This page documents the seizure timeline, outlines what investigators actually captured, and summarizes the payment-processor backlash that followed. Use it alongside the exchange-freeze survival guide, private exchange case studies, and the Roman Storm/Tornado Cash trial recap to see how regulators stitch these actions into a single narrative.
Key Events: Bybit Hack to FIOD Raid
Tracking the sequence helps explain why prosecutors moved so quickly, and why bounty hunters, exchanges, and law enforcement all converged on the same target.
- February 2025 – Bybit discloses compromise: Bybit confirmed a private key attack that drained roughly $1.3 billion. The exchange launched a $140 million bounty for information leading to recovery (Infosecurity Magazine), unleashing a wave of bounty hunters and blockchain sleuths.
- March – April 2025 – Pressure campaign: Self-styled investigators spammed mixers, P2P desks, and infrastructure providers with “settlement” threats: pay us or we’ll flag you to exchanges. eXch publicly rejected the extortion but noted that compliance inboxes were overwhelmed.
- Early May 2025 – Warning signs: eXch posted on Bitcointalk that “friends in government” tipped them off about an incoming data grab. Withdrawals slowed as the team tried to evacuate cold wallets.
- Mid-May 2025 – FIOD acts: The Dutch agency confirmed the seizure, mimicking the press-release cadence used in the Sinbad and Blender cases. Officials bragged about freezing addresses believed to hold Bybit bounty funds.
The Dutch statement painted eXch as a fully custodial mixer, glossing over the fact that liquidity queues processed multi-hop swaps rather than traditional user deposits. The jurisdictional hook was simple: the servers lived in a Dutch data center, so prosecutors could characterize coordination as control.
What Investigators Captured
According to mirrored logs and partner testimony, authorities seized far more than public announcements suggested:
- Server images: Full snapshots of the web front-end, matching engine, and wallet infrastructure, including encrypted keys.
- Hot-wallet balances: Roughly 210 BTC and 8,000 ETH queued for payouts, plus smaller XMR/ZEC pools mid-mix.
- User metadata: Support tickets, payment method notes, and Tor bridge metrics that had been stored for abuse mitigation.
None of the confiscated funds were returned to users. Prosecutors claimed mutual legal assistance requests would handle restitution, but no MLAT process has surfaced. The outcome mirrors the Cryptomixer EU seizure, where public deterrence outweighed customer remediation.
Payment-Processor & Exchange Backlash
The raid provided compliance teams with a convenient scapegoat. Within days, fiat processors and exchanges circulated internal bulletins treating any eXch-tainted coins as suspect, even when customers provided proof-of-funds.
- Major ramps added eXch to heuristic blocklists, triggering automatic account closures and clawbacks.
- Chain-surveillance vendors raised risk scores, forcing OTC desks and remaining P2P platforms to reject coins with a single eXch hop.
- Travel-rule middleware started voiding invoices after AML analysts overrode customer attestations, citing “involvement in the eXch situation.”
This collective response is cataloged in our Exchange Freezes explainer, but eXch was the catalyst. It demonstrated how a single seizure can justify network-wide debanking long after the actual infrastructure is gone.
Mitigation Lessons for Privacy Services
- Distribute infrastructure: Running all coordinators, relays, or liquidity bridges from one jurisdiction enables unilateral takedowns. Community relays or multi-party custody make it harder to equate coordination with control.
- Maintain redundant communication: eXch’s only warning lived on Bitcointalk. Operators should sign status updates, host mirrors, and provide public keys so users can verify shutdown messages.
- Document extortion attempts: “Pay us or we’ll flag you to Bybit” messages are the new phishing. Logging and publishing threats can inoculate the community and prove you refused off-book settlements.
- Prepare for AML spillover: Keep sanitized payouts, xpubs, and travel-rule payloads handy. Payment gateways and other regulated entities quickly blocked addresses that received coins from eXch after the service was seized. Tools like the BitMixList AML Checker help prove coins were clean before entering a seized service.
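An added example, not from the original page or from eXch: a threat log of the kind described under "Document extortion attempts" only proves a refusal if it cannot be quietly rewritten later, and one way to get that is to hash-chain each record and publish the latest hash in every status update. The hash-chain design, field names, and sample records below are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value used by the first record


def entry_hash(prev, body):
    """SHA-256 over the previous record's hash plus this record's fields."""
    payload = json.dumps({"prev": prev, "body": body}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, body):
    """Append a threat record; return the new head hash to publish."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "body": body, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]


def verify(log, published_head):
    """Return None if the log matches the published head, else the index of
    the first bad record (len(log) means records were dropped or appended)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return None if prev == published_head else len(log)


def sample_log():
    """Constructed records; field names and contents are hypothetical."""
    log = []
    append(log, {"received": "2025-03-14T09:12:00Z", "channel": "compliance inbox",
                 "sender": "sender-a@example.org",
                 "message": "Pay us or we'll flag you to Bybit.",
                 "response": "refused, no payment made"})
    head = append(log, {"received": "2025-04-02T17:40:00Z", "channel": "support ticket",
                        "sender": "sender-b@example.org",
                        "message": "Settle now or we report your addresses.",
                        "response": "refused, no payment made"})
    return log, head


if __name__ == "__main__":
    log, head = sample_log()
    print("head hash to publish:", head)
    print("intact log:", verify(log, head))
    log[0]["body"]["response"] = "settled privately"  # simulated later edit
    print("first bad record after edit:", verify(log, head))
```

Anyone holding a previously published head hash can run `verify` on the released log; the check is only as strong as the independence of the places where that head was published.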
The facts captured here provide context whenever exchanges cite “the eXch case” to justify freezing legitimate funds.