On January 23, 2025, Federico Variola, the CEO of Phemex, a crypto exchange headquartered out of Singapore, announced that they were looking into a report pertaining to one of the organization's hot wallets. The company then stated that it would be pausing withdrawals, but allow trading activity to continue. In a subsequent message, Variola emphasized that they cannot rush the resumption of withdrawals due to the “sophistication of the threat.”
Variola continued to direct concerned users to Phemex’s proof of reserves (log-in required, though it is also visible on DefiLlama, which lists its assets at $461.2M) to show that there were no issues with its cold wallets. Third-party organizations reported unusual movement of funds: Crypto security firm Cyvers reported that $29 million were drained from Phemex’s hot wallets and converted into ETH. Another news outlet reported a figure of $37 million after accounting for BTC and TRON losses. Blockchain security company PeckShield reported that the final tally was $69 million and included ETH, BTC, and BSC.
The discrepancies among these figures may reflect not only amounts increasing while the hack was still ongoing during the alerts, but also conflation of the original attack with Phemex’s subsequent efforts to safeguard user funds by moving them to secure wallets, especially because the exchange has said relatively little about the incident.
Although Phemex stated that they are “working on a compensation plan” for any affected assets, there was a market panic in the immediate aftermath. According to Phemex’s own data, the BTC/USDT trading pair reached 15,000 BTC in hourly trading volume, representing a 300% increase, and ETH/USDT reached 50,000, representing a 400% increase. Both spikes likely represent users converting assets away from the tokens publicly affected in the Phemex breach. There have been many instances where attacked exchanges did not have sufficient liquidity to honor user balances in crypto. Eventually, Phemex also halted trading despite its original promise not to.
Merkle Science’s own analysis corroborates that this incident is likely a hack and not merely the unusual activity Phemex suggests in some of its communications. Below is our analysis of what happened:
Following the attack, the initial laundering layer spanned 14 blockchains. The hackers moved $1.038M across ARB, $20.9M across ETH, $1.2M across LTC, 3.8M across DOGE, $5.3M across BTC, $1.09 across AVAX, $2.5M across ADA, $13.6M across SOL, $1.6M across SOL, $13.4M across XRP, $500K across OP, $2.4M across BSC, and $680K across MATIC. Another $1.9M was bridged from BASE through Stargate Finance and routed through ETH.
After the initial laundering layer, the hackers sent either all of the funds, a portion of them, or a larger amount (topped up from the existing balance of the wallet) to a subsequent wallet on the same chain.
Some outlets and analysts are speculating that the Phemex attack could be linked to the Lazarus Group, the cybercrime group affiliated with North Korea responsible for many of the largest heists in the space, such as the $600M attack on Ronin. If Lazarus is behind this attack, the laundering trail is only the beginning—the group typically obfuscates their illicit funds through a dizzying array of chain hopping, peel chains upon peel chains, and other tactics. The May 2024 hack of Japanese crypto exchange DMM is an example of a laundering trail characteristic with the Lazarus Group.
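The hop-by-hop tracing described above (a first laundering layer per chain, a second hop on the same chain that forwards all, part, or a topped-up amount, and peel chains) can be expressed as a small investigator's script. The following is an added example, not Merkle Science's, Phemex's, or any vendor's code: every address, chain label and amount in it is constructed for illustration, and the hop classification and peel-chain heuristic (bulk output plus small "peels") are assumptions of the example, not a description of the actual Phemex transactions.

```python
"""Trace tainted funds hop by hop over a constructed transaction set.

Added example for illustration only. Addresses, chains and amounts are
constructed; nothing here is real on-chain data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    chain: str
    src: str
    dst: str
    amount: float  # USD-equivalent, constructed


# Constructed sample: one first-layer wallet per chain, then a second hop on
# the same chain in the three shapes described in the text, plus a peel chain.
TXS = [
    Tx("ETH", "hot_eth", "L1_eth", 100.0),  # full forward
    Tx("ETH", "L1_eth", "L2_eth", 100.0),
    Tx("BTC", "hot_btc", "L1_btc", 50.0),  # partial forward
    Tx("BTC", "L1_btc", "L2_btc", 30.0),
    Tx("SOL", "unrelated_funder", "L1_sol", 20.0),  # pre-existing balance
    Tx("SOL", "hot_sol", "L1_sol", 40.0),  # topped-up forward
    Tx("SOL", "L1_sol", "L2_sol", 55.0),
    Tx("LTC", "hot_ltc", "peel0", 10.0),  # peel chain: bulk on, small peel off
    Tx("LTC", "peel0", "peel1", 9.5), Tx("LTC", "peel0", "exch_a", 0.5),
    Tx("LTC", "peel1", "peel2", 9.0), Tx("LTC", "peel1", "exch_b", 0.5),
    Tx("LTC", "peel2", "peel3", 8.6), Tx("LTC", "peel2", "exch_c", 0.4),
]
# Victim hot wallets (constructed), keyed as (chain, address).
SEEDS = {("ETH", "hot_eth"), ("BTC", "hot_btc"), ("SOL", "hot_sol"), ("LTC", "hot_ltc")}


def _outs_by_src(txs):
    out = defaultdict(list)
    for tx in txs:
        out[(tx.chain, tx.src)].append(tx)
    return out


def trace_taint(txs, seeds, max_hops=10):
    """BFS from the seed wallets along outgoing transfers on the same chain.
    Returns {(chain, address): hop depth}; depth 0 is a seed."""
    outs = _outs_by_src(txs)
    depth = {s: 0 for s in seeds}
    frontier = list(seeds)
    while frontier:
        nxt = []
        for key in frontier:
            if depth[key] >= max_hops:
                continue
            for tx in outs[key]:
                k = (tx.chain, tx.dst)
                if k not in depth:
                    depth[k] = depth[key] + 1
                    nxt.append(k)
        frontier = nxt
    return depth


def layer_totals(txs, seeds):
    """Per-chain amount leaving the seed wallets: the initial laundering layer."""
    totals = defaultdict(float)
    for tx in txs:
        if (tx.chain, tx.src) in seeds:
            totals[tx.chain] += tx.amount
    return dict(totals)


def classify_forward(txs, tainted, key, eps=1e-9):
    """Compare what a tainted wallet received from tainted senders with what it
    sent onward: 'full', 'partial', 'topped_up' (sent more than it received
    from tainted sources) or 'held' (no outgoing transfer yet)."""
    received = sum(t.amount for t in txs
                   if (t.chain, t.dst) == key and (t.chain, t.src) in tainted)
    sent = sum(t.amount for t in txs if (t.chain, t.src) == key)
    if sent < eps:
        return "held"
    if sent > received + eps:
        return "topped_up"
    if abs(sent - received) <= eps:
        return "full"
    return "partial"


def find_peel_chains(txs, tainted, min_links=3, peel_frac=0.2):
    """Heuristic: a peel chain is a run of tainted wallets where each sends the
    bulk (>= 1 - peel_frac of its outflow) to one next wallet and small peels
    elsewhere. Returns the runs with at least min_links hops."""
    outs = _outs_by_src(txs)

    def bulk_next(key):
        o = outs.get(key, [])
        if len(o) < 2:
            return None
        big = max(o, key=lambda t: t.amount)
        total = sum(t.amount for t in o)
        return (big.chain, big.dst) if big.amount >= (1 - peel_frac) * total else None

    chains, visited = [], set()
    for start in sorted(tainted, key=lambda k: tainted[k]):  # shallow hops first
        if start in visited:
            continue
        path, cur = [start], start
        while (nxt := bulk_next(cur)) is not None and nxt not in path:
            path.append(nxt)
            cur = nxt
        visited.update(path)
        if len(path) - 1 >= min_links:
            chains.append(path)
    return chains


if __name__ == "__main__":
    taint = trace_taint(TXS, SEEDS)
    print("layer 1 per chain:", layer_totals(TXS, SEEDS))
    for key, d in sorted(taint.items(), key=lambda kv: kv[1]):
        if d >= 1:
            print(f"hop {d} {key[0]} {key[1]}: {classify_forward(TXS, taint, key)}")
    print("peel chains:", find_peel_chains(TXS, taint))
```

Real investigations replace `TXS` with transfers pulled from a node or indexer and seed the trace with the victim's hot wallets; bridges such as the BASE-to-ETH hop in the text would need a cross-chain edge added by hand, since this script only follows same-chain transfers.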
As of January 2024, Variola stated that the company was working on restoring USDT and USDC withdrawals, though all requests would be manually verified by the security team. The company has also not yet conducted a post-mortem analysis.
Key takeaways
There is still no telling the exact cause of the breach. Previous attacks by the Lazarus Group, which is a suspect in this Phemex hack, often revolved around social engineering. Its attack on Ronin involved duping an engineer with a fake recruitment process (Lazarus gained access after the employee downloaded a job description containing a payload). Crypto companies need to emphasize training as much as technology. To this end, Merkle Science offers Institute, which provides learning and development related to crypto investigations, security, and related matters.
While Phemex’s proof of reserves shows $461.21M in its cold wallets, the company lost around $70M, or roughly 15% of its total funds. Because a loss of this magnitude can be potentially crippling to any business, it is financially prudent to invest in blockchain analytics. With a compliance tool, crypto businesses can detect suspicious transactions in real-time, preventing bad actors from operating on their platform. With an investigation tool like Merkle Science’s Tracker, crypto businesses can follow the illicit trail and potentially recover some of the funds. Investing in blockchain analytics is the most financially savvy investment any crypto exchange can make.
Phemex operates out of Singapore, which is vying to be a crypto hub in Asia Pacific with a regime designed by the Monetary Authority of Singapore. The retail investors who lost $70M in assets will likely receive the bulk of the attention from the Phemex hack. But it is just as important for crypto exchanges to prioritize conducting business with other licensed entities in respected crypto regimes. To this end, Merkle Science offers Know Your Blockchain Business (KYBB), which enables exchanges to conduct due diligence on prospective enterprise partners.
The Phemex hack underscores the importance of proactive measures in crypto security. While the exact cause of the breach remains uncertain, the Lazarus Group—suspected in this attack—has a history of exploiting social engineering tactics, such as fake recruitment schemes. Phemex, which lost approximately $70M or 15% of its funds, highlights how even financially robust exchanges can suffer crippling losses. To prevent such incidents, crypto businesses should invest in blockchain analytics, especially investigative tools like Tracker. Contact us today for a free demo.