Crypto Mixer eXch Still Laundering Funds Post-Shutdown, TRM Labs Warns

Despite its official shutdown announcement, the notorious crypto mixer eXch continues to function as a laundering channel for illicit funds, according to a damning new report from TRM Labs. On April 30, 2025, a day before eXch was scheduled to go offline, the platform removed all public-facing infrastructure, including clearnet and dark web domains. However, TRM’s investigation reveals that the platform’s backend, specifically its API access, remains operational, facilitating ongoing fund movements consistent with its signature mixed-pool laundering model. Cryptocurrency exchange eXch, linked by TRM to laundering in the Feb 21 Bybit hack, has shut down — but activity persists via its API. More than USD 300,000 in CSAM-related funds have been traced through eXch. Learn more here https://t.co/SBcOt2s2gm pic.twitter.com/z6o3dnQxTI— TRM Labs (@trmlabs) May 2, 2025TRM links eXch to major cybercriminal operations, including the Lazarus Group’s record-breaking $1.5 billion Bybit hack and child sexual abuse material (CSAM) threat actors.eXch’s Architecture: A Laundering Engine Hiding in Plain SightTRM Labs’ analysis shows that eXch’s so-called “shutdown” is largely superficial. While the exchange’s website interfaces were disabled on April 27, its API infrastructure remained active and interacted with on-chain assets. Privacy-focused crypto exchange eXch will shut down on May 1 following scrutiny over alleged ties to North Korea’s Lazarus Group.#bybithack #eXchhttps://t.co/ZXQCBVbotz— Cryptonews.com (@cryptonews) April 18, 2025On April 30, TRM observed new transactions mimicking previous mixed-pool behavior patterns, particularly exposed to CSAM-related funding. The core mechanism behind eXch’s obfuscation lies in its proprietary mixed-pool architecture, which breaks down deposits and combines them into liquidity pools that make origin tracing almost impossible.This approach functions similarly to cryptocurrency swap services, allowing users to swap one token for another while depositing their tokens into pools reused for unrelated withdrawals. As a result, a BTC deposit from a threat actor could easily fund a legitimate user’s withdrawal, thereby blending illicit and clean funds. TRM found that eXch has already been exposed to over $300,000 in CSAM-related funds, and this exposure is expected to rise. Source: TRMLabsEven more alarming, the same eXch infrastructure was used simultaneously by CSAM-linked actors and Lazarus Group operatives, suggesting that the former group’s funds provided liquidity to launder the Bybit hackers’ assets. While eXch outwardly positioned itself as a privacy-focused platform, it consistently obstructed attempts to uphold accountability across the ecosystem. Following the Bybit attack, eXch refused to comply with fund-freezing requests, withdrawing all public disclosures about its coin liquidity. This decision drew widespread criticism across the crypto industry, especially when other platforms were rallying to assist Bybit in freezing and recovering assets.A History of Denial, Rebranding, and Mixed SignalseXch’s history of controversial activity began long before the shutdown. On February 23, 2025, the exchange denied laundering funds for the Lazarus Group on the Bitcointalk forum, admitting only that an “insignificant portion” of Bybit’s stolen funds had passed through one of its addresses. eXch has denied allegations of laundering money for North Korea’s #Lazarus Group following the $1.4 billion hack on @Bybit_Official on February 21.#eXch #Bybithttps://t.co/FWTnP5hiJS— Cryptonews.com (@cryptonews) February 24, 2025The platform claimed that fees from the transaction would be donated for the public good, downplaying the scale of its involvement.Yet blockchain investigators offered a more troubling picture. On-chain analyst ZachXBT accused eXch of laundering $35 million from the Bybit hack. In contrast, others like SlowMist and Nick Bax from the Security Alliance estimated the exchange processed $30 million in laundering volume. Bybit’s assets dropped by over $5.3 billion after the theft, including $1.4 billion in Ethereum.At this point is really not about bybit or any entity, it's about our general approach towards hackers as an industry, really hope that @eXch can reconsider and help us to block funds outflowing from them. We are also getting help from Interpool and international regulatory... https://t.co/wRzN925X9l— Ben Zhou (@benbybit) February 23, 2025Even as evidence mounted, eXch continued to stonewall. It resisted Bybit’s request to freeze the remaining stolen assets, even sending emails expressing frustration over perceived slights in previous interactions. The situation became murkier in late April when eXch abruptly suspended operations on April 27, citing “unspecified law enforcement actions.” Hours later, the suspension notice disappeared, and the exchange resumed operations. On April 28, it announced a leadership transition. A new team will take over the infrastructure from May 1, while the original team will remain consultants.One recommendation from the outgoing leadership was to implement dedicated liquidity pools to mask connections to past operations. Whether this is a sincere attempt at reform or merely a cosmetic rebranding effort is still unclear. However, the remaining API access suggests that threat actors can continue using eXch’s anonymization tools, undermining its public claim that it is unwilling to launder criminal proceeds.The post Crypto Mixer eXch Still Laundering Funds Post-Shutdown, TRM Labs Warns appeared first on Cryptonews.