eXch Remains Active Despite Shutdown: How the Bybit Hack-linked Exchange Continues to Enable Laundering of CSAM Funds

2025-05-02 TRM Labs

https://www.trmlabs.com/resources/blog/exch-remains-active-despite-shutdown-how-the-bybit-hack-linked-exchange-continues-to-enable-laundering-of-csam-funds

TRM Labs links eXch to laundering flows tied to Lazarus Group's February 2025 Bybit theft, in which North Korean state-linked actors stole about USD 1.5 billion in Ethereum. The exchange removed its public-facing infrastructure around its announced shutdown but continued to offer API access, and TRM observed on-chain activity consistent with eXch mixed-pool operations. The report says CSAM-linked actors and the Bybit hackers used eXch infrastructure in overlapping deposit and withdrawal activity, with CSAM payments providing liquidity for assets swapped during laundering. eXch's pooled liquidity model fragments and reshuffles transactions across users, which complicates attribution and makes rapid infrastructure labeling important for investigators and compliance teams.
