eXch.cx, Crypto Money Laundering and the Bybit Hack

The Bybit $1.5 billion hack brought unwanted attention to one peculiar actor embroiled in DPRK money laundering shenanigans: eXch.

Although eXch may be an unknown name to most crypto users, that’s not the case for blockchain security researchers and firms. Since 2023, when tracing the obfuscated routes taken by crypto criminals post-heist, we’ve observed a sharp uptick in the use of eXch.

The DPRK threat group behind the Bybit attack, TraderTraitor, relied on eXch to successfully launder almost $100 million — funds that are now effectively untraceable.

So what makes this discreet, somewhat decrepit centralized exchange such a key gateway for crypto money laundering?

That’s exactly what we explore in our latest crypto money laundering report.

eXch — A Privacy Tool of European Origin(?)

What is eXch and How Does it Work?

eXch is an automated centralized exchange that is very primitive to use. It functions like OG exchanges (and has the look of one), allowing users to exchange one cryptocurrency for another, and has built a good reputation among users who wish to trade instantly.

eXch generates a one-time address for its users, and once the required funds are transferred to this address, the purchased cryptocurrency is credited to their account.

Currently, it supports the following cryptocurrencies: BTC, LTC, ETH, XMR, USDT, USDC, DAI, DASH, and BTCLN.

Source: eXch

eXch is a rather unassuming exchange with relatively low liquidity and trade volume. They claim not to use any third-party liquidity providers and that all their reserves belong to them and are allocated on their nodes. It is reported that tokens are manually sent to depleted cryptocurrency reserves.

eXch openly provides a ‘proof of reserve’ of their swappable assets on their website’s front page, and it can sometimes be observed — like at press time — that some currency reserves drop to 0 (e.g., XMR) or come close to it, as seen with their Ethereum reserve, which is barely 2.5 ETH. To what extent this proof of reserves reflects the truth, we cannot say.

March 17th 2025 Capture of eXch Proof of Reserve — Source: eXch

The rustic nature of eXch extends beyond its basic functionality, aesthetics, and mechanics, reminiscent of the pioneering crypto exchanges from a decade ago, deeply influenced by the enduring ideals of Nakamoto’s Cypherpunk vision — privacy, liberty, and resistance to censorship. Back then, ensuring a crypto user’s right to privacy was paramount, and KYC processes were almost nonexistent.

In just a decade, the role of KYC in centralized exchanges has evolved drastically, to the point where no-KYC exchanges are now viewed as anomalies and treated with suspicion, accused of existing primarily to harbor criminal proceeds.

eXch is one such exchange. It first gained traction in 2014, offering a more limited selection of cryptocurrencies, and operated until 2016, when it shut down for undisclosed reasons.

However, it made a notable comeback in the summer of 2022, just as the crypto mixer Tornado Cash was sanctioned by OFAC for facilitating the laundering of hundreds of millions in illicit funds, including criminal proceeds belonging to North Korean state-sponsored crypto criminal threat groups.

Similar to its 2014 version, eXch’s creator remained true to the exchange’s original purpose and design, developing a platform that does not require KYC or SoF (Source of Funds) checks. Both have become standard procedures for high-profile CEXes since 2020, as part of anti-money laundering (AML) measures adopted under global regulatory pressure.

The absence of KYC and SoF is the very first basic layer of privacy offered by eXch. The website ‘KycNotMe,’ which evaluates non-KYC platforms, rates eXch a 9 out of 10 for safety and privacy. eXch provides access via the privacy-focused Tor browser through its own onion address, with users reporting a seamless experience on Tor.

The platform requires no registration, offers automated refunds without KYC, operates a non-custodial wallet, and, notably for privacy-conscious users, does not require JavaScript — which can be used as a surveillance tool.

Source: KycNotMe

On their website’s Q&A section, the exchange outlines strict policies to ensure users have the anonymous and private trading experience they seek. These include not collecting metadata, using no cookies or other tracking techniques, disabling IP address logging on reverse proxies, caching servers, and backend servers, and removing ROM/TO/refund addresses 15 days after use, or immediately when the user clicks the ‘delete data’ button — in eXch’s words.

eXch seems to fully embrace the principle of censorship resistance, asserting that they ‘do not discriminate or have any rejection criteria,’ when it comes to their users. As a result, every individual is eligible to use the platform, and they do not consider ‘prohibited jurisdictions.’ To protect both themselves and their customers, eXch has made it impossible to detect users’ locations, as they have ‘IP logging disabled.’

But what makes eXch truly a privacy tool is its mixing nature. Although eXch labels itself as an exchange, blockchain security actors tend to classify it as a mixer.

It has two pools of addresses: one is a mixed pool in which sent and received transactions on the platform are combined. In eXch’s own words, thanks to their P2P-like mixing approach, “there is no way to discover how many people are behind certain addresses, and traceability is extremely difficult.”

Meanwhile, in eXch’s aggregated pool, transactions sent by users are collected into a single known address, which is also used for outgoing payments. This setup makes eXch’s interaction with a user visible, significantly reducing privacy.

However, in exchange for this loss of privacy, eXch claims that its customers, who need to have their funds pass through entities with AML requirements, should be relatively safe from having their funds frozen. According to eXch, their interactions are assigned a low-risk score, and funds directly coming from or having passed through eXch at any point will not typically be flagged by most crypto exchanges, including Binance, Coinbase, Gate.io, HTX, Kraken, Gemini, OKX, KuCoin, and Poloniex.

Conversely, their mixed pool will have “high risks of frozen funds at major exchanges due to high risk score given by chain analysis platforms.”

In a March 15th, 2025 press release, the founder of eXch clearly expressed this dual nature:

“When eXch was established, our objective was to provide a balanced solution that bridged the gap between mixers and government-regulated entities like compliant centralized exchanges (CEX). We anticipated that our approach would be appreciated, as we are neither a mixer nor a CEX that disregards user privacy.”

And as such, eXch has found its audience. eXch particularly profited from the heavy regulatory pressure placed on CEXes concerning privacy coins, namely Monero and Zcash, which are notoriously difficult to trace with blockchain forensics and are tools of choice for criminals, even outside the crypto spectrum. Most of those CEXes ended up being forced to ban them between 2022 and 2024.

Although centralized entities are usually not the go-to place for privacy-minded Monero buyers, eXch built itself a relatively good reputation and has seen some Monero users flocking to it.

The eXch shroud of privacy extends beyond its users, as its creator and possible employees are unknown to this day.

Nevertheless, tracks left here and there lead us to believe eXch may have European roots.

The European Roots of eXch?

On the website’s Q&A page, eXch affirms that they are a company registered in Belize, a country on the north-eastern coast of Central America.

Although that’s where they are registered, it appears that’s neither where eXch sprang from nor where they operate today.

In a 2024 report on eXch titled “Investigating Hackers’, Exploiters’ Favorite Instant Crypto Exchange,” crypto sleuth 0xFantasy reveals that while investigating eXch’s first traces on the BitcoinTalk forum back in 2014, they found enough evidence to allege that the eXch creator was “A male, non-native English speaker, ex-smoker, interested in privacy, cybersecurity, Porsches, and 90’s era music and film, favorite game Lineage 2, and likely living in Austria (Innsbruck) or Germany.”

While digging a bit more into this, we discovered that the exch.cx website was hosted in France (usually, the closer a server is to you, the lower the latency); that CentralNic Ltd, the company responsible for registering and managing the domain name, was UK-based; and that the administrative and technical contact for the domain is associated with an address in Roches, Switzerland.

Source: Gridinsoft

This information suggests a high possibility that eXch could be European-based, due to the website’s hosting in France and the administrative and technical contact in Switzerland, but it doesn’t definitively prove it, as domain registration and web hosting can be handled by entities in different countries.

Here too, it could be a set of coincidences, but on the contact page, the languages in which users can communicate with the team, besides English, list German first, then two other European languages, Spanish and Ukrainian.

“While communication in English is preferred, we speak the following languages too: German, Spanish, Russian, Ukrainian” — eXch

European roots or not, eXch, by its privacy-enhancing design, has become a tool of choice for money launderers, including DPRK threat groups.

eXch: a Money Laundering Hotbed Used in the Bybit Hack

eXch, by its design, ticks all the boxes for money laundering for criminally-minded entities. It ensures anonymity, offers mixing and untraceability, and provides access to the nearly untraceable cryptocurrency Monero (XMR).

According to Arkham data, starting in Q2 of 2024, eXch saw some degree of growth that likely made it even more attractive to criminals needing higher pool liquidity to launder massive amounts of funds.

Source: Arkham

It is important to note that Arkham does not appear to account for Monero and Litecoin data and movement, which are also key liquid currencies within eXch. Therefore, this data should be viewed as an overall trend rather than precise data, primarily reflecting the movement of Bitcoin, Ethereum, DAI, USDT, and USDC.

Since the start of 2024, eXch has been increasingly tracked in criminal incidents, including the $26 million Fixed Float heist in February 2024 and the $243 million Gemini phishing attack in August 2024.

And of course, the February 2025 Bybit hack.

The Use of eXch in the Bybit Hack

Numerous blockchain security firms and blockchain forensic specialists were able to trace part of the stolen Bybit funds back to eXch, over $94 million in total.

Source: eXch

The day after the hack, eXch was already implicated in Bybit’s fund laundering operations, with 5,000 stolen ETH laundered through it and later converted to Bitcoin via the coin swapper Chainflip.

According to the blockchain security firm Elliptic, tens of millions of dollars in cryptocurrency flowed through eXch, which created a noticeable spike in daily Bitcoin trading volume following the Bybit hack.

Source: Elliptic

Using the Wayback Machine, we analyzed the Proof of Reserves and 24-hour volume activity displayed on the eXch interface to study fund movements on the platform between February 21st and February 24th. February 15th was chosen as a random “normal activity day” for comparison.

What stands out immediately is the unusually high volume for Bitcoin, Ethereum, and to a lesser extent, Monero (XMR) and the unfrozen stablecoin DAI. It’s important to note that eXch wasn’t exclusively used by TraderTraitor during these days, making it difficult to pinpoint exactly how they may have moved their funds. Additionally, all traces of these funds vanished during the mixing process. However, it’s not out of the question that TraderTraitor exchanged their ETH for more than Bitcoin, as XMR and DAI are often used in money laundering activities due to their privacy features.

eXch Volume February 15th, 2025
eXch Volume February 21–22, 2025
eXch Volume February 22–23, 2025
eXch Volume February 23–24, 2025

The reason they stopped at around $94 million may have been due to the extremely low BTC reserves left on February 24th, especially if eXch did not replenish them in time. Regardless, they swapped most of the remaining stolen funds — almost $1.2 billion — through ThorChain.

North Korean threat groups were not new to eXch. Blockchain security firm Match System, among others, reported spotting them in 2024 in several instances.

DPRK APT Fund flows to eXch — Source: Match System

In response to the criminal use of its platform, eXch denied involvement, rebuffed claims, and resisted assisting Bybit.

Rebuttal and Resistance Against Bybit — A Long-Standing Feud

On February 23rd and March 15th, the eXch administrator took to the Bitcoin Talk forum to share the platform’s official stance regarding the Bybit funds funneled through their system.

The Denial

On February 23rd, they first denied being extensively used by TraderTraitor, instead acknowledging that only an ‘insignificant portion of funds’ was processed in ‘an isolated incident,’ with any fees generated from it to be donated.

Source: Bitcoin Talk

For eXch, the discovery of tracks linking tens of millions in DPRK-tainted funds to their platform is nothing more than a byproduct of a ‘constant attack on our exchange by a small group of people abusing their influence.’

This sentiment was reiterated in a press release published on Bitcoin Talk on March 15th, 2025.

In the release, eXch claims that after an investigation, they found the fund flows were mistakenly attributed to their platform. In reality, the transactions were linked to a new Bitcoin privacy service, which generates transactions resembling their rebalancing operations through ThorChain. Furthermore, according to them, mixers are using eXch as their backend, leading to tainted funds ending up in their mixed pool.

Source: Bitcoin Talk

This time, however, they decided to name-and-shame the ‘small group of people abusing their influence.’ In summary, they accuse notable figures such as crypto sleuth ZachXBT and Nick Bax of being ‘wannabe-researchers,’ while calling blockchain security firm Slowmist ‘the one-man company who hates eXch most.’ eXch claims that these individuals are conspiring to bring down the platform by misleading the public into thinking it is massively involved in criminal processes.

Worse, they allege that either these individuals or members of the ‘white hat communities’ are involved in ‘conspiracy and malicious acts committed against eXch’s infrastructure in attempts to claim the Lazarus Bounty reward.’ They go on to list these alleged actions in great detail, including server takeovers and penetration testing.

Source: Bitcoin Talk

Wild, unbacked claims of sabotage aside, it is important to note that eXch did not offer any assistance in tracking the ‘insignificant portion of funds’ they identified, nor the funds from other mixers using eXch’s backend that ended up in their mixed pool.

The reason for their lack of cooperation in the Bybit case, beyond denying their involvement, lies in their long-standing policy of refusing to assist in criminal cases, whether by cooperating with blockchain security firms, blockchain forensics, or law enforcement, but also due to their ongoing feud with Bybit.

eXch, an Uncooperative Entity Feuding with Bybit

eXch has built its reputation on refusing to assist in criminal cases. While the platform typically responds to law enforcement requests, it never provides any meaningful information that could help track down questionable entities using their services.

eXch refuses to actively participate in hunting criminals, adhering to its commitment to censorship resistance. In this view, if ‘code is law,’ then their stance is one of ‘laissez-faire, laissez-passer.’

Their debonair, if not outright insolent, attitude toward the misuse of their platform — booping law enforcement on the nose, really — has solidified eXch’s reputation as a haven for crypto criminals. This has led to its widespread adoption in high-profile cases throughout 2024.

However, eXch lacks three key things that prevent it from becoming the platform of choice: a much higher level of liquidity, lower fees (as eXch is often considered on the pricey side), and an automated reserve-filling process. The current manual process can leave customers waiting for several hours, or even up to a full day, to complete a transaction.

Despite these drawbacks, many are willing to pay the price for the convenience and safety from scrutiny eXch provides.

Beyond its refusal to rub elbows with law enforcement, eXch would have been hard-pressed to help Bybit, given its long-standing feud with the platform.

Really, the eXch founder (probably) could not stomach the audacity of Bybit in asking them to provide any kind of help. And the response to Bybit’s email asking for help, shared by eXch, reflected just that!

Source: Chain Catcher

The root of the feud lies in the blacklisting of eXch by Bybit, at least since 2024, when, according to eXch, the CEX addresses were labeled as ‘high risk,’ and the resulting fund freeze by Bybit caused significant issues for customers of both platforms.

In an Open Demand Letter posted on January 15th, 2025, the eXch administrator requested that the IRS, DoJ, SEC, FBI, FDIC, FIOD, and OFAC use their ‘institutional power to force the following companies to stop discrimination and abuse against eXch,’ in accordance with ‘anti-monopoly market laws.’

At the top of the list of entities allegedly discriminating against eXch is Bybit, which is openly accused of ‘artificially lowering eXch’s risk score for intentional reputational influence,’ and of ‘preventing coins originating from eXch from entering their cryptocurrency wallet pools without any fair or legal ground for doing so.’

Source: Bitcoin Talk

With Bybit at the top of its hit list, it’s hard to envision eXch conceding to help them, even if they were more flexible on tracking funds in criminal cases.

Conclusion: Escalation and Downfall

It seems that the accusations leveled against the white hat community and blockchain security firms caused more reputational damage within the crypto community than their non-cooperation ever did. The March press release, in particular, reads like a series of unhinged and paranoid delusions written by the eXch team themselves.

They would have been better off sticking to their February statement and weathering the storm in silence. Especially at a time when their non-criminal user base is openly discussing abandoning the CEX due to its (unwilling) involvement with North Korean hackers.

For many, funds on the CEX are now tainted by criminal activity tied to the largest heist in history. Moreover, its association with North Korea could attract significant regulatory attention, particularly from US authorities. With that comes the risk of legal repercussions, similar to the fallout faced by users of Tornado Cash.

Had this been any other heist, eXch might have weathered the storm without much trouble. If this had happened three years ago, when privacy platforms sometimes used for criminal activities were largely left alone and not held accountable, eXch might not have even been mentioned.

But the crypto community has evolved, embracing a new paradigm where every actor is held accountable when dragged into criminal activity, even if they were unwilling participants.

It was clear that eXch would have to pay the price for staying true to its principles and refusing to reverse its stance on Bybit. According to Arkham data, within just two months, the exchange experienced a loss of 43 million in BTC, ETH, DAI, USDT, and USDC holdings — an astounding 98% drop since the end of January.

Source: Arkham

Just a week before, on March 17th, when we checked those same holdings, they were around $9 million.

Source: Arkham

Although Arkham, as previously mentioned, does not take into account XMR and LTC data — key currencies on the platform and crucial for understanding the true health of eXch as most holdings could be in LTC and XMR — we directly observed that both reserves and volumes of those currencies were at very low levels the week before this report was written.

Upon checking the 24h volume data provided by eXch on March 26th, we discovered that eXch had stopped providing it altogether. According to their website, the reason for its disappearance is ‘to enhance our customers’ privacy.’ Instead, they will now provide ‘monthly statistics only.’

Source: eXch.cx

The reason provided is, at best, flimsy. It seems more likely that by renouncing this transparency, the platform aims to avoid self-involvement in criminal cases by not directly providing data to outside observers — such as when we tracked the movement of funds on eXch shortly after the hack, when it was used by TraderTraitor.

We also hypothesized that this latest development may have stemmed from an attempt to conceal the true, desolate state of the platform — where everything seems to be at a standstill nowadays.

But on March 31st, the eXch founder announced major operational changes that answered this line of questioning. First, they revealed a jurisdictional merger with another company, effectively renouncing half of the company to “Bitcoin and privacy enthusiasts” in a bid to save their hides from per-pro-secution — or as they put it, to “reduce risks for (their) founding team.”

Secondly, a stablecoin delisting was announced, with USDT and USDC being removed from eXch. The reason: both Circle and Tether have the ability to blacklist and freeze tokens. Only DAI will be maintained.

Thirdly, eXch stated that they had ceased operating their static aggregation addresses for ETH and BTC liquidity, as they believe their efforts to provide transparency for users were “abused” by the white hat industry. Moving forward, they will conceal ETH and BTC flux in a way that ensures “nobody can associate the outputs with eXch as easily as before.”

Source: Bitcoin Talk

We can’t say that eXch is currently at a stalemate, as they have clearly chosen their side and stuck to their guns. Since they refuse to change, only time will tell if they can win back their core customers, as well as their unsavory ones, all while managing to slip through the cracks of regulatory bodies.

About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.

Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.


eXch.cx, Crypto Money Laundering and the Bybit Hack was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
