Author Topic: Exolix API Vulnerability Exposes $40M in User Swap Data  (Read 93 times)
Trêvoid (OP)
May 31, 2026, 05:25:51 AM
Last edit: June 01, 2026, 07:22:49 AM by Trêvoid
Merited by bitmover (2)
 #1

A critical security flaw in the Exolix instant swap service has compromised the privacy of over 355,000 transactions, totaling nearly $40 million. By exploiting broken access control in Exolix’s API, researchers discovered that hardcoded JWTs easily extracted from partner applications and public repositories granted unauthorized access to complete swap histories.



This vulnerability leaked sensitive data, including deposit/withdrawal addresses, on-chain hashes, and exact amounts for thousands of users. The breach is particularly severe for privacy-focused users, as the leaked data directly links transparent assets (like BTC or USDT) to Monero addresses, effectively deanonymizing transactions. Despite disclosure, Exolix dismissed the vulnerability as a "feature."   Grin Grin
 
Reference:
(2026, May 28). $40M in Exolix Swaps Exposed via API Vulnerability. [rastersec.com]
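
A pre-release check a partner team could run for the exposure described in post #1, added here as an example that is not part of the original post and is not Exolix or partner code: it reports JWT literals left in source files and flags those with no `exp` claim. The file names, token contents and the `find_hardcoded_jwts` helper are assumptions constructed for illustration.

```python
import base64
import json
import re

# A JWT is three base64url segments; header and payload start with "eyJ" ('{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*")

def _segment_to_dict(segment):
    """Decode one base64url segment to a JSON object, or None if it is not one."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_hardcoded_jwts(files):
    """files maps path -> text. Report every literal that decodes as a JWT."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in JWT_RE.finditer(line):
                header_seg, payload_seg, _sig = match.group(0).split(".")
                header = _segment_to_dict(header_seg)
                payload = _segment_to_dict(payload_seg)
                if header is None or payload is None or "alg" not in header:
                    continue  # JWT-shaped string that does not decode as one
                findings.append({
                    "path": path,
                    "line": lineno,
                    "alg": header["alg"],
                    "claims": sorted(payload),          # claim names only, no values
                    "no_expiry": "exp" not in payload,  # no exp claim: no built-in expiry
                })
    return findings

def _encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a dummy token with a placeholder signature, not a real credential.
SAMPLE_TOKEN = ".".join([_encode({"alg": "HS256", "typ": "JWT"}),
                         _encode({"partner": "demo-partner"}), "c2lnbmF0dXJl"])
SAMPLE_FILES = {  # constructed file contents
    "app/src/config.js": 'const API = "https://api.example.invalid";\n'
                         'const API_TOKEN = "' + SAMPLE_TOKEN + '";\n',
    "README.md": "Set API_TOKEN in the environment before running.\n",
}

if __name__ == "__main__":
    for finding in find_hardcoded_jwts(SAMPLE_FILES):
        print(finding)
```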

Zaguru12
May 31, 2026, 01:58:25 PM
Merited by Trêvoid (1)
 #2

Exolix dismissed the vulnerability as a "feature."

Another case of their carelessness again; that’s how they actually sent a customer stolen funds which later got frozen, and they simply didn’t account for it even after accepting the fact that it was their mistake, and they even asked the customer to return the stolen funds, which is definitely impossible.

With this new development they should be avoided totally; there are better instant swap options available. This warning is purposely for Unstoppable Wallet users because it’s Exolix that is their swap provider. Don’t use the swap on that wallet for now.

logfiles
May 31, 2026, 09:46:10 PM
 #3

The breach is particularly severe for privacy-focused users, as the leaked data directly links transparent assets (like BTC or USDT) to Monero addresses, effectively deanonymizing transactions. Despite disclosure, Exolix dismissed the vulnerability as a "feature."
Not sure if anyone serious about their privacy would opt for Exolix instead of dozens of other exchange services that will never request KYC verification. Exolix, on the other hand, has an AML/KYC policy where they will request a user to undergo verification at any time they want.
The joke is on anyone who used Exolix in the past and expected absolute privacy.

bitmover
May 31, 2026, 11:46:53 PM
Merited by Trêvoid (1)
 #4

This vulnerability leaked sensitive data, including deposit/withdrawal addresses, on-chain hashes, and exact amounts for thousands of users. The breach is particularly severe for privacy-focused users, as the leaked data directly links transparent assets (like BTC or USDT) to Monero addresses, effectively deanonymizing transactions. Despite disclosure, Exolix dismissed the vulnerability as a "feature."

Reference:
(2026, May 28). $40M in Exolix Swaps Exposed via API Vulnerability. [rastersec.com]

The biggest problem with KYC is that when we send our sensitive data, it will be forever in their databases, and we don't know how their security system works or if it is reliable.

We are basically forced to send our documents, knowing that they will be careless with them.

I think there should be some central system which handles all those documents, and we should send our document just once instead of sending them to many small services.

hugeblack
June 01, 2026, 08:38:12 AM
Merited by Trêvoid (1)
 #5

I find it difficult to believe in such a "critical security flaw" because it gives them a perfect excuse if they share this data with a third party or even sell it. In any case, whether it is done through a security flaw or sold, your data is not safe when it is sent to these scammers.

rat03gopoh
June 01, 2026, 11:58:15 PM
Merited by Trêvoid (1)
 #6

^^
They've revealed it as a feature instead of a vulnerability. Their mistake may be that this "feature" was supposed to be their one secret never revealed to the public: how to perfectly extract transaction information for third parties.

 