Author: Scof, ChainCatcher
Editor: TB, ChainCatcher
On the evening of February 21, the exchange Bybit suffered the largest theft in history. Many institutions and individuals lent a hand to help Bybit through this crisis. Although the crisis has been temporarily controlled, the next key task is to try to track and intercept the hacker funds and recover the stolen assets.
However, in the past two days, the eXch platform has laundered more than 29,000 ETH stolen from Bybit by Lazarus hackers. The platform immediately attracted widespread attention in the crypto community, and many users said that despite their many years in the industry, they had never heard of the eXch project before.
So, what kind of platform is eXch? What role did it play in this incident?
What is eXch?
eXch is a centralized coin mixer that does not require KYC. The basic function of a coin mixer is to pool funds from different users, obscuring the link between the source and destination of transactions and making it difficult for external observers to trace the transaction path.
Users can freely exchange BTC, LTC, ETH, XMR and other tokens on eXch. After selecting the type and quantity of the token to be traded, and setting the receiving address and refund address, the platform will complete the transaction at the Bisq price (based on the median value of market transaction data). The exchange claims that its liquidity is not provided by a third party, but is stored on its own nodes.
Although it seems very convenient, users who have actually used eXch said that the experience is very bad: the handling fees and spreads are very high, and when liquidity is exhausted they have to wait for staff to send tokens manually, and the tokens are sometimes sent to the wrong address. Some community members even said that with handling fees and slippage this high (nearly 10%), only money laundering teams would use this platform.
There is currently no information about the eXch team on the Internet. There is only an X account named @exchcx that is certified as its representative, but the account has not been updated for more than a year.
eXch refuses to cooperate with Bybit to recover stolen funds
After the incident, Bybit's CEO began to seek support from all quarters, hoping to jointly intercept the stolen funds.
On February 22, on-chain detectives discovered that 5,000 stolen ETH had been laundered through eXch and converted to Bitcoin through Chainflip. In response to this discovery, Bybit asked eXch to block the funds and track their movements. However, eXch made the request public and refused to cooperate. In its reply to Bybit, eXch said that since its users had been banned by Bybit, it would not provide any help.
The community is divided on this:
- Some people believe that eXch, which allows money laundering, has served as a money laundering tool in the largest hacking incident in history, seriously damaging the credibility of the entire industry. Regulators are likely to intervene, and all platforms should block funds transferred through eXch. If anyone is still using the platform, they should withdraw their assets as soon as possible to avoid legal risks.
- Others believe that this incident was not a typical hacker attack, but a security lapse caused by a social engineering loophole. In their view, Bybit should bear the losses caused by its internal employees' failure to guard against phishing when signing multi-signature transactions, which reflects Bybit's own operational errors. eXch's refusal to cooperate may be related to Bybit's negative publicity about it over the years, so eXch has reason not to cooperate.
On February 23, eXch released a statement on bitcointalk, saying that it "will not launder money for Lazarus/DPRK" and that the funds from the previous attack on Bybit will be donated to various open source projects. It emphasized that this move is meant to protect the concept of decentralization ("not your keys, not your money"), and pointed out that THORChain has processed more black money than it has.
In response, many community members began to criticize eXch. Crypto KOL @tayvano_ joked about eXch's attempt to drag THORChain down with it, saying "because every time liquidity is exhausted, eXch will rely on Thorchain." Some users even suggested that all VASPs should directly blacklist eXch, arguing that what it does is money laundering.
And eXch’s response seems to always be the same slogan: maintaining the ideal of decentralization.
Is it necessary for a coin mixer to exist?
This is not the first time hackers have used eXch to launder coins.
In December 2024, in a theft reported by ZachXBT, the stolen funds eventually flowed to eXch for laundering, converted into LTC and put into the market. At that time, the stolen assets were worth 6.5 million US dollars.
In September 2024, economic data aggregator Truflation suffered a hacker attack, losing about $5 million, and funds were stolen from the treasury multi-signature and personal wallets. A month later, the Truflation attacker exchanged 1.37 million DAI for 500 ETH and transferred it to eXch.
In August 2024, an address involved in a phishing attack transferred 300 ETH to the eXch platform after stealing 55.4 million DAI.
The hackers who attacked Bybit started laundering coins yesterday afternoon. In the past 30 hours, they have used a large number of addresses, together with cross-chain exchange platforms and mixing platforms such as Chainflip, THORChain, LiFi, DLN, and eXch, to exchange 37,900 ETH (US$106 million) into BTC and other assets.
As this series of events occurred, more and more users began to reflect on the significance of the existence of mixers and questioned their compliance.
The function of the mixer itself is to protect user privacy and enhance the anonymity of funds. Because blockchain transaction records are open and transparent, it provides users with a certain degree of privacy protection. However, this tool has also become a hotbed for hackers, fraudsters and money laundering gangs. Illegal funds are often washed through the mixer, making it more difficult to track and recover stolen assets.
We cannot deny the significance of the existence of mixers, but as the metaphor of "Faust" suggests: if technological progress is separated from the shackles of morality, it will eventually become a deal with the devil. At this stage, the only thing we can be sure of is that a balance between privacy and compliance has to be found. More discussions and changes are needed to truly protect the interests of more users.