Despite April Shutdown, eXch Crypto Laundering Platform May Still Be Operating in Stealth Mode

German authorities shut down crypto exchange eXch in April after years of allegedly facilitating money laundering activity for hackers and cybercriminals.

The platform, which never implemented Know Your Customer checks, was best known for its instant cryptocurrency swapper, allowing bad actors to fly under the radar.

Among eXch’s clients was the Lazarus Group. The North Korean state-backed hacking unit thrust eXch into the spotlight back in February, when it used the platform to funnel some of the $1.4 billion it stole from crypto exchange Bybit.

When Bybit traced its stolen funds to eXch and requested assistance, the exchange refused. This led to a fierce discussion over privacy versus security, but ultimately, eXch announced it would close its doors on April 17.

However, according to security firm TRM Labs, the platform may have continued operating in stealth mode after the takedown. Here’s the rise, fall and afterlife of alleged crypto laundromat eXch.

eXch shuts front door, keeps back door unlocked

Alongside its shutdown announcement, eXch posted a message claiming it would not facilitate criminal proceeds. The post was removed within hours, and operations quietly resumed — signs of an internal disagreement or perhaps even a calculated attempt to lower visibility, according to TRM.

German authorities seized eXch’s servers and confiscated 34 million euros ($38 million) in crypto, along with more than eight terabytes of data, effectively dismantling its public-facing infrastructure.

Related: North Korean spy slips up, reveals ties in fake job interview

“Just like we saw with Garantex rebranding as Grinex, eXch didn’t fully die after the shutdown. It quietly kept servicing a handful of partners via API, which meant laundering activity continued even after the public takedown,” said Jeremiah O’Connor, co-founder and chief technology officer of security firm Trugard.

O’Connor added that it’s not unlikely for such platforms to serve loyal customers even after seizures.

“The people behind eXch.ch took full advantage of operating across multiple countries. The domain was registered through a UK-based provider, listed Switzerland as an admin location, hosted infrastructure in France, and had servers seized in Germany,” O’Connor said.

It’s still unclear if eXch will kill its API or come back under a new name. TRM said in the May 2 blog post that the platform’s remaining back-end access continued to provide anonymization infrastructure for threat actors.

No KYC, pooled liquidity draws illicit funds to eXch

EXch’s origins trace back to 2014, according to “Fantasy,” lead investigator at crypto insurance firm Fairside Network. In an October 2024 investigation, Fantasy identified the platform’s first public appearance as a BitcoinTalk forum account promoting automatic swaps between Bitcoin (BTC), Perfect Money and BTC-e vouchers — payment methods commonly associated with high-risk transactions.

Fantasy also traced the original Bitcoin wallet tied to eXch and found it was likely funded via BTC-e, the now-defunct crypto exchange shuttered by US authorities in 2017 for its role in laundering criminal proceeds.

Fantasy’s forensic research found that the modernized form of eXch emerged in 2022, when its Ethereum hot wallet was first funded. Not long after, it became a hub for prominent crypto drainers.

Monkey Drainer — the first known large-scale drainer-as-a-service operator — used eXch before its retirement. Other draining service providers like Pink Drainer and Inferno Drainer also passed funds through the platform, along with several major exploiters.

EXch required no identity verification, allowing users to move funds with anonymity. That made it an attractive tool for cybercriminals looking to clean stolen assets.

“EXch managed to stay active for years — despite facilitating obvious illicit activity — because there’s still a big gap between what regulators ‘can’ do and how fast technology is moving,” Amit Levin, former investigator at Binance, told Cointelegraph.

The platform also drew confidence from threat actors by using a pooled liquidity system that blended user deposits and withdrawals, making it difficult for investigators and law enforcement to trace the flow of funds.

When eXch knew and did nothing

EXch denied laundering funds for North Korean crypto hackers, and in its shutdown notice, it framed the project as an attempt by privacy enthusiasts to “restore balance” in the industry. It criticized Anti-Money Laundering enforcement and condemned companies offering address risk scoring APIs as “parasites” profiting off government fear.

“Service providers in the crypto space are, for the most part, not decentralized; that is, they retain control over or access to customers’ assets, as demonstrated in the case of eXch,” Gal Arad Cohen, partner at S. Horowitz & Co, told Cointelegraph.