Investigating Hackers', Exploiters' Favorite Instant Crypto Exchange
default osint crypto vasp
Thank you to BlockSec for giving me access to their MetaSleuth platform to conduct the on-chain portion of this report. Look into using MetaSleuth for your next investigation.
Context
If you’ve done any reading or sleuthing regarding the movements of funds after hacks, you’ve probably encountered eXch[.]cx before (incidents including but not limited to: the DPRK a/k/a Lazarus, Monkey Drainer, Inferno Drainer, Pink Drainer, Mark Cuban stolen funds, the Lykke exploiter, Mango Farm’s exit scam, Terra IBC exploiter (Astroport token), the FixedFloat exploiter, various phishing customers, CEX fraud, and many, many more). But, where exactly did this infamous hardline no-KYC exchange come from?
Exch’s 2014 Origins
Exch originally operated under the eXch[.]cc domain between April 2014 and May 2016, only supporting Bitcoin, Perfect Money, and BTC-e vouchers. Their first online presence outside of the domain was established April 19th, 2014 when a BitcoinTalk forum account was registered. On this account, a thread was published under the “Service Discussion” topic promoting the site’s 24/7 automatic exchanging of Bitcoin and Perfect Money (later WebMoney and manual PayPal exchanges were supported). The thread received a handful of replies about the service, but activity would quickly peter out at the beginning of 2015. Exch’s personal BitcoinTalk account activity would abruptly cease in May 2015.
Looking into the account’s more recent activity, post-2022, we can get an idea of what happened between 2015 and 2016 that led to the closing of the service. No exact specifics are mentioned, but the falling out of a partnership between eXch and BTC-e seems to be the main reason.
During 2014, eXch’s BitcoinTalk account replied to many threads on the forum, ranging from technical to personal. While many of the account’s posts have been scrubbed (various quoted posts exist with no surviving original), the currently available posts paint a picture of the operator: a male, non-native English speaker, ex-smoker, interested in privacy, cybersecurity, Porsches, and 90’s era music and film, whose favorite game is Lineage 2, and who likely lives in Austria (Innsbruck) or Germany.
A handful of other clues can be gathered from the BitcoinTalk activity: the account consistently posted in the afternoon and evening for American time zones, which aligns with evening and night in Austria and Germany, and some of the posts that include images use German-based image hosters (e.g., myimg.de).
Buried in a 2023 BitcoinTalk post by the eXch account, we can find eXch’s old BestChange profile. While there is not a lot of information on the profile, it does show the country of operation as Germany.
Tracing eXch’s Original Bitcoin Wallet
Exch’s original “.cc” Bitcoin wallet was funded on January 25th, 2014 across two transactions totaling roughly 12.5 BTC. The address can be found hidden in various archives of the old site (open inspect element and search for “OUR BITCOIN ADDRESS”). Following the original chain of UTXOs, these funds likely originate from BTC-e (specifically this consolidation wallet). Throughout eXch’s normal operation, interactions with darknet markets, high-risk merchants, OFAC-sanctioned entities, and CoinJoin services were common. Entities include UniCC Shop, LuxSocks, Ali Khorashadizadeh, JokerStash, AlphaBay, RAMP, and Evolution Market.
Exch would continue to operate normally until May 21st, 2016 when transactions abruptly stopped; a total of 57.677 BTC (roughly $136,000 at the time) still remained in the wallet.
On May 25th, four days later, eXch’s remaining BTC would start moving. Over the next three days, coins would be deposited into various exchanges including BTC-e, Kraken, Bithumb, Korbit, the P2P exchange Paxful, and primarily Bitfinex (roughly 40 of the 57 BTC). A small portion of funds, roughly 3.1 BTC, would end up being deposited into Bitcoin mixers, specifically Bitmixer and Bitcoin Fog. Both mixers would eventually shut down, whether willingly or not. See the interactive chart here.
The Funding of Modern eXch Wallets
Exch’s current Ethereum hot wallet was funded on July 20th, 2022 with $113 worth of ETH originating from Binance. Over the next four months, various test transactions occur and liquidity is finally added. Funds primarily originate from OKX, but Binance was used at least one other time, as well as Kraken in 2023.
Using timing analysis, it’s possible to identify a likely OKX deposit address belonging to eXch, 0xf5dc. Exactly 40 ETH and 70,000 USDC were withdrawn from eXch’s hot wallet on October 2nd, 2022 and then deposited into OKX across four transactions. Specifically, 30,000 USDC was deposited at 12:52 PM UTC. Subsequently, 29,860 DAI was withdrawn from OKX to one of eXch’s original funding wallets at 1:02 PM UTC. This DAI was then sent directly to eXch to provide liquidity. See the interactive chart here.
The other deposits do not seem to have conclusive outputs, which likely means funds were exchanged and withdrawn as Monero. Later, eXch would start utilizing DEXs instead of CEXs, specifically for balancing stablecoins.
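The timing correlation used above, written out as an added example (my code, not the author’s or BlockSec’s): withdrawals from the eXch hot wallet are matched against later CEX outflows to known eXch wallets, and a match is rated “strong” only when both legs are stablecoins of near-equal size. The records are constructed to mirror the October 2nd, 2022 figures, and every address below is a placeholder.

```python
from datetime import datetime

STABLECOINS = {"USDC", "USDT", "DAI"}

# Constructed sample data (placeholder addresses, times in UTC).
KNOWN_EXCH = {"0xEXCH_HOT", "0xEXCH_FUND"}      # hypothetical eXch wallets
DEPOSITS = [  # outflows from the eXch hot wallet into candidate CEX deposit addresses
    {"time": "2022-10-02 12:52", "to": "0xDEP_A", "token": "USDC", "amount": 30_000},
    {"time": "2022-10-02 12:40", "to": "0xDEP_B", "token": "USDC", "amount": 40_000},
    {"time": "2022-10-02 12:30", "to": "0xDEP_C", "token": "ETH", "amount": 20},
]
WITHDRAWALS = [  # outflows from the CEX hot wallet; "to" is the destination
    {"time": "2022-10-02 13:02", "to": "0xEXCH_FUND", "token": "DAI", "amount": 29_860},
    {"time": "2022-10-02 15:30", "to": "0xUNRELATED", "token": "DAI", "amount": 5_000},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def correlate(deposits, withdrawals, known_wallets, window_minutes=30, tolerance=0.05):
    """Return candidate deposit addresses: each CEX withdrawal to a known wallet is
    paired with every deposit that preceded it within `window_minutes`. A pair is
    'strong' when both legs are stablecoins and the amounts agree within `tolerance`
    (fees and spread explain the small gap), otherwise it is 'timing-only'."""
    hits = []
    for w in withdrawals:
        if w["to"] not in known_wallets:
            continue
        for d in deposits:
            gap = (_t(w["time"]) - _t(d["time"])).total_seconds() / 60
            if not 0 <= gap <= window_minutes:
                continue
            comparable = d["token"] in STABLECOINS and w["token"] in STABLECOINS
            amount_ok = comparable and abs(d["amount"] - w["amount"]) <= tolerance * d["amount"]
            hits.append({"deposit_address": d["to"], "gap_minutes": gap,
                         "strength": "strong" if amount_ok else "timing-only"})
    # strong matches first, then the tightest timing
    return sorted(hits, key=lambda h: (h["strength"] != "strong", h["gap_minutes"]))


if __name__ == "__main__":
    for hit in correlate(DEPOSITS, WITHDRAWALS, KNOWN_EXCH):
        print(hit)
```

A timing-only hit is a lead, not an attribution; it needs a second independent signal (a second matching round trip, or an exchange label) before it is relied on.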
The use of these three CEXs specifically aligns with both posts by eXch on BitcoinTalk, as well as their site. Exch has previously stated on the forum that they occasionally used Binance and Kraken to increase XMR reserves, but stopped doing so as “they became very uncomfortable with us draining so much liquidity from them.” In addition, eXch previously obtained pricing information for coins by using the “latest trading data of the following markets: Binance, OKEX, Kraken” which can be seen in various archives.
Not-So-Clean Funds
Exch has consistently accepted clearly stolen funds, days and even months after they have been publicly attributed to exploits and hacks. For example, tokens from the Terra IBC/Astroport exploit were bridged to Ethereum on July 30th, 2024 and then swapped through eXch over the following six days. There was no obfuscation of the funds going into eXch; they were deposited directly.
The funds from the Terra IBC exploit were attributed within four hours of them being bridged, in this Tweet by Rarma. Subsequently, the address was labeled on Etherscan and other providers (such as BlockSec). In the following days, the exploit and address would gain continued coverage, such as from Rekt News, Binance, and Blockbasis.
Maybe there is some room for leniency here: eXch is a relatively small platform with few, possibly even zero, employees. However, this can be immediately dismissed, as another researcher, RealVovochka, emailed eXch on August 1st, 2024 (two days after the hack) asking for assistance in identifying funds that had already passed through the platform, providing both the deposit addresses and the exploiter’s main wallet. Exch responded after eight hours with a non-answer to the request but, more interestingly, claimed to use Elliptic’s risk screening service and stated that Elliptic was “too slow to mark these funds as stolen,” so it was not their fault. Where this falls apart is that the exploiter, by then known to both eXch and the wider community, proceeded to send another $259,000 across seven deposits into eXch three days after Vovochka’s email and four days after the initial attribution.
This is not an isolated incident. The Lykke exploiter moved almost $6 million in DAI through eXch between early August and late September 2024. Once again, there was no obfuscation. Five months after the attribution, eXch is still happily accepting the exploiter’s funds.
The chart below shows the exploiter’s movement of funds, primarily sending DAI to eXch. See the interactive chart here (red nodes are the Lykke exploiter and the blue node is eXch’s Ethereum hot wallet).
I find it highly unlikely this is the fault of the risk screening; these exploits are too high profile to fly under the radar of an analytics and compliance company like Elliptic.
These are just two recent examples; eXch has been accepting high-risk funds nearly since its inception. Monkey Drainer’s federalagent.eth wallet started using eXch just six months after the platform came back online in 2022. Between March and April of 2023, Monkey deposited over $1.45 million worth of ETH into eXch.
Even further back, eXch started receiving funds from the Magos ICO scam (archive) less than 30 days after relaunching their service. The first Magos deposit was the 140th incoming transaction to eXch, and the majority of transactions before this were test deposits by eXch themselves. See the interactive chart here.
All of these examples directly go against eXch’s claims on the BitcoinTalk forum about how “clean” their funds actually are.
The Precedent of No-KYC Exchanges
As of September 2024, there have been two independent actions taken against no-KYC exchanges: Germany’s “Operation Final Exchange,” which seized the infrastructure of 47 Russian-based no-KYC exchanges, and OFAC’s sanctions against a different no-KYC exchange, PM2BTC. These services primarily handled cybercriminal proceeds, including those coming from darknet markets, ransomware gangs, scams, and fraud.
Closing Remarks
In my opinion, there are likely few to zero further OSINT leads regarding eXch, and the ball is now in law enforcement’s court. Exch has accepted high-risk funds without remorse both during 2014-2016 and from 2022 onwards. If any official agencies are interested in information I have not made public, please reach out via Telegram (@Fable) or email f [at] nta [dot] sy.