eXch, once a popular crypto swapper among hackers and drainers due to its lack of Know Your Customer (KYC) checks, was shut down by German police in April. However, ongoing activity suggests the platform might still be operating in stealth mode. This article delves into the rise, fall, and potential afterlife of eXch, a platform allegedly used for crypto laundering.
eXch: A Haven for Illicit Crypto Transactions
eXch operated as an instant crypto swapper, allowing users to exchange cryptocurrencies without providing personal information. This anonymity made it attractive to cybercriminals, including the Lazarus Group, a North Korean state-backed hacking unit. The Lazarus Group used eXch to funnel funds stolen from Bybit, a crypto exchange. When Bybit traced the stolen funds to eXch and requested assistance, the platform refused.
Following the Bybit incident, eXch announced it would close its doors on April 17. On April 30, German authorities officially seized eXch’s servers and confiscated 34 million euros ($38 million) in crypto and eight terabytes of data.
Stealth Mode Operations
Despite the shutdown, security firm TRM Labs reported that eXch might have continued operating in stealth mode. After announcing its shutdown, eXch posted a message claiming it would no longer facilitate criminal proceeds, but the message was quickly removed, and operations quietly resumed. This could indicate internal disagreements or a calculated attempt to lower visibility.

Jeremiah O’Connor, co-founder and chief technology officer of security firm Trugard, noted that eXch’s continued activity is similar to what happened with Garantex, a sanctioned exchange that rebranded as Grinex. eXch may have continued servicing a select group of partners via API, allowing laundering activity to persist even after the public takedown.
O’Connor also pointed out that eXch took advantage of operating across multiple countries. The domain was registered through a UK-based provider, listed Switzerland as an admin location, hosted infrastructure in France, and had servers seized in Germany.
eXch’s Origins and Rise
According to “Fantasy,” lead investigator at crypto insurance firm Fairside Network, eXch’s origins trace back to 2014. The platform first surfaced through a BitcoinTalk forum account promoting automatic swaps between Bitcoin (BTC), Perfect Money, and BTC-e vouchers. These payment methods were commonly associated with high-risk transactions.
The modernized form of eXch emerged in 2022, becoming a hub for prominent crypto drainers, including Monkey Drainer, Pink Drainer, and Inferno Drainer. These services used eXch to move funds due to its no-KYC policy.

Why eXch Remained Active
Amit Levin, former investigator at Binance, explained that eXch remained active for years because of the gap between what regulators can do and how fast technology is moving. The lack of registration, KYC, and accountability made enforcement nearly impossible.
eXch also used a pooled liquidity system, blending user deposits and withdrawals, making it difficult to trace the flow of funds.
eXch’s Response and Future
eXch denied laundering funds for North Korean crypto hackers and framed the project as an attempt to restore balance in the industry. The platform criticized Anti-Money Laundering enforcement and companies offering address risk scoring APIs.
Gal Arad Cohen, partner at S. Horowitz & Co, stated that financial intermediaries operating in the crypto sector should be held to standards and regulatory requirements equivalent to those applied to traditional financial service providers.
While the closure of eXch is a win for crypto, Alex Katz, CEO of security firm Kerberus, warned that bad actors could migrate to alternative projects like THORChain. In the Bybit hack, THORChain was used to swap around 500,000 Ether (ETH) to Bitcoin.

eXch stated that its partners would retain access to its API for a limited time, with future operations depending on a new management team. The old team recommended setting up new liquidity pools and offered consultations. eXch signed off with the message, “Privacy is not a crime.”
German authorities reported that $1.9 billion in crypto has flowed into eXch since its inception. Its operators are suspected of commercial money laundering and running a criminal trading platform.
Key Takeaways:
- eXch was a no-KYC crypto swapper popular among cybercriminals.
- The Lazarus Group used it to launder funds from the Bybit hack.
- German police shut down eXch in April, but activity suggests it might still be operating.
- eXch’s pooled liquidity system and lack of KYC made it difficult to trace funds.
- The platform’s operators are suspected of commercial money laundering.