eXch Remains Active Despite Shutdown: How the Bybit Hack-linked Exchange Continues to Enable Laundering of CSAM Funds


On April 30, 2025, one day before cryptocurrency exchange eXch’s announced shutdown (May 1, 2025), the platform removed all known public-facing infrastructure — including four clearnet and dark web domains. TRM Labs has linked the exchange to money laundering activity for Lazarus Group’s Bybit hack and identified a long-term laundering relationship with child sexual abuse material (CSAM) threat actors.

Key takeaways

  • Despite eXch’s announced shutdown, eXch continues to offer application programming interface (API) access to its business partners and TRM has observed continued on-chain activity — including laundering behavior consistent with its mixed-pool infrastructure.
  • TRM has found that eXch is one of the primary destinations for CSAM funds. We have identified that eXch has been directly exposed to more than USD 300,000 in CSAM-related funds. However, we expect this figure to increase as we continue our attribution on eXch.
  • eXch’s architecture introduces risk for investigators and compliance teams, as its mixed-pool model fragments transactions and shares liquidity across users — potentially linking illicit and legitimate flows in the same liquidity cycle. This complicates risk assessments and underscores the importance of rapid infrastructure labeling.

eXch’s on-chain activity following initial shutdown

eXch has said, “for a limited time,” it will continue to provide API access to its business partners, which include mixers and other on-chain privacy services. After eXch originally took its browser interface offline on April 27, 2025, TRM observed on-chain activity on April 30, 2025 similar to what we previously identified as eXch mixed-pool operations that are exposed to CSAM. This infrastructure remained active and interacted with newly withdrawn funds linked to CSAM over several days.

The proprietary mixed-pool mechanism is central to eXch’s architecture: it fragments and reshuffles inputs in a manner that mimics peer-to-peer transactions. eXch designed the structure to obfuscate the source and destination of funds and complicate blockchain tracing through multiple chains.

This on-chain activity — alongside eXch’s own disclosure that certain API access remained available — suggests that CSAM-linked actors may have continued to use eXch infrastructure during this period. 

eXch’s links to the Bybit hack

Following the Bybit hack on February 21, 2025 — in which North Korean state-linked cybercriminal group Lazarus stole a record USD 1.5 billion in Ethereum (ETH) from the Dubai-based cryptocurrency exchange — allegations emerged that the group was using eXch to launder the funds. eXch then discreetly withdrew public disclosures of its coin liquidity. This was likely intended to limit traceable associations between its asset balances and ongoing laundering flows.

Example flow of Bybit Exploit funds moving through eXch and bridging back and forth between ETH and Bitcoin (BTC)
Screenshot of eXch.cx in its Tor browser version, April 27, 2025

Although eXch publicly positioned itself as a privacy-focused exchange, it developed a reputation for obstructing ecosystem accountability, as demonstrated by its refusal to assist Bybit in freezing funds potentially connected to the hack (see below). Its persistent refusal to cooperate at a time when the cryptocurrency industry was largely united to assist a fellow platform quickly thrust eXch into the spotlight.

eXch email reply to Bybit risk team refusing to freeze funds linked to the hack

eXch’s CSAM links

TRM’s analysis has found that eXch is one of the primary destinations for CSAM funds. We have identified that eXch has been exposed to more than USD 300,000 in CSAM-related funds. However, we expect these figures to increase as our attribution on eXch continues. 

Following the Bybit cyber attack, for example, TRM analysts observed an unexpected on-chain event where CSAM threat actors and North Korean state-linked actors behind the crypto theft simultaneously deposited and withdrew funds using the eXch infrastructure. On this occasion, CSAM payments were used to provide liquidity for the assets the Bybit hackers swapped as part of their laundering process.

This underscores the critical role of TRM’s attribution work to identify eXch’s infrastructure. Without mapping its infrastructure, on-chain risk assessments could be misinterpreted and lead to incorrect assumptions about the risk level of outgoing transactions from the service, or the true destination of funds initially linked to CSAM.

CSAM threat actors depositing funds to eXch at the same time that North Korean state actors withdraw recently converted funds

What is a mixed pool and how does it work?

According to eXch, “In a mixed pool all received and sent transactions are mixed together and there is no way to discover how many people are behind certain addresses and traceability is extremely difficult, which is very good for privacy but bad for risk scoring.”

Despite similarities in name to traditional cryptocurrency mixers, eXch’s mixed pool mechanism functions more like a cryptocurrency swap service. Users can swap one coin (e.g., BTC) with another (e.g., Monero [XMR]). During this process, deposits of the same token type, such as BTC, are pooled together and reused as liquidity for other users’ withdrawals.

For example, BTC deposited by a threat actor could later be used to finance a BTC withdrawal from an unrelated user. The liquidity-sharing model complicates attribution as it introduces the possibility that illicit deposits are indirectly linked to legitimate withdrawals, especially if those transactions occur within the same liquidity cycle.

This obfuscation has meaningful implications for investigators. Tracking fund flows through eXch requires more than standard transaction tracing; it demands rapid identification of its infrastructure and a deep understanding of how its pooled liquidity operates. This highlights the critical role of blockchain intelligence tools, such as TRM Labs, in identifying and mapping such non-transparent mechanisms.

Notably, eXch’s architecture does not appear to scrutinize the origin of incoming funds. Combined with the service’s opaque infrastructure, risk associated with illicit deposits could unintentionally spread to otherwise unrelated withdrawals. Without clear attribution, these withdrawals could be blocked or mischaracterized, further underscoring the importance of proactive infrastructure labeling and monitoring.
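The liquidity-sharing effect described above can be made concrete with a small model. This is an added example, not TRM's methodology or eXch's actual mechanism: it assumes a single-asset pool and a proportional ("haircut") exposure rule, and every user name and amount is constructed sample data.

```python
# Added illustration: proportional ("haircut") exposure through a shared pool.
# Assumption: each withdrawal carries the pool's current flagged fraction.
# All events below are constructed sample data, not observed transactions.
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Event:
    kind: str               # "deposit" or "withdraw"
    user: str               # hypothetical label for the counterparty
    amount: Fraction        # units of one pooled asset (e.g. BTC)
    flagged: bool = False   # deposit attributed to an illicit source


def pool_exposure(events):
    """Return [(user, amount, flagged_share)] for every withdrawal, in order."""
    balance = Fraction(0)   # total liquidity currently in the pool
    flagged = Fraction(0)   # portion of that liquidity traced to flagged deposits
    results = []
    for e in events:
        if e.kind == "deposit":
            balance += e.amount
            if e.flagged:
                flagged += e.amount
        elif e.kind == "withdraw":
            if e.amount > balance:
                raise ValueError(f"withdrawal by {e.user} exceeds pool liquidity")
            share = flagged / balance if balance else Fraction(0)
            results.append((e.user, e.amount, share))
            flagged -= e.amount * share   # flagged value leaves with the payout
            balance -= e.amount
        else:
            raise ValueError(f"unknown event kind: {e.kind}")
    return results


# Constructed timeline: one flagged deposit lands between unrelated swaps.
SAMPLE = [
    Event("deposit", "user_a", Fraction(7)),
    Event("withdraw", "user_e", Fraction(1)),   # before the flagged deposit
    Event("deposit", "flagged_actor", Fraction(2), flagged=True),
    Event("withdraw", "user_b", Fraction(4)),   # same liquidity cycle
    Event("deposit", "user_c", Fraction(4)),    # fresh liquidity dilutes the pool
    Event("withdraw", "user_d", Fraction(2)),
]

if __name__ == "__main__":
    for user, amount, share in pool_exposure(SAMPLE):
        print(f"{user}: withdrew {amount}, flagged share {float(share):.1%}")
```

In this model the withdrawal made before the flagged deposit carries no exposure, while later unrelated withdrawals inherit a share that shrinks as new deposits dilute the pool, which is why the timing of a withdrawal relative to the liquidity cycle matters for risk scoring.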

Mixed messaging: Operational pause or strategic pivot? 

Despite originally announcing its shutdown on April 17, 2025, eXch stated on April 27, 2025 that it was suspending its public interface’s activities that day, citing “unspecified law enforcement actions.” The exchange also said it was unwilling to launder criminal proceeds. However, eXch removed the message a few hours later, leaving no public record of its communication on this topic. On April 28, 2025, the platform resumed operations.

Suspending then quickly resuming its public-facing operations suggests that there may have been an internal disagreement. Alternatively, it may also have been a deliberate strategy to reduce on-chain visibility and scrutiny without disrupting its operations.

In the same announcement, eXch said that starting from May 1, 2025, a new team will handle its infrastructure. The former leadership will continue in a consulting capacity, providing guidance and recommendations. One of these recommendations is to create dedicated liquidity pools, which is likely an attempt to obscure on-chain ties to the previous eXch operations.

Will eXch rebrand?

It’s unclear whether eXch will completely shut down its remaining API operations or resume operations as a new service. However, the remaining API access continues to provide anonymization infrastructure for threat actors. TRM will continue to actively monitor eXch-linked indicators to ensure early detection of infrastructure reuse or rebranding, and to support investigators with timely, high-confidence attribution.
