eXch Refutes Allegations of Processing Funds from Bybit Hack

The Lazarus Group, a cybercrime syndicate linked to North Korea, is under increased scrutiny following allegations of its involvement in both the historic $1.4 billion Bybit hack and a series of meme coin scams on the Solana blockchain. Onchain investigators and blockchain security firms have identified connections between wallets used in the Bybit exploit and fraudulent activities on Solana’s Pump.fun platform.

Crypto Exchange eXch Denies Allegations of Laundering Funds for North Korea’s Lazarus Group Following $1.4 Billion Bybit Hack

Crypto exchange eXch has firmly denied allegations of laundering money for North Korea’s notorious Lazarus Group following the historic $1.4 billion Bybit hack on Feb. 21. The exchange issued a statement on the Bitcointalk forum on Feb. 23, asserting that it had no involvement in facilitating illicit transactions for the cybercriminal syndicate linked to the Democratic People’s Republic of Korea (DPRK).

In its statement, the eXch team declared, “We are not laundering money for Lazarus/DPRK,” emphasizing that all funds held on the exchange remained secure and that its operations had not been affected by the Bybit hack. The exchange also criticized those accusing it of illicit activity, branding such claims as unfounded fear, uncertainty, and doubt (FUD).

While maintaining its innocence, eXch did acknowledge that a small fraction of the stolen funds had passed through its platform. The exchange clarified that it had processed an “insignificant portion of funds” from the Bybit hack, which had entered its address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123. eXch insisted that this was an isolated incident and that the fees collected from these transactions would be donated for the public good.

“There are no other addresses on the Ethereum blockchain, aside from deposit addresses that interact with this address, that are associated with our exchange,” eXch asserted in its statement, attempting to distance itself from the wider laundering allegations.

The rebuttal from eXch follows mounting scrutiny from on-chain analysts and security firms that have accused the platform of playing a more substantial role in laundering funds stolen from Bybit.

On Feb. 22, blockchain investigator ZachXBT posted to his Telegram investigations group, alleging that eXch had laundered $35 million of the stolen funds. He also pointed out that the exchange had mistakenly sent 34 Ether (ETH), worth approximately $96,000, to a hot wallet belonging to another exchange. His findings have been echoed by blockchain security firm SlowMist, which claimed that eXch had received a “significant amount of ETH” connected to the Bybit hack and had converted some of these funds into other cryptocurrencies.

Adding to the allegations, Nick Bax, a member of the white-hat hacker group Security Alliance, estimated that eXch had processed at least $30 million in transactions for the DPRK-linked Lazarus Group in a single day.

Bybit, the victim of what is now considered the largest crypto hack in history, lost over $1.4 billion when attackers gained control of its Ether multisig cold wallet. Despite this devastating loss, the exchange has assured users that withdrawals continue to be processed. However, according to data from DeFiLlama, Bybit’s total assets have plummeted by more than $5.3 billion, which includes the stolen funds.

Bybit has been actively coordinating with law enforcement and other exchanges to freeze and recover stolen funds. As of Feb. 23, it had successfully frozen over $42 million worth of stolen assets, thanks to these efforts.

Despite the ongoing investigations and allegations, eXch has not fully cooperated with Bybit’s attempts to block further fund outflows. In a post on Bitcointalk, eXch revealed an email exchange with Bybit’s risk team, in which the latter requested assistance in freezing the stolen assets. However, eXch refused to comply, citing grievances over past incidents in which Bybit allegedly froze deposits made by its users without providing clear explanations.

“In light of these circumstances, we would appreciate a clear explanation as to why we should consider providing assistance to an organization that has actually undermined our reputation,” eXch stated in its response to Bybit.

Bybit CEO Ben Zhou reacted to the forum post by urging eXch to reconsider its stance, stating, “At this point, it is really not about Bybit or any entity; it’s about our general approach toward hackers as an industry.”

The Industry’s Larger Battle Against Cybercrime

The accusations against eXch and its response shed light on the cryptocurrency industry’s ongoing battle against cybercriminal groups, particularly North Korea’s Lazarus Group, which has been linked to multiple high-profile hacks in recent years. The lack of clear regulatory oversight in the decentralized finance (DeFi) space has made it easier for stolen funds to be moved across various platforms without immediate detection or consequences.

As exchanges like Bybit work to recover stolen assets, the situation highlights the urgent need for stronger security measures, better coordination among crypto platforms, and a unified industry stance against illicit activities. The controversy surrounding eXch’s alleged involvement in laundering Bybit’s stolen funds may continue to develop as further investigations unfold.

For now, eXch maintains its innocence, but with multiple security firms and investigators casting doubt on its claims, the exchange remains under intense scrutiny from the broader crypto community.

Lazarus Group Suspected in Bybit Hack and Solana Meme Coin Scams

The Lazarus Group, the primary suspect behind the staggering $1.4 billion Bybit hack, may also be linked to recent Solana meme coin scams, including rug pulls on the Pump.fun platform, according to onchain investigator ZachXBT.

The crypto industry was shaken on Feb. 21 when Bybit suffered the largest hack in history, losing over $1.4 billion in liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other digital assets. Blockchain security firms, including Arkham Intelligence, have identified North Korea’s Lazarus Group as the most likely perpetrator behind the exploit.

ZachXBT’s onchain investigations have now suggested that the same entity laundering the hacked Bybit funds may also be responsible for a series of fraudulent meme coin launches on Solana’s Pump.fun platform.

“On Feb. 22, the attacker received $1.08 million from the Bybit hack to 0x363908df2b0890e7e5c1e403935133094287d7d1, who then bridged USDC to Solana,” ZachXBT wrote in a Feb. 23 Telegram post.

According to the investigator, this $1 million was subsequently consolidated across multiple wallets on Solana, some of which had prior links to meme coin scams.

“I made 920+ addresses receiving funds tied to the Bybit hack public and noticed a person laundering for Lazarus Group previously launched meme coins via Pump.fun,” ZachXBT added.

Further onchain findings revealed that the same Lazarus Group-affiliated wallets suspected in the Bybit hack were also behind the $29 million Phemex hack in January.

The connection between the Lazarus Group and Solana’s Pump.fun platform is not entirely surprising given the recent surge in meme coin scams plaguing the Solana blockchain. Investor sentiment has been significantly impacted following high-profile rug pulls and fraudulent projects.

One such example is the dramatic collapse of the Libra (LIBRA) token, which had received public endorsement from Argentine President Javier Milei. Insiders of the project allegedly siphoned over $107 million worth of liquidity in what was described as a rug pull, leading to a 94% price crash within hours and erasing approximately $4 billion in investor capital.

The repercussions of these scams are reflected in Solana’s declining market activity. Monthly capital inflow into Solana and the Solana MEME index have turned negative, at -5.9%, according to Glassnode.

In addition, Solana’s user activity has been declining significantly. The number of active addresses on the network fell to a weekly average of 9.5 million in February, a sharp drop of nearly 40% from the 15.6 million active addresses recorded in November 2024, according to data from Glassnode.

CryptoVizArt, a senior analyst at Glassnode, commented on this decline, stating:

“A significant cool down in Solana activity is evident, however, we are still relatively higher than pre-bull market baselines.”

The Future of Solana Amidst Controversy

Despite the concerns surrounding fraud and corruption, some industry analysts believe that these challenges could lead to long-term improvements for Solana. The blockchain’s advanced technology continues to attract developers and projects, and increasing regulatory scrutiny may help curb bad actors over time.

Blockchain researcher Aylo shared a similar sentiment in a Feb. 18 X post, suggesting that while the current wave of fraud is damaging, it may ultimately contribute to a stronger and more resilient ecosystem for Solana.

As the industry grapples with security breaches and illicit activity, the role of investigative onchain analysts like ZachXBT remains crucial in exposing fraudulent actors and maintaining trust within the crypto space.

Source: https://coinpaper.com/7656/e-xch-refutes-allegations-of-processing-stolen-funds-from-1-4-b-bybit-hack