eXch, once favored by hackers, continues operations despite German shutdown

eXch, a platform once favored by hackers and cybercriminals for its lack of Know Your Customer (KYC) checks, was shut down by German police in April. However, recent activity suggests that the platform may still be operational in some capacity. eXchXCH-- acted more like an instant swapper, allowing bad actors to move funds anonymously for years. One of its notable clients was the Lazarus Group, a North Korean state-backed hacking unit that used eXch to launder some of the $1.4 billion it stole from Bybit in February. When Bybit traced the stolen funds to eXch and requested assistance, the platform refused, leading to a debate over privacy versus security. Ultimately, eXch announced its closure on April 17, and German authorities seized its servers and confiscated 34 million euros ($38 million) in crypto, along with more than eight terabytes of data, on April 30.

Despite the shutdown, security firm TRM Labs reported that eXch may have continued operating in stealth mode. The platform posted a message claiming it would not facilitate criminal proceeds, but the post was removed within hours, and operations quietly resumed. This suggests an internal disagreement or a calculated attempt to lower visibility. Jeremiah O’Connor, co-founder and chief technology officer of security firm Trugard, noted that it is not uncommon for such platforms to continue servicing loyal customers even after seizures. eXch’s infrastructure was spread across multiple countries, with the domain registered through a UK-based provider, listed Switzerland as an admin location, hosted infrastructure in France, and had servers seized in Germany. It remains unclear if eXch will kill its API or reemerge under a new name, but TRM Labs indicated that the platform’s remaining back-end access continued to provide anonymization infrastructure for threat actors.

eXch’s origins date back to 2014, according to “Fantasy,” lead investigator at crypto insurance firm Fairside Network. The platform first appeared on a BitcoinTalk forum account promoting automatic swaps between Bitcoin (BTC), Perfect Money, and BTC-e vouchers. Fantasy traced the original Bitcoin wallet tied to eXch and found it was likely funded via BTC-e, a now-defunct crypto exchange shuttered by US authorities in 2017 for its role in laundering criminal proceeds. The modernized form of eXch emerged in 2022, becoming a hub for prominent crypto drainers such as Monkey Drainer, Pink Drainer, and Inferno Drainer, along with several major exploiters. eXch required no identity verification, making it an attractive tool for cybercriminals looking to clean stolen assets. Amit Levin, former investigator at Binance, highlighted the gap between regulatory capabilities and the speed of technological advancements, making enforcement challenging. The platform also used a pooled liquidity system that blended user deposits and withdrawals, complicating the tracing of funds.

eXch denied laundering funds for North Korean crypto hackers and framed its project as an attempt by privacy enthusiasts to “restore balance” in the industry. It criticized Anti-Money Laundering enforcement and condemned companies offering address risk scoring APIs as “parasites” profiting off government fear. Gal Arad Cohen, partner at S. Horowitz & Co, emphasized that financial intermediaries in the crypto sector should be held to equivalent standards and regulatory requirements as traditional financial service providers. The closure of eXch was seen as a “huge win” for crypto by Alex Katz, CEO of security firm Kerberus, but he warned that bad actors could migrate to alternative projects like THORChain, which was mentioned in eXch’s farewell manifesto. In the Bybit hack, THORChain was used as the main bridge to swap around 500,000 Ether (ETH) to Bitcoin. eXch’s operators stated that its partners would retain access to its API for a limited time, with future operations depending on the “new management team.” The old team recommended setting up new liquidity pools to maintain seamless functionality and offered consultations. eXch signed off with a defiant message: “Privacy is not a crime.” German authorities reported that $1.9 billion in crypto flowed into eXch since its inception, with its operators suspected of commercial money laundering and running a criminal trading platform.