Hackers Stole $85 Million Worth of Cryptocurrency From Phemex


Phemex, a cryptocurrency exchange based in Singapore, suffered a significant cyberattack that resulted in the theft of $85 million worth of digital assets. 

The platform’s hot wallets, which are linked to the internet for real-time transactions, were the primary target of the hack. These wallets are more susceptible to intrusions than cold wallets, which stay offline.

Phemex has since implemented emergency measures to safeguard user funds and initiated a comprehensive investigation into the incident.

Hackers Stealing $85 Million Worth of Digital Assets

The attack was detected at 11:30 UTC when unusual activity was observed in Phemex’s hot wallets. The attackers exploited vulnerabilities to drain assets across multiple blockchains, including Ethereum, Solana, Bitcoin, and Binance Smart Chain.


Initially estimated at $29 million by blockchain security firm Cyvers, the stolen amount was later revised to $85 million by MetaMask’s Taylor Monahan. 

PeckShield also confirmed significant losses across various chains: $20 million from Ethereum, $17 million from Solana, $13 million from XRP, and $5.3 million from Bitcoin. Other affected chains included Arbitrum, Optimism, and Base.

Phemex promptly suspended all deposit and withdrawal services following the breach. A Proof of Reserves (PoR) was released to assure users of the platform’s financial stability.

Phemex CEO Federico Variola emphasized that user funds held in cold wallets remained secure. The exchange has collaborated with third-party security firms and law enforcement agencies to investigate the breach.

“Phemex has sufficient asset reserves, and user funds are always safe,” reads the announcement.

Withdrawals have since been resumed for ETH, USDT and USDC on Ethereum, for Bitcoin, for Solana-based tokens, and for other chains such as Binance Smart Chain and Polygon.

The breach likely involved compromised private keys that allowed attackers to access multiple hot wallets simultaneously. This type of vulnerability is common in centralized exchanges (CEXs) when private keys are stored insecurely or lack multi-signature protection. 

Experts have speculated that the attack may be linked to North Korean hacking groups such as Lazarus, known for their sophisticated tactics in targeting cryptocurrency platforms.

The attackers systematically drained high-value tokens first and swapped freezable assets like USDT and USDC into ETH, which has no issuer able to blacklist addresses, to evade freezing measures. Over 125 suspicious transactions were identified across 11 blockchains.
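As an added example (not from the article, and not Phemex's own tooling), a small detector over a constructed hot-wallet transfer log for the pattern described above: a burst of outflows to unknown destinations spanning several chains in a short window, with the freezable stablecoin portion called out so a freeze request to the issuer can be prioritised. The field layout, thresholds and sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of hot-wallet outflow events (illustrative, not real Phemex data).
# Fields: UTC timestamp, chain, asset, USD value, destination is a known/whitelisted address.
EVENTS = [
    ("2025-01-01T11:29:00", "ethereum", "USDT",   250_000.0, True),
    ("2025-01-01T11:30:10", "ethereum", "USDT", 4_000_000.0, False),
    ("2025-01-01T11:30:20", "ethereum", "USDC", 3_500_000.0, False),
    ("2025-01-01T11:30:40", "solana",   "SOL",  6_000_000.0, False),
    ("2025-01-01T11:31:05", "bitcoin",  "BTC",  5_300_000.0, False),
    ("2025-01-01T11:31:30", "bsc",      "BNB",  1_200_000.0, False),
    ("2025-01-01T11:32:00", "arbitrum", "ARB",    800_000.0, False),
]
BENIGN = [  # constructed normal activity: single chain, low value
    ("2025-01-01T09:00:00", "ethereum", "ETH", 50_000.0, True),
    ("2025-01-01T09:40:00", "solana",   "SOL", 20_000.0, False),
]

# Assets whose issuer can blacklist addresses on-chain; a fast freeze request still helps here.
FREEZABLE = {"USDT", "USDC"}

def flag_drain(events, window=timedelta(minutes=5), min_chains=3, usd_limit=2_000_000.0):
    """Alert when outflows to unknown destinations span >= min_chains chains and
    exceed usd_limit inside one sliding window. Returns a list of alert dicts."""
    parsed = sorted((datetime.fromisoformat(ts), chain, asset, usd, known)
                    for ts, chain, asset, usd, known in events)
    alerts = []
    for i, (t0, _chain, _asset, _usd, known) in enumerate(parsed):
        if known:
            continue  # windows start at the first unknown-destination transfer
        burst = [e for e in parsed[i:] if e[0] - t0 <= window and not e[4]]
        chains = {e[1] for e in burst}
        total = sum(e[3] for e in burst)
        if len(chains) >= min_chains and total >= usd_limit:
            alerts.append({
                "start": t0.isoformat(),
                "chains": sorted(chains),
                "usd": total,
                # value the issuer could still freeze if a request goes out now
                "freezable_usd": sum(e[3] for e in burst if e[2] in FREEZABLE),
            })
            break  # one alert per burst; halting withdrawals is the response either way
    return alerts

if __name__ == "__main__":
    for a in flag_drain(EVENTS):
        print(f"DRAIN ALERT at {a['start']}: ${a['usd']:,.0f} across {a['chains']} "
              f"(${a['freezable_usd']:,.0f} still in freezable stablecoins)")
```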

Phemex has upgraded its security protocols with assistance from cybersecurity partners. The new system includes enhanced wallet security measures and continuous monitoring to prevent future breaches. 

Users have been advised to stop using their old deposit addresses, as deposits to those addresses now require manual review before they are processed.

The incident highlights critical vulnerabilities in cryptocurrency exchanges and underscores the importance of robust security measures.

It is recommended to adopt multi-signature wallets and decentralized finance (DeFi) protocols with stringent security audits as preventive measures.

While Phemex’s response demonstrates transparency and commitment to user protection, the incident reinforces the need for continuous vigilance in securing cryptocurrency ecosystems.
