eXch - instant exchange BTC / LN / XMR / LTC / ETH / ERC20

[dkbit98]

They never even used Telegram, X, or similar common channels for communication. As far as I know, only SimpleX chat.

They used twitter account but that was not active for a long time, and simplex chat was mainly used by developers.

Wow, what a crazy ending to it all. A lot of parallels here with the Chi**ixer shutdown, and even more with Sinbad. (Sinbad the genie, of course). The moral of the story is don't accept funds from N. Korea funded hackers if you want to continue to exist. Just do the slightest bit of due diligence, and when you see them coming in, isolate the input and send it back!

Oh yes, the evil North Korean hackers, perfect escape goat to blame for everything, they are probably going to create more power Blackouts in future
First you would stop accepting coins that you suspect are connected with them, and than by another, and another...
Soon enough you are not going to accept coins from whole continents, but only accept coins approved by blackrock and government puppets
I am starting to think that those hackers and services are not the real problem here, but that bitcoin is not really fungible, and that is a fact now.

[nutildah]

You're being overly dramatic. I was merely stating the obvious, without judgment.

[virasog]

The problem with eXch is that it's a centralized service in an environment hostile to privacy, or at least to no-KYC exchange. If I were them, I'd simply comply with court orders (ignoring government requests), or at least restrict/review some transactions (flows above $50,000), or temporarily restrict the service when such events occur. While the above solutions aren't ideal, they're much better than losing eXch; we've lost a good service.

When we have something decentralized then we can do whatever we want I am not recommending doing anything illegal here..

Looking at the broader picture, the biggest problem with eXch arose when they took over a large part of the XMR market. More frequent attacks from competitors such as Whitebit, Bybit etc... From earlier, they marked coins with eXch addresses as tainted, and with a long-term negative campaign against them, we came to the point that eXch was the subject of an investigation.

Yes, the centralized exchanges also have their part in bringing this non-KYC services down. They would like that people go to the eXch and get their funds exchanged without any hassle. Those exchanges would ideally want that people uses exchanges to convert their coins and they have the KYC which they use as a weapon to enforce government authorities to get down such services that are operating without any KYC. Exchanges like Coinbase, Kraken, Binance and others etc that operate under strict government regulations can also attack the non-KYC exchanges by blocking Blocking Withdrawals to Privacy Wallets like Wasabi or Samourai. They may Flagging Non-KYC Transactions when you transfer money from CEX to non-KYC exchange and many other tactics.

[lontivero]

Yes, the centralized exchanges also have their part in bringing this non-KYC services down. They would like that people go to the eXch and get their funds exchanged without any hassle. Those exchanges would ideally want that people uses exchanges to convert their coins and they have the KYC which they use as a weapon to enforce government authorities to get down such services that are operating without any KYC. Exchanges like Coinbase, Kraken, Binance and others etc that operate under strict government regulations can also attack the non-KYC exchanges by blocking Blocking Withdrawals to Privacy Wallets like Wasabi or Samourai. They may Flagging Non-KYC Transactions when you transfer money from CEX to non-KYC exchange and many other tactics.

That's correct, but in my opinion, it is even worse than that because centralized exchanges try to over-comply with regulations, going much further than any other kind of financial institution by tracking what you do with your bitcoins AFTER you withdraw from them. If they see that you participate in a CoinJoin with bitcoins that you withdrew from them, they request additional information from you under threat of closing your account, which in some cases means they take the money in your account if they don't like your explanations; what creates an incentive to request more information.

[Ambatman]

The problem with eXch is that it's a centralized service in an environment hostile to privacy, or at least to no-KYC exchange. If I were them, I'd simply comply with court orders (ignoring government requests), or at least restrict/review some transactions (flows above $50,000), or temporarily restrict the service when such events occur. While the above solutions aren't ideal, they're much better than losing eXch; we've lost a good service.

Compromise is the first step in been slowly devoured. Give them a finger and they will eat you whole.
Exch chose their users trust and image over false safety. If they had complied they had be dead either way.

I also don't understand that part. Just like I don't understand the "8 Terabytes part" (reminds me of ChipMixer?) when they're not supposed to have logs. Just nodes?

This part confuses me too. Either exch wasn't completely honest or the German agency are just tryna create FUD
to destroy trust and make alleged guilty unrest.

The all story feels off. Take for example exch came to make a public declaration that they had an insider
I was of the notion that they would have moved and cleared any traces before making such announcement.

They have been in operation for long, they wouldn't be that incompetent.
All we can see is wait and see how this pans out

https://x.com/veritas_web3/status/1921936761833525312?t=_YubhQiUZCGmCTO6YbEoXw&s=19

The majority don't care about privacy as can be seen on the X post link above.

[E0339x]

One of my clients had 500K swiped from their wallet.

The idiot who stole those funds threw them into a bridge and bridged them into BTC on the Bitcoin network.

After taking some time to track the funds, I tracked them to eXch.

Usually, tracking stolen funds to an Exchange is the end of it. We would be able to use our law enforcement contacts to have the exchange divulge the identity of the person behind the deposit address.

But here, because eXch made the choices they did, I have no way to reveal the person who stole half a million USD.

Whether or not your intentions were to help make it easy for criminals to launder money, your actions were the sole reason this thief laundered half a million USD, and threw me off of their track.

This is absolutely not okay, and personally I am pissed off that eXch's actions caused a rift in the otherwise solid infrastructure of exchanges that make it very, very hard for criminals to get any stolen funds anywhere, without butting into a KYC-enabled exchange, where their identity can be revealed by people like myself.

Is privacy important? Yes. Can there be privacy while still somehow being able to not let criminals like the one I am tracking operate without consequences?

I'm unsure. I would love your opinions on this.

- A first hello from E0339x, a forensic crypto investigator.

[joker_josue]

I'm unsure. I would love your opinions on this.

- A first hello from E0339x, a forensic crypto investigator.

First of all, welcome.

The thief doesn't need a non-KYC exchange to exchange the stolen money. There are many other ways to do it, it may take longer, but there is a way to do it. Pointing the finger at an exchange or service without KYC is narrowing the issue and looking for the easiest solution to resolve the issues.

Of course, no one likes to be robbed, and when it is, all possible tools to catch the thief and recover the money are welcome, even those that we previously thought worked well we want to work differently.

So we can't blame the tool because of some people misusing the tool. So how can we mitigate this situation?

First of all, we must remember that we will never be able to mitigate everything. We just have to remember that there is a lot of P2P available in the world. Second, as a community, we have to think of minimally acceptable options for everyone, which allow privacy without KYC, reduce these situations or at least delay the actions of thieves.


EDIT:
As a final note, we must never forget that in Bitcoin we are fully responsible for the safekeeping and security of our money. This is a huge responsibility. You have to be willing to accept this in order to deal with Bitcoin.

[NotATether]

I feel like the whole tracing coins until you find the perpetrator thing has some limitations like the ones described here.

First of all, it relies on KYC exchanges in order to get the identity of the hacker/scammer. Therefore, it only has a 100% success rate if all exchanges are KYC.

We know of course that not all exchanges are like that (for reasons that are off-topic to this post), so this means the success rate of tracing funds is less than optimal.

Usually what happens next after tracing the funds back is to freeze them. Problem solved, though obviously the victim is not always made whole again after this.

It brings the old "prevention is better than cure" adage back to mind. Why? Because crypto, even stablecoins like USDT, was never intended to behave like a credit card where chargebacks are possible. It is more like a wire transfer in this regard.

So we should be looking at ways to prevent people's crypto from being stolen in the first place in order to seek longer-term success.

One solution, which might sound dystopian to some here, would be to regulate wallet providers. By "Regulate", I do not mean ID checks and compliance teams, but similar to what is done with Bitcoin Core:

- All wallets must be open-source and reproducible. There is simply no excuse to make a closed-source wallet.
- The application or hardware wallet must be audited by an independent auditor
- Wallet providers should create tools that allow the user to audit their own operating system. Below are some basic criteria that should cause validation to fail:

• Warn when programming languages / IDEs are installed on the computer such as Node, Python, VScode etc
• Warn when a web browser or email client is installed
• Warn when any application is running that's listening on an outbound port
• Warn when there is no antivirus installed and enabled on the computer and scans are not being performed regularly
• Warn about the presence of any cybersecurity tools or crack tools
• Warn about the presence of any hypervisors / emulators
• Warn is spare documents/files are lying around the filesystem.
• Evaluate the login mechanism for the operating system and collect the OS version, and warn if a strong password is missing and there's no 2FA
• Pure software wallets will get a lower score than hardware-enabled wallets
• Alert if any credentials are detected as being saved in the usual places on the system
• Alert if the system is connected to a LAN with other computers on it (it should not, this is exactly how they get infected when no other software is present)
• Warn when the operating system is Windows and Microsoft's bloatware such as the Store, Microsoft Account, partner content, etc. are detected
• Warn when the operating system is macOS and Touch ID is not being used
• Warn if the system is not actively preventing removable storage access - only input devices and hardware security modules should be allowed. Even so, only specific, known device IDs from a list should be allowed, and the rest should be actively blocked from connecting.
  
• Obviously, exchanges are not recommended. But I understand some businesses require them. Therefore, warn if browser credentials for an exchange are found and hardware security keys are not being used as 2FA.
• Warn if any sort of wallet with smart contract abilities such as WalletConnect wallets are detected. Desktop OSes symply don't have enough security to prevent this from being misused. People who want to use them should use Android/iOS.
• Alert if the OS is not up-to-date and does not automatically install updates and restart services/reboot
• Come to think about it, warn if Windows is being used at all. It's security is quite frankly pathetic and should not be trusted for crypto wallets, and Microsoft does not care about fortifying its own software for non-enterprise users.

- Businesses must only be allowed to use certified software wallets in accredited system environments.
- It should be mandatory to verify all wallet software with PGP. All wallet software must have checksums which are signed with PGP, with a public key file containing an email address available to download. Many different third-party repositories should keep databases of all software and their keys.

I should mention that most of these criteria are for desktops. However, mobile devices absolutely should be audited this way as well. (e.g. disable iMessage, RCS, Bluetooth, remove non-essential apps from the device, always keep the device up to date, etc.)

Some will say that this is too complicated. My response: you must provide your own security. Because you are custodying large quantities of financial assets yourself, and not a financial institution, you must not be technologically irresponsible with their safekeeping.

It only takes a few hours to prepare a secure wallet environment yourself, versus weeks to claw back stolen funds (if at all) stemming from operational negligence.

These policies can and should be implemented. However, i expect the people who are able to do something like this to endlessly argue with other people about KYC vs. no KYC, maximum trading limits, asset forfeiture of random people with dirty coins, sanctions, and other things that don't matter.

Because from the user's point of view, the only thing that actually matters is whether your money is still there.

Edit: A few hours after writing this, I had two $100 payments blocked for AML reasons^* (including a supposedly low-risk Litecoin address according to AML checkers), so please don't by any means think that only regular, "verified" users are suffering. We face hardships as well. We're all in the same boat when it comes to theft.

^*I purposely keep my risk appetite low by making small transactions. But other people aren't so lucky. I know quite a lot of people around this site who have lost thousands of dollars like this.

[examplens]

One of my clients had 500K swiped from their wallet.

The idiot who stole those funds threw them into a bridge and bridged them into BTC on the Bitcoin network.

After taking some time to track the funds, I tracked them to eXch.

Usually, tracking stolen funds to an Exchange is the end of it. We would be able to use our law enforcement contacts to have the exchange divulge the identity of the person behind the deposit address.

You and your client are lucky. All funds of eXch were seized by FIOD and BKA. As they are representatives of the law, there should be no problem with refunding the stolen coins, provided sufficient proof of ownership is provided. An excellent opportunity for them to prove that they fight against illegal business and theft.
Yes, I sound sarcastic, but that's what justice looks like.

[bitmover]

Wow, what a crazy ending to it all. A lot of parallels here with the Chi**ixer shutdown, and even more with Sinbad. (Sinbad the genie, of course). The moral of the story is don't accept funds from N. Korea funded hackers if you want to continue to exist. Just do the slightest bit of due diligence, and when you see them coming in, isolate the input and send it back!

You can say "but what about privacy for non-hackers?" And yes, you're right, you deserve privacy. One of the steps involved in that is not using services that have accepted coins from N. Korean hackers.

It doesn't matter what should or shouldn't be in a perfectly fair and moral world, because that world doesn't exist.

Perfectly said

I will just add that North Korean hackers do not have any rights. They do not deserve privacy.

They are people doing dirty jobs for a terrible dictatorship and war mongering regime.

Services shouldn't be greed and just refuse their coins.

[LoyceV]

I will just add that North Korean hackers do not have any rights. They do not deserve privacy.
They are people doing dirty jobs for a terrible dictatorship and war mongering regime.

I'm pretty sure those hackers would qualify for political asylum if they'd step into my country. I don't think they have much of a choice, and I also don't think they see anything from the millions of dollars they steal. If they don't do their job, it'll probably end badly for them and their family.
I'd say cut North Korea's internet connection

[bitmover]

I'd say cut North Korea's internet connection

Yeah  that would be good lol but impossible to do..

They have many relationships with China and Russia,  and they would always be sharing data. .

[Cricktor]

~~~

I'm surprised or misunderstand you completey. You make it sound like as if eXch kept assets like a sinkhole that went through their instant exchange which wasn't the case. It's not how eXch operated, except for their percentage cut for every instant exchange performed by them.

I see what E0339x tries to do, blame eXch for making it difficult to further follow the asset flow because they don't keep or log details nor care about "tainted coins". But that's basically blaming all privacy oriented exchanges or P2P exchange opportunities.

I don't like it too when criminals slip through, but the solution can't be to demand all-KYC or better a fully supervised blockchain (which likely nobody wants to use).

It's more work, but I think due to the limited amount of supported assets by eXch, it could be possible to trace the asset flow of stolen coins with timing analysis even when they pass through eXch, unless Monero or another strong-privacy coin is involved where you can't easily follow assets on their respective blockchain.

[Pmalek]

<Snip>

You have to understand that your client is entirely responsible for what happened to them. It doesn't matter if they were phished, hacked, or simply sent their coins to the wrong address. In bitcoin, everyone is their own bank clerk, security department, and bank manager. Those who can't accept such responsibilities unfortunately suffer the consequences. This is not me being an a**hole. I am just stating a fact.

eXch was an anonymous exchange. If it was used by criminals of any kind, law enforcement should go after them and not the service. What if the coins never went to eXch or a different anonymous exchange but to a non-custodial wallet? What would you like to happen then? Should non-custodial wallets also require KYC from all its users and be required to have backdoors and ways to block and seize user funds? Once we do that, what's next? Should we create a Bitcoin Foundation and empower them with making Bitcoin centralized and custodial and give them the power to seize any coins with the click of a button in case a future client of yours has their BTC stolen? Why would we need to have Bitcoin at all after that?

Bitcoin is digital money that can move without an intermediary giving it permission. We all as the community of its users need to accept that and learn how to work around that and not ask Bitcoin to give us a second chance and a restart button.     

[JayJuanGee]

- All wallets must be open-source and reproducible. There is simply no excuse to make a closed-source wallet.

We may well be deviating from the topic a bit, yet I am frequently curious regarding the extent to which wallets with secure elements are open source.. not that I understand wallet vulnerabilities in regards to server choices for those who are not running a full node and/or channelling their transactions through their own node rather than the node of the wallet manufacturer.

[NotATether]

- All wallets must be open-source and reproducible. There is simply no excuse to make a closed-source wallet.

We may well be deviating from the topic a bit, yet I am frequently curious regarding the extent to which wallets with secure elements are open source.. not that I understand wallet vulnerabilities in regards to server choices for those who are not running a full node and/or channelling their transactions through their own node rather than the node of the wallet manufacturer.

Well since you mentioned secure elements I assume you're talking about hardware wallets...

It is often impractical to make hardware designs open-source. I was referring to the software that controls these wallets such as Ledger Live for example. For obvious reasons, the USB interface for making transactions is already documented, and the components in the hardware wallet itself are often enumerated (they should always be), so that should eliminate the risk of malicious firmware being loaded on to the device.

[E0339x]

First of all, welcome.

The thief doesn't need a non-KYC exchange to exchange the stolen money. There are many other ways to do it, it may take longer, but there is a way to do it. Pointing the finger at an exchange or service without KYC is narrowing the issue and looking for the easiest solution to resolve the issues

Thanks! Absolutely, I am looking for the easiest solution. I've worked a few cases now, and this was the first time the idiot wasn't actually a complete idiot. Well played on his part, but also - Screw that guy! All of my other cases used EVMs and deposited to KYC'ed exchanges. Easy pickings.

I personally despise malicious actors, so my bias is I would prefer to simply bury them rather than have to play ball and follow their steps through loops and loops and loops.

You and your client are lucky. All funds of eXch were seized by FIOD and BKA. As they are representatives of the law, there should be no problem with refunding the stolen coins, provided sufficient proof of ownership is provided. An excellent opportunity for them to prove that they fight against illegal business and theft.
Yes, I sound sarcastic, but that's what justice looks like.

Good looking out. I didn't know this. I thought we were out of luck.

I'll do some research on my own side, but in case you've already done what I'm about to do, can you share how best to get in touch with these organizations to request the return of funds?

Thanks.
==

I see what E0339x tries to do, blame eXch for making it difficult to further follow the asset flow because they don't keep or log details nor care about "tainted coins". But that's basically blaming all privacy oriented exchanges or P2P exchange opportunities.

I don't like it too when criminals slip through, but the solution can't be to demand all-KYC or better a fully supervised blockchain (which likely nobody wants to use).

It's more work, but I think due to the limited amount of supported assets by eXch, it could be possible to trace the asset flow of stolen coins with timing analysis even when they pass through eXch, unless Monero or another strong-privacy coin is involved where you can't easily follow assets on their respective blockchain.

Re: Timing analysis - I understand the theory behind it, but I can only make assumptions on how quickly those funds moved out of an exchange, and therefore during which dates they got moved out. Can it be any more precise?

[LoyceV]

Good looking out. I didn't know this. I thought we were out of luck.

I'll do some research on my own side, but in case you've already done what I'm about to do, can you share how best to get in touch with these organizations to request the return of funds?

I'd start by checking the contact details on their websites.

Here's a fictional put possible plot twist.
Step 1. Exchange your own half a million USD on eXch and receive coins on a different chain
Step 2. Claim it was stolen and hire you after the site gets seized
Step 3. ???????????
Step 4. Profit!

I can only make assumptions on how quickly those funds moved out of an exchange, and therefore during which dates they got moved out. Can it be any more precise?

You're talking about an instant exchanger. Assuming they had enough funds, exchanges were completed the moment the deposit got confirmed.

[Lucius]

One of my clients had 500K swiped from their wallet.

I assume it's a hot wallet or maybe funds that were on a CEX? I really don't know what to say about people who store half a million $ in a way that any slightly skilled hacker can steal - and that's actually the main problem in this story, because if those funds were stored in an adequate way, this story wouldn't even exist, right?

- A first hello from E0339x, a forensic crypto investigator.

~snip~
I'll do some research on my own side, but in case you've already done what I'm about to do, can you share how best to get in touch with these organizations to request the return of funds?

No offense, but someone who calls themselves a forensic crypto investigator shouldn't be asking such a question - because how can you expect to be able to follow the money trail, when you can't find the contact information for the agencies that have already been mentioned so many times.

[examplens]

I'll do some research on my own side, but in case you've already done what I'm about to do, can you share how best to get in touch with these organizations to request the return of funds?

That is a question that many of us would like to get an answer to. For example, how can they report obvious scams, where one group of people is trying to steal money from others?
When we talk about eXch, there are organized scam schemes that abuse eXch's name and popularity, but as I said, it is not in the interest of those mentioned above to fight against it.
You can look at exch2.cx. Pretty tricky. The owner of this (proven fraud) is trying to take advantage of ignorant exch users, but if you demand responsibility from him, then he will claim that the identical name is just a coincidence.

No offense, but someone who calls themselves a forensic crypto investigator shouldn't be asking such a question - because how can you expect to be able to follow the money trail, when you can't find the contact information for the agencies that have already been mentioned so many times.

Bybit, with its bounty rewards generated many new crypto forensics, and anyone who can send coins through more than three addresses deserves a blockchain forensics diploma on the wall.