A new OPSEC alert is putting Exolix partner swaps under scrutiny after a May 28 RasterSec-linked disclosure alleged that a broken-access-control flaw in the Exolix partner API exposed nearly
A new OPSEC alert is putting Exolix partner swaps under scrutiny after a May 28 RasterSec-linked disclosure alleged that a broken-access-control flaw in the Exolix partner API exposed nearly 356,000 historical swap records.
The incident has not been reported as a private-key theft or a direct asset drain. The risk is metadata. The disclosed dataset reportedly included deposit addresses, withdrawal addresses, transaction hashes, timestamps, partner user IDs and routing details tied to swaps between January 2025 and May 2026. Researchers placed the exposed activity near $39.5 million, with records allegedly pulled through partner integrations rather than the standard public swap interface.
For users who relied on instant swaps to keep wallet activity separated, the damage comes from linkage. A normal swap can already leave visible onchain traces at the deposit and payout ends. A partner-level record tying those ends together can make cross-chain flows easier to reconstruct, especially when the data includes timestamps and partner identifiers. For privacy-focused users, merchants and wallet users, that turns a convenience feature into a long-tail address-linking problem.
Exolix runs a registration-free instant exchange model with fixed and floating-rate swaps, while its official API allows third-party platforms to integrate Exolix services directly into their products. That partner reach is exactly why the disclosure is sensitive. The affected list cited by researchers included Edge, Exodus, Monerujo, BTCPay Server, Temple Wallet and EGToken.io.
Several integrations are publicly visible. Edge lists Exolix among its in-app exchange partners, Monerujo advertises Exolix-powered KYC-free swaps for moving in and out of Monero, and BTCPay Server’s plugin directory includes an Exolix plugin for accepting altcoins and converting payments. Those integrations do not automatically mean every user was exposed, but they show why partner-side API controls matter when swap records pass through embedded wallet and merchant flows.
The alleged failure path centered on JWT credentials found in public partner repositories and Android APKs, combined with an authorization model that reportedly allowed broader access than a partner should have had. A valid partner token allegedly became a window into records beyond that partner’s own users.
A web application firewall rule reportedly now blocks additional bulk dumps. That may limit new scraping, but it does not erase records already copied. The more important technical question is whether Exolix has replaced the access-control path itself, revoked exposed credentials, restricted partner-level queries by tenant, and notified affected integrations with a precise scope.
For past users, the practical risk is address linkage rather than stolen balances. Anyone who swapped through Exolix or the named partner integrations during the January 2025 to May 2026 window should assume the relevant deposit and withdrawal addresses may no longer be private. That means future sensitive activity should move to fresh addresses, and old swap-linked wallets should not be mixed casually with new operational wallets.
Address rotation does not delete historical data, but it can stop one leaked trail from becoming a live tracking map. Users should avoid consolidating old and new wallets in the same transaction, avoid reusing deposit addresses, and treat older Exolix-linked swap paths as already mapped by outside parties.
The timing lands during a heavy stretch for crypto infrastructure risk. Bridge and wallet security stories have already included the Alephium TokenBridge forged VAA exploit, the suspected Gravity Bridge key compromise, and a separate Ethereum wallet-drain alert involving dormant addresses. The Exolix case is different because it is not about an attacker draining funds. It is about the data layer around swaps and whether “no account” actually protects users when partner metadata can still connect addresses.
The next concrete update should be a full incident report covering the exposed endpoints, credential rotation, affected partner counts, data retention, user notification and whether the WAF patch has been backed by code-level authorization changes. Until then, the working risk to manage is simple: old swap trails may still be spendable, but they should no longer be treated as private.
The post Exolix Partner API Leak Raises OPSEC Alarm After Swap Metadata Exposure appeared first on Crypto Adventure.
