Author: Scof, ChainCatcher
Editor: TB, ChainCatcher
On the evening of February 21, the Bybit exchange suffered the largest theft in its history, and many institutions and individuals have stepped in to help Bybit through the crisis. Although the crisis has been temporarily brought under control, the key task ahead is to track down and intercept the hacker's funds and recover the stolen assets.
However, over the past two days, the eXch platform has laundered more than 29,000 ETH stolen from Bybit by the Lazarus hackers. The platform immediately attracted widespread attention in the crypto community, with many users saying that despite years in the industry they had never heard of eXch before.
So what kind of platform is eXch? What role did it play in this incident?
What is eXch?
eXch is a centralized mixer without KYC requirements. The basic function of a mixer is to pool different users' funds, obscuring the link between the source and destination of transactions and making it difficult for external observers to trace the transaction path.
Users can freely exchange tokens such as BTC, LTC, ETH, and XMR on eXch. After the user selects the token type and amount and sets a receiving address and a refund address, the platform completes the transaction at the Bisq price (a median value based on market trading data). The exchange also claims that its liquidity is not provided by third parties but is stored on its own nodes.
Although this sounds convenient, people who have actually used eXch say the experience is very poor: fees and spreads are high, and when liquidity is depleted users have to wait for staff to send the tokens manually, sometimes even to the wrong address. Some community members even said that with such high fees and slippage (nearly 10%), only money laundering teams would use this platform.
Currently, there is no information about the eXch team on the internet. Only an X account named @exchcx is recognized as its representative, and this account has not been updated for more than a year.
eXch refuses to cooperate with Bybit to recover the stolen funds
After the incident, Bybit's CEO began seeking support from all walks of life, hoping to jointly intercept the stolen funds.
On February 22, on-chain detectives found that 5,000 ETH of the stolen funds had been laundered through eXch and converted to BTC through Chainflip. In response to this discovery, Bybit asked eXch to block the funds and track their movements. However, eXch made the request public and refused to cooperate. In its reply to Bybit's email, eXch said it would not provide any assistance because its users had previously been banned by Bybit.
The community is split on this:
Some believe that eXch serving as a money laundering tool in the largest hacking incident in history has seriously damaged the reputation of the entire industry. Regulatory authorities are likely to intervene, and all platforms should block funds transferred through eXch. Anyone still using the platform should withdraw their assets as soon as possible to avoid legal risk.
Others believe that this incident is not a typical hacking attack, but a security breach caused by a social engineering vulnerability. In this view, Bybit should bear the loss, which was caused by its internal employees' failure to prevent a phishing attack when signing multi-signature transactions and reflects Bybit's own operational mistakes. eXch's refusal to cooperate may be related to Bybit's negative publicity against it over the years, so eXch has reason not to cooperate.
On February 23, eXch issued a statement on Bitcointalk, stating that "they will not launder money for Lazarus/DPRK" and that the funds they previously handled from the attack on Bybit will be donated to various open-source projects. They emphasized that this move is to protect the idea of decentralization (not your keys, not your money), and pointed out that THORChain has handled more dirty money than them.
In response, many community members began to criticize eXch. Crypto KOL @tayvano_ mocked eXch's attempt to discredit THORChain, saying "because whenever liquidity is depleted, eXch will have to rely on THORChain." Some users even suggested that all VASPs blacklist eXch outright, arguing that what it does is simply money laundering.
But eXch's response always seems to be the same slogan: upholding the ideal of decentralization.
Is there a need for mixers to exist?
This is not the first time that hackers have used eXch to launder stolen funds.
In December 2024, in an incident reported by ZachXBT, the stolen funds ultimately flowed to eXch for laundering, where they were converted to LTC and put into the market. The stolen assets were worth $6.5 million at the time.
In September 2024, the data aggregator Truflation was hacked, losing about $5 million, with funds stolen from multi-signature vaults and personal wallets. A month later, the Truflation attacker exchanged 1.37 million DAI for 500 ETH and transferred it to eXch.
In August 2024, an address involved in a phishing attack transferred 300 ETH to the eXch platform after stealing 55.4 million DAI.
After this series of incidents, more and more users have begun to reflect on why mixers exist and to question their compliance.
The function of a mixer is to protect user privacy and enhance the anonymity of funds. Because blockchain transaction records are transparent, mixers give users a certain degree of privacy protection. However, the same tool has also become a breeding ground for hackers, scammers and money laundering gangs: illegal funds are often laundered through mixers, making it more difficult to track and recover stolen assets.
We cannot deny that mixers have a reason to exist, but as the metaphor of "Faust" suggests, if technological progress is divorced from the constraints of morality, it eventually becomes a deal with the devil. At this stage, the only thing we can be sure of is that finding a balance between privacy and compliance requires more discussion and reform to truly protect the interests of more users.