The Exolix Case: Is This "Private" Crypto Swapper Hiding Anything?

Mila Mostovaya

What Happened: The $40M Exolix API Leak

Recently, İrem Kuyucu, a security developer, disclosed API vulnerabilities in Exolix Swaps.

In plain terms: the keys handed to partner apps were unscoped and valid for five years. One key unlocked every partner's data and, for practical purposes, never expired. No rate limiting, no IP restriction. So a single request could page through a partner's entire swap history, and the same key worked against every partner's data.
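To make the three failures concrete, here is an added example (our own illustration, not Exolix's code) of a partner-API handler in the shape the disclosure describes next to a hardened one. The key record, handler names, partner ids and swap rows are all hypothetical, constructed sample data; the point is the checks, not the data model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample data: two partners' swap histories on a hypothetical swapper.
# Every field here (order ids, truncated addresses, amounts) is made up.
SWAPS = {
    "partner-a": [
        {"order": "A-1001", "deposit": "bc1q...a", "payout": "4A...x", "usd": 1200.0},
        {"order": "A-1002", "deposit": "bc1q...b", "payout": "4B...y", "usd": 75.5},
    ],
    "partner-b": [
        {"order": "B-2001", "deposit": "0x...c", "payout": "4C...z", "usd": 9800.0},
    ],
}

# Fixed clock so the example runs the same way every time.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)


@dataclass
class ApiKey:
    token: str
    partner_id: Optional[str]        # None = unscoped: the key is not tied to a partner
    expires_at: Optional[datetime]   # None = never expires
    rate_limit: int = 0              # max calls per window; 0 = unlimited
    window: timedelta = timedelta(minutes=1)
    calls: List[datetime] = field(default_factory=list)  # sliding-window bookkeeping


class Forbidden(Exception):
    pass


def list_swaps_leaky(keys: Dict[str, ApiKey], token: str, partner_id: str) -> list:
    """The design the disclosure describes: any valid key reads any partner's history."""
    if token not in keys:
        raise Forbidden("unknown key")
    return SWAPS.get(partner_id, [])


def list_swaps_scoped(keys: Dict[str, ApiKey], token: str, partner_id: str,
                      now: datetime = NOW) -> list:
    """Hardened handler: the key must exist, be unexpired, match the partner
    whose data is requested, and stay under its per-window call budget."""
    key = keys.get(token)
    if key is None:
        raise Forbidden("unknown key")
    if key.expires_at is not None and now >= key.expires_at:
        raise Forbidden("expired key")
    if key.partner_id != partner_id:
        raise Forbidden("key is not scoped to this partner")
    key.calls = [t for t in key.calls if now - t < key.window]
    if key.rate_limit and len(key.calls) >= key.rate_limit:
        raise Forbidden("rate limit exceeded")
    key.calls.append(now)
    return SWAPS.get(partner_id, [])


def _attempt(fn, *args, **kwargs):
    """Return the row count on success or the refusal reason on Forbidden."""
    try:
        return len(fn(*args, **kwargs))
    except Forbidden as err:
        return str(err)


def demo() -> dict:
    """Run both handlers against the constructed data and collect the outcomes."""
    out = {}
    # Leaky: one long-lived, unscoped key issued to partner A reads partner B's rows.
    leaky = {"k-2021": ApiKey("k-2021", partner_id=None, expires_at=None)}
    out["leaky_cross_partner"] = _attempt(list_swaps_leaky, leaky, "k-2021", "partner-b")

    # Scoped: 90-day key tied to partner A, two calls per minute.
    scoped = {"k-a": ApiKey("k-a", "partner-a", NOW + timedelta(days=90), rate_limit=2)}
    out["scoped_own"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-a")
    out["scoped_cross_partner"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-b")
    out["scoped_expired"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-a",
                                     now=NOW + timedelta(days=91))
    out["scoped_second_call"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-a")
    out["scoped_third_call"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-a")
    out["scoped_after_window"] = _attempt(list_swaps_scoped, scoped, "k-a", "partner-a",
                                          now=NOW + timedelta(minutes=2))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The scope check is the one that matters most for a privacy service: a partner's key should never be able to name a different partner in the request. Expiry and the per-key window are what turn a stolen key from "the whole dataset" into "a slice, for a while".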

The numbers weren't small: roughly 355,000 transactions and about $39.5 million in volume, from January 2025 to May 2026. Deposit addresses, withdrawal addresses, on-chain transaction hashes, amounts, timestamps: all exposed.

A privacy swapper exists to break the link between two coins. This leak did the opposite. For users who lean on Monero it ties private coins to transparent ones, with exact amounts and hashes. That's the one thing on-chain analysis usually can't get on its own.

Exolix reportedly called the open access "a feature, not a bug," added some filtering, and left the root problem in place.

However, several reputable outlets, and we ourselves, weren't persuaded by Exolix's statement.

CoinSpace

The first investigation ended on an honest question: honeypot, or plain incompetence?

In crypto slang, a honeypot is a fraud built on a fake smart contract: the asset looks like a profitable investment, you can buy it, but afterwards you cannot sell it or withdraw. In the context of a privacy service, though, the word also carries its older security meaning: a service run mainly to collect data on the people who use it. Since what leaked here was user data, that is the sense the question turns on.

That's why we decided to look for other cases linked to Exolix.

Is Exolix a Scam? How We Investigated and What We're Not Claiming

We ran a background check on the company itself, entirely from open sources: public reviews, forum threads, archived pages, and terms of service.

We are not calling anyone a scammer. Some of what follows is confirmed. Some is a user's word against the company's. Some is flatly unverifiable, and we mark each piece as we go. This is a guide to reading the open record and spotting red flags, not a verdict. You can draw your own conclusions.

What We Found: Exolix Red Flags, Reviews, and Scam Accusations

What Exolix Actually Is

By its own description, Exolix is an instant, anonymous swapper, launched in 2018, listed as starting in Hong Kong and now based in Estonia. Trustpilot, though, lists its contact details in Ukraine.


The service supports 400-plus assets, and offers fixed and floating rates. Its marketing leans on speed, privacy, and "no personal data requested."

Own Liquidity, or a ChangeNOW Reseller?

Here sources openly disagree, which is telling on its own.

The directory KYCnot.me tags Exolix as running its own liquidity, and even gives it a small trust bump, on the logic that there's no outside partner who could freeze your funds. Users say the opposite: one calls it a service running on someone else's liquidity.


Another claims Exolix and a sister site, Swapuz, both resell ChangeNOW, a large, well-known swap network.


We can't settle it from outside. But notice the twist: if there's no third party, then the freezes and ID checks people report aren't a partner's rule. They're Exolix's own policy. No one else to blame.

The Swapuz Connection: Fact vs. Rumor

The most concrete "connection" claim involves Swapuz, another swapper.

The solid part: a Swapuz rep publicly admitted that their February 2022 terms once referenced Exolix, explained as leftover template text, while flatly denying any corporate or operational link.


The "proof" people cite is an archived Swapuz page from 2022. We opened it. It isn't a readable terms document. It's a minified code bundle, and we couldn't confirm the word "Exolix" anywhere visible.

As evidence, it doesn't hold up. And the bigger claim that Exolix belongs to a "network" of brands built on forged documents traces to a Bitcointalk thread (topic 5499189) that is now gone. You can't read it, and neither can we. That one stays unverified.


Exolix Reviews: The Complaint Pattern

If the only problem were the API, the reviews would be scattered. They aren't. The same shapes repeat across KYCnot.me and Trustpilot, for years.

  • Surprise KYC on a "no-KYC" service. A user says they were asked mid-swap for a photo with ID, a selfie, a video with the document, and proof of fund origin, then never got the money back.
  • Stuck swaps and an "overdue" status. On-chain the deposit confirms, on Exolix's side it hangs. Trustpilot has reports of a swap stuck at a red X for eight days despite a confirmed transaction, and an "overdue" status past 72 hours with no reply.

To be fair, positive reviews exist too. The point isn't that everyone loses. It's that the losses rhyme.

The $11,000 "Tainted Coins" Scam Accusation (Contested)

A user reported swapping into Monero and receiving coins a block explorer had flagged as tied to a phishing scam, then losing around $11,000.


The full story lives in a Bitcointalk "Scam Accusations" thread from October 2025.


But the thread is full of pushback. One member argued that the sending wallet wasn't actually flagged, and that the only phishing link came from address poisoning (a common on-chain scam in which attackers send tiny "dust" transfers to muddy a wallet's reputation) that hit Exolix's wallet after the send.

Read more: How the Address Poisoning Scam Targets Your Crypto Wallet

Others said Exolix completed the swap as asked and it was the receiving exchange that froze the coins, so the user blamed the wrong party. So: a real, public dispute, not a proven case. Exolix admitted fault but took no real action.

One more thing, tied to the original investigation. The leak window is January 2025 to May 2026, and this swap happened in October 2025, inside it. That means this exact transaction almost certainly sits in the leaked dataset, addresses and hashes included.

In principle, that makes the story checkable on-chain instead of he-said-she-said. We don't have the dataset and won't work off stolen data, but the point stands.

The Fine Print: What Exolix's Terms Actually Allow

Per exolix.com/terms, Exolix's terms let it freeze any transaction for as long as an AML/KYC check takes, move the funds to cold storage meanwhile, refuse users from the US and sanctioned regions, and, for those users, seize the funds and donate them to charity.

Unclaimed funds may be held for up to a year.

How the Leak Landed Online

The disclosure got picked up in the niche security scene.

The podcast Anti Moonboy News #73 walked through the exploit and made a broader point: don't trust coin-swap services, because they collect your data.

A crypto outlet, CryptoAdventure, framed the real danger as metadata: the linking of Monero addresses to transparent chains.

How to Avoid Crypto Swap Scams: A Practical Checklist

We'll leave the verdict to you. But whatever Exolix is, these cases teach the same lessons about using any instant swapper. Treat it as an anti-scam checklist.

  1. "No-KYC" is marketing, not a guarantee. Most swappers reserve the right to demand ID and freeze funds mid-swap. Read the terms first. If the seizure clauses scare you, that's the point of reading them.
  2. Test with a small amount first. Run a tiny swap through the exact same pair and route before moving anything meaningful. Cheapest insurance there is.
  3. Prefer fixed rates over floating when the amount matters. Floating rates can move against you between deposit and payout; fixed locks the number for a short window.
  4. Use an aggregator with a dispute process. Several users only got funds released after a middleman (like Trocador) stepped in. Reputation directories like KYCnot.me help too. Read the comments, not just the score.
  5. Keep your receipts. Save the order ID, transaction hashes, and screenshots of every status. If a swap goes sideways, that record is your only leverage.
  6. Learn the on-chain scams so you can spot them. Watch for address-poisoning (dust sent to trick you into copying a scammer's address) and smart-contract scams, malicious tokens or fake "approval" prompts that drain a wallet once you sign. Don't act on a single unsolicited transaction, never approve a contract you didn't initiate, and if you're moving large sums, check the AML reputation of coins you receive.
  7. Assume the swap isn't as private as the ad says. Every swap leaves on-chain traces, and every service stores data a breach can expose. If privacy is the whole point, minimize what any one service can tie together: fresh addresses, smaller amounts, no reused wallets.
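Address poisoning comes up twice on this page: in the Bitcointalk dispute, where dust landing on Exolix's wallet after the send was the only "phishing" link, and in item 6 above. Here is an added example (ours, not from any wallet or explorer) of the check a wallet or a reviewer could run over a transaction history. The addresses, amounts and dust cut-off are constructed sample data; the lookalike test mimics what a truncated wallet UI shows (same prefix, same suffix).

```python
from typing import Dict, List, Set, Tuple

DUST_THRESHOLD = 0.00001   # hypothetical cut-off; tune per asset and fee regime


def looks_alike(a: str, b: str, head: int = 6, tail: int = 4) -> bool:
    """True when two different addresses share the prefix and suffix a wallet UI shows."""
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]


def poisoning_findings(history: List[Dict], own: str) -> List[Tuple[str, int, str, str]]:
    """Walk a wallet's history in time order and report address-poisoning signals.

    history: dicts with keys ts, from, to, amount (constructed sample below).
    Returns (kind, ts, suspect_address, address_it_imitates) tuples.
    """
    trusted: Set[str] = set()   # counterparties this wallet has deliberately paid
    findings = []
    for tx in sorted(history, key=lambda t: t["ts"]):
        if tx["from"] == own:
            # Outgoing: is this payment going to a lookalike of an address we have used?
            imitated = [k for k in sorted(trusted) if looks_alike(tx["to"], k)]
            for known in imitated:
                findings.append(("outgoing_to_lookalike", tx["ts"], tx["to"], known))
            if not imitated:
                trusted.add(tx["to"])
        elif tx["to"] == own and tx["amount"] <= DUST_THRESHOLD:
            # Incoming dust is attacker-controlled: it says nothing about the wallet's
            # owner, but it is the bait that plants the lookalike in the history.
            for known in sorted(trusted):
                if looks_alike(tx["from"], known):
                    findings.append(("dust_from_lookalike", tx["ts"], tx["from"], known))
    return findings


# Constructed sample wallet and history (synthetic addresses, not real ones).
OWN = "0xa11ce" + "0" * 35
EXCHANGE = "0x7f3e51a9c4d2b8e06f1a3c5d7e9b2a4c6e8f0a12"          # a counterparty we really paid
LOOKALIKE = EXCHANGE[:6] + "0" * 32 + EXCHANGE[-4:]             # same head and tail, forged middle
SAMPLE_HISTORY = [
    {"ts": 1, "from": OWN, "to": EXCHANGE, "amount": 0.5},              # our deposit to the exchange
    {"ts": 2, "from": LOOKALIKE, "to": OWN, "amount": 0.000001},        # dust lands minutes later
    {"ts": 3, "from": "0x" + "9" * 40, "to": OWN, "amount": 0.2},       # ordinary inbound payment
    {"ts": 4, "from": OWN, "to": LOOKALIKE, "amount": 0.3},             # address copied from history
]


def demo() -> List[Tuple[str, int, str, str]]:
    """Findings for the constructed history: the dust, then the mis-sent payment."""
    return poisoning_findings(SAMPLE_HISTORY, OWN)


if __name__ == "__main__":
    for kind, ts, suspect, imitated in demo():
        print(f"t={ts} {kind}: {suspect} imitates {imitated}")
```

Two things follow from how the walk is ordered. The dust at t=2 is flagged but changes nothing about the wallet's own standing, because the owner never initiated it; a reputation heuristic that counts inbound dust as taint is exactly what produced the argument in that thread. The payment at t=4 is the actual loss, and it is catchable before signing by comparing the destination against every address the wallet has paid before, not just the visible prefix and suffix.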

Frequently Asked Questions

Where is the safest place to swap crypto?

There’s no perfectly safe swapper. Safety is mostly about how you swap, not which logo you pick. Lower your risk by going through an aggregator with a dispute process, checking a reputation directory like KYCnot.me before you commit, and avoiding services with a pattern of frozen-fund complaints.

How do I swap crypto safely?

Test with a tiny amount first, prefer a fixed rate over floating so the payout can’t shrink, use a fresh receiving address, and save your order ID and transaction hashes. Read the terms of service for freeze and seizure clauses before sending anything.

How do I swap Monero (XMR) safely and privately?

Remember that a swap only hides so much: the transparent side (BTC, ETH, USDT) still leaves on-chain traces, and the service stores records that a breach can expose. Use fresh addresses, split large swaps into smaller ones, don't reuse wallets, and assume any single swapper can link your two coins. Coin Wallet lets you swap Monero without a long synchronization and at a good price.

How do I avoid crypto swap scams and smart-contract scams?

Never approve a smart contract or token you didn’t initiate. Ignore address-poisoning dust. Verify addresses character by character, use hardware wallets for large sums, and check the AML reputation of coins you receive.