t fully die after the shutdown. It quietly kept servicing a handful of partners via API, which meant laundering activity continued even after the public takedown,\u201d said Jeremiah O\u2019Connor, co-founder and chief technology officer of security firm Trugard.<\/p>\n O\u2019Connor added that it\u2019s not unlikely for such platforms to serve loyal customers even after seizures.<\/p>\n EXch website visited on May 13. Source: <\/em>eXch<\/em><\/a><\/p>\n \u201cThe people behind eXch.ch took full advantage of operating across multiple countries. The domain was registered through a UK-based provider, listed Switzerland as an admin location, hosted infrastructure in France, and had servers seized in Germany,\u201d O\u2019Connor said.<\/p>\n It\u2019s still unclear if eXch will kill its API or come back under a new name. TRM said in the May 2 blog post that the platform\u2019s remaining back-end access continued to provide anonymization infrastructure for threat actors.<\/p>\n EXch\u2019s origins trace back to 2014, according to \u201cFantasy,\u201d lead investigator at crypto insurance firm Fairside Network. In an October 2024 investigation<\/a>, Fantasy identified the platform\u2019s first public appearance as a BitcoinTalk forum account promoting automatic swaps between Bitcoin (BTC<\/a>), Perfect Money and BTC-e vouchers \u2014 payment methods commonly associated with high-risk transactions. <\/p>\n Fantasy also traced the original Bitcoin wallet tied to eXch and found it was likely funded via BTC-e, the now-defunct crypto exchange shuttered<\/a> by US authorities in 2017 for its role in laundering criminal proceeds.<\/p>\n Fantasy\u2019s forensic research found that the modernized form of eXch emerged in 2022, when its Ethereum hot wallet was first funded. Not long after, it became a hub for prominent crypto drainers.<\/p>\n Monkey Drainer \u2014 the first known large-scale drainer-as-a-service operator \u2014 used eXch before its retirement<\/a>. Other draining service providers like Pink Drainer<\/a> and Inferno Drainer<\/a> also passed funds through the platform, along with several major exploiters.<\/p>\n EXch\u2019s modern wallets traced to accounts held at Binance and OKX. Source: <\/em>Fantasy\/MetaSleuth<\/em><\/a><\/p>\n EXch required no identity verification, allowing users to move funds with anonymity. That made it an attractive tool for cybercriminals looking to clean stolen assets.<\/p>\n \u201cEXch managed to stay active for years \u2014 despite facilitating obvious illicit activity \u2014 because there\u2019s still a big gap between what regulators \u2018can\u2019 do and how fast technology is moving,\u201d Amit Levin, former investigator at Binance, told Cointelegraph.<\/p>\n \u201cIn today\u2019s world, anyone can launch a smart contract or run a crypto service from anywhere, often without revealing who they are. And if there\u2019s no registration, no KYC and no one to hold accountable, enforcement becomes close to impossible.\u201d<\/p>\n The platform also drew confidence from threat actors by using a pooled liquidity system that blended user deposits and withdrawals, making it difficult for investigators and law enforcement to trace the flow of funds.<\/p>\n EXch denied laundering funds for North Korean crypto hackers<\/a>, and in its shutdown notice, it framed the project as an attempt by privacy enthusiasts to \u201crestore balance\u201d in the industry. It criticized Anti-Money Laundering enforcement and condemned companies offering address risk scoring APIs as \u201cparasites\u201d profiting off government fear.<\/p>\n \u201cService providers in the crypto space are, for the most part, not decentralized; that is, they retain control over or access to customers\u2019 assets, as demonstrated in the case of eXch,\u201d Gal Arad Cohen, partner at S. Horowitz & Co, told Cointelegraph.<\/p>\n \u201cA financial intermediary operating in the crypto sector faces risks similar to those of traditional financial service providers and should, therefore, be held to equivalent standards and regulatory requirements,\u201d she said.<\/p>\n The closure of eXch is a \u201chuge win\u201d for crypto, according to Alex Katz, CEO of security firm Kerberus. However, Katz warned that bad actors can migrate to alternative projects, like THORChain, which received a shoutout in eXch\u2019s unapologetic farewell manifesto.<\/p>\n In the Bybit hack, decentralized swap protocol THORChain was used as the main bridge to swap around 500,000 Ether<\/a> (ETH<\/a>) to Bitcoin.<\/p>\n EXch operators also used THORChain to allegedly obfuscate trails. Source: <\/em>Tanuki42<\/em><\/a><\/p>\n EXch stated that its partners would retain access to its API for a limited time, but future operations would depend on the \u201cnew management team.\u201d The old team recommended setting up new liquidity pools to maintain seamless functionality and said it would provide consultations.<\/p>\n It signed off with a defiant message: \u201cPrivacy is not a crime.\u201d<\/p>\n German authorities reported that $1.9 billion in crypto flowed into eXch since its inception. Its operators are suspected of commercial money laundering and running a criminal trading platform.<\/p>\neXch shuts front door, keeps back door unlocked<\/h2>\n
No KYC, pooled liquidity draws illicit funds to eXch<\/h2>\n
When eXch knew and did nothing<\/h2>\n