Crypto Mixer eXch Still Laundering Funds Post-Shutdown, TRM Labs Warns
Despite its official shutdown announcement, the notorious crypto mixer eXch continues to function as a laundering channel for illicit funds, according to a damning new report from TRM Labs.
On April 30, 2025, a day before eXch was scheduled to go offline, the platform removed all public-facing infrastructure, including clearnet and dark web domains.
However, TRM’s investigation reveals that the platform’s backend, specifically its API access, remains operational, facilitating ongoing fund movements consistent with its signature mixed-pool laundering model.
TRM links eXch to major cybercriminal operations, including the Lazarus Group’s record-breaking $1.5 billion Bybit hack and child sexual abuse material (CSAM) threat actors.
eXch’s Architecture: A Laundering Engine Hiding in Plain Sight
TRM Labs’ analysis shows that eXch’s so-called “shutdown” is largely superficial.
While the exchange’s website interfaces were disabled on April 27, its API infrastructure remained active and interacted with on-chain assets.
On April 30, TRM observed new transactions mimicking previous mixed-pool behavior patterns, particularly exposed to CSAM-related funding.
The core mechanism behind eXch’s obfuscation lies in its proprietary mixed-pool architecture, which breaks down deposits and combines them into liquidity pools that make origin tracing almost impossible.
This approach functions similarly to cryptocurrency swap services, allowing users to swap one token for another while depositing their tokens into pools reused for unrelated withdrawals.
As a result, a BTC deposit from a threat actor could easily fund a legitimate user’s withdrawal, thereby blending illicit and clean funds.
TRM found that eXch has already been exposed to over $300,000 in CSAM-related funds, and this exposure is expected to rise.
Even more alarming, the same eXch infrastructure was used simultaneously by CSAM-linked actors and Lazarus Group operatives, suggesting that the former group’s funds provided liquidity to launder the Bybit hackers’ assets.
While eXch outwardly positioned itself as a privacy-focused platform, it consistently obstructed attempts to uphold accountability across the ecosystem.
Following the Bybit attack, eXch refused to comply with fund-freezing requests, withdrawing all public disclosures about its coin liquidity.
This decision drew widespread criticism across the crypto industry, especially when other platforms were rallying to assist Bybit in freezing and recovering assets.
A History of Denial, Rebranding, and Mixed Signals
eXch’s history of controversial activity began long before the shutdown. On February 23, 2025, the exchange denied laundering funds for the Lazarus Group on the Bitcointalk forum, admitting only that an “insignificant portion” of Bybit’s stolen funds had passed through one of its addresses.
The platform claimed that fees from the transaction would be donated for the public good, downplaying the scale of its involvement.
Yet blockchain investigators offered a more troubling picture. On-chain analyst ZachXBT accused eXch of laundering $35 million from the Bybit hack.
In contrast, others like SlowMist and Nick Bax from the Security Alliance estimated the exchange processed $30 million in laundering volume.
Bybit’s assets dropped by over $5.3 billion after the theft, including $1.4 billion in Ethereum.
Even as evidence mounted, eXch continued to stonewall. It resisted Bybit’s request to freeze the remaining stolen assets, even sending emails expressing frustration over perceived slights in previous interactions.
The situation became murkier in late April when eXch abruptly suspended operations on April 27, citing “unspecified law enforcement actions.”
Hours later, the suspension notice disappeared, and the exchange resumed operations.
On April 28, it announced a leadership transition. A new team will take over the infrastructure from May 1, while the original team will remain consultants.
One recommendation from the outgoing leadership was to implement dedicated liquidity pools to mask connections to past operations.
Whether this is a sincere attempt at reform or merely a cosmetic rebranding effort is still unclear.
However, the remaining API access suggests that threat actors can continue using eXch’s anonymization tools, undermining its public claim that it is unwilling to launder criminal proceeds.
- How Tether Co-Founder William Quigley Views Crypto Regulations in Trump’s Second Term
- Trump Appoints PayPal Veteran David Sacks as ‘White House AI and Crypto Czar’
- XRP Price Ready for Comeback: Analysts See Bull Movement and Strong Potential for Upward Trend
- Ripple Behind Trump’s XRP Post? Could This Controversy Trigger a Rally to $1,000? (XRP Price Prediction)
- XRP Price Prediction: South Korean Investors Bet Big on Ripple, Can XRP Reach $5 in May?
Why Trust Cryptonews
Best Crypto ICOs
-
Solaxy (SOLX)
-
BTC Bull Token (BTCBULL)
-
Mind of Pepe (MIND)
-
Best Wallet Token (BEST)
-
SUBBD (SUBBD)
More Articles
in numbers
