An investigation into the cryptocurrency exchange Exolix has uncovered a critical security flaw: a broken access control vulnerability in its API. This oversight allowed unauthorized parties to access the complete transaction history of multiple integration partners, including major wallets and platforms. By utilizing JWT tokens—often found hardcoded in public repositories or decompiled mobile applications—anyone could query the GET /api/v2/transactions endpoint to dump sensitive user data.
The exposed dataset, spanning January 2025 to May 2026, encompasses over 355,000 transactions totaling roughly $39.5 million. Each record contains granular details, including:
- Unique Deposit and Withdrawal Addresses
- On-chain Transaction Hashes for both legs of the swap
- Exact Swap Amounts and Timestamps
- Associated User IDs
The privacy implications are severe, particularly for users of anonymity-focused coins like Monero. Many instant swappers are utilized specifically to obfuscate the link between transparent-chain assets (such as Bitcoin or USDT) and privacy-oriented ones. This vulnerability effectively destroys that anonymity by providing a comprehensive, deanonymizing trail that links transparent addresses directly to privacy-coin destinations.
When confronted, Exolix dismissed the findings as a "feature" requested by partners rather than a security bug. Whether this failure stems from gross incompetence or intentional design, the result is that the transaction history of thousands of users is now compromised, rendering standard "no-KYC" privacy promises void.
Source: rastersec.com/blog/exolix-swapper-dump
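To make the flaw class concrete for anyone building or reviewing a partner-facing API, here is an added, self-contained illustration (not code from the post, from rastersec, or from Exolix). It assumes a hypothetical HS256-signed partner JWT with the partner name in the `sub` claim, an in-memory list of constructed swap records, and two versions of a "list transactions" handler: one that only authenticates the token and so returns every partner's rows, and one that scopes the query to the verified claim. A small invariant check at the end is the kind of server-side assertion that would have caught the broken version before it shipped.

```python
"""
Broken access control on a partner API, vulnerable vs. fixed (hypothetical example).
Stdlib-only HS256 JWT handling and an in-memory store; nothing here talks to a real service.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-signing-key"  # stand-in for the server's real key (constructed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(partner_id: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT whose 'sub' claim names the integration partner."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": partner_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check the signature and expiry; return the claims or raise PermissionError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    return claims


# Constructed sample records: two partners, three swaps. Addresses are placeholders.
TRANSACTIONS = [
    {"id": 1, "partner": "wallet-a", "from_addr": "bc1q...a", "to_addr": "4A...x", "amount": 0.5},
    {"id": 2, "partner": "wallet-a", "from_addr": "bc1q...b", "to_addr": "4B...y", "amount": 1.2},
    {"id": 3, "partner": "wallet-b", "from_addr": "0x...c", "to_addr": "4C...z", "amount": 300.0},
]


def list_transactions_vulnerable(token: str, partner_filter=None) -> list:
    """Authentication only. Any valid partner token gets every record, or any
    partner's records if the caller supplies the filter themselves. This is the
    shape of flaw the post describes: the token proves who you are, but the
    query is never tied to that identity."""
    verify_token(token)
    if partner_filter is None:
        return list(TRANSACTIONS)
    return [t for t in TRANSACTIONS if t["partner"] == partner_filter]


def list_transactions_fixed(token: str) -> list:
    """Authorization. The scope comes from the verified 'sub' claim and is never
    taken from a caller-controlled parameter."""
    claims = verify_token(token)
    return [t for t in TRANSACTIONS if t["partner"] == claims["sub"]]


def response_leaks_other_partners(claims: dict, rows: list) -> bool:
    """Server-side invariant: True if a response would hand this partner rows
    that belong to someone else. Cheap to assert on every response in tests
    and to alert on in production."""
    return any(t["partner"] != claims["sub"] for t in rows)


if __name__ == "__main__":
    tok = issue_token("wallet-a")
    print("vulnerable:", [t["id"] for t in list_transactions_vulnerable(tok)])
    print("fixed:     ", [t["id"] for t in list_transactions_fixed(tok)])
```

The point of the two handlers is that the fix is not a bigger token or a stricter signature check; it is a one-line change of where the scope comes from. Treat a response that fails `response_leaks_other_partners` as a bug, not as a partner "feature".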