Crypto exchange eXch to shut down, following allegations it laundered $1.4bn from Bybit hack
eXch, a privacy-focused cryptocurrency exchange company, has announced it will discontinue operations on May 1, 2025, following allegations that it facilitated the laundering of funds stolen in a historic $1.4 billion hack of Bybit.
The decision comes as the exchange faces intense scrutiny from a transatlantic law enforcement operation targeting its alleged role in processing illicit funds linked to North Korea’s notorious Lazarus Group.
In a statement released on April 17, eXch’s management team revealed they had voted to “cease and retreat” rather than continue operating in what they described as a “hostile environment” shaped by Signals Intelligence (SIGINT) targeting and misinterpretations of their privacy-focused mission.
The platform, a non-KYC (Know Your Customer) exchange known for its minimal user verification requirements, initially denied claims from blockchain investigators that it had laundered digital assets for the Lazarus Group, a state-sponsored North Korean hacking syndicate.
However, the exchange later admitted to processing an “insignificant portion” of the stolen funds, estimated at roughly $35 million, from the February 21, 2025, hack of Dubai-based exchange Bybit.
In its announcement, the exchange emphasised its commitment to user privacy, criticising other exchanges for imposing “nonsensical policies” in their efforts to combat money laundering.
“We have demonstrated the feasibility of running operations without imposing unfair policies on our customers,” the exchange stated. It also denied enabling illicit activities such as money laundering or terrorism.
The Bybit hack, described as the largest cryptocurrency theft in history, saw hackers, later identified as the Lazarus Group, steal approximately $1.5 billion in Ethereum tokens by exploiting vulnerabilities in Bybit’s multisig cold wallet system. The breach, which occurred during a routine transfer, involved malware that tricked the exchange into approving malicious transactions.
Bybit CEO Ben Zhou revealed that the hack was facilitated through a compromised developer machine tied to Safe{Wallet}, a software provider used by the exchange. The incident triggered a massive $5 billion in user withdrawals, raising fears of insolvency, though Zhou assured clients that Bybit’s treasury could cover the losses if the funds were not recovered.
Blockchain analysis firms, including Elliptic and TRM Labs, confirmed the Lazarus Group’s involvement, noting that the stolen funds were rapidly laundered through decentralised exchanges (DEXs), cross-chain bridges, and platforms like eXch.
eXch allegedly refused the request to freeze the stolen Bybit funds
According to Elliptic, eXch processed tens of millions of dollars in stolen assets, earning significant fees while refusing Bybit’s requests to freeze the funds.
The refusal sparked controversy, with Bybit launching a bounty programme, Lazarus Bounty, which paid over $2 million to investigators who helped freeze approximately 89% of the stolen $1.4 billion by March 20, 2025.
Despite these efforts, analysts estimate that 20% of the funds remain unrecoverable, having “gone dark” through sophisticated laundering techniques.
The Lazarus Group, operating under North Korea’s Reconnaissance General Bureau, has been linked to over $6 billion in cryptocurrency thefts since 2017, with proceeds reportedly funding the regime’s ballistic missile program.
The group’s tactics in the Bybit hack included social engineering, phishing, and supply chain compromises, followed by a multi-stage laundering process. Stolen tokens were converted to Ether, dispersed across thousands of wallets, and swapped for Bitcoin and other assets on platforms like eXch and THORChain.
The speed and scale of the laundering, $160 million processed within 48 hours, underscored the group’s advanced capabilities, raising alarms about the crypto industry’s vulnerabilities.
The company’s closure highlights the growing regulatory pressure on non-KYC exchanges, which are increasingly viewed as potential conduits for illicit transactions. The exchange’s management lamented that their privacy-focused approach was misinterpreted, stating:
“We do not see any point in operating where we are the target of SIGINT simply because some people misinterpret our goals.”
The transatlantic operation targeting eXch, though not detailed publicly, is believed to involve U.S. and European authorities, with the FBI confirming the Lazarus Group’s role in the Bybit heist.
The FBI urged crypto platforms to block transactions linked to the group’s Ethereum addresses, warning that the funds were being dispersed across multiple blockchains for further laundering.
Meanwhile, Bybit has regained its pre-hack market share, holding roughly 7% of global crypto trading volume as of April 10, 2025.
However, the hack prompted the exchange to shutter some Web3 services and its non-fungible token marketplace, reflecting the broader impact on its operations. The incident has also reignited debates over decentralisation and anti-money laundering (AML) measures in the crypto industry.
Some protocols, like Chainflip and THORChain, faced internal debates over blocking illicit funds, with concerns that such actions could compromise their decentralised ethos. This shutdown marks a significant moment in the ongoing battle against crypto-related crime, as regulators and law enforcement intensify efforts to curb money laundering.