The Phemex Heist: $85M Vanished Across 16 Chains

Summary
On January 24, 2025, Singapore-based centralized exchange Phemex suffered the largest crypto heist of the year, losing between $69M and $85M across 16 blockchains, as per various sources. The attacker exploited vulnerabilities in Phemex’s hot wallets, siphoning assets like ETH, BTC, SOL, USDC and USDT. This breach underscores the dangers of multi-chain operations—where a single security lapse can trigger catastrophic losses across multiple networks.
Phemex, a major player in both spot and derivatives trading, is known for its deep liquidity and seamless cross-chain transactions via bridges like Synapse. These bridges function as automated market makers (AMMs), facilitating asset swaps across different blockchains using stable swap algorithms. However, their reliance on centralized liquidity pools creates an attractive attack surface for sophisticated adversaries.
The exploit was first detected by blockchain security firms like PeckShield and Cyvers, which flagged unusual transaction patterns originating from Phemex’s hot wallets. Security logs later revealed that attackers had infiltrated these internet-connected wallets on multiple chains, including Ethereum, BNB Chain, Optimism, Polygon, Base, and Arbitrum.

Notably, the attackers prioritized freeze-prone assets, swiftly converting stablecoins into ETH to evade blacklisting. MetaMask security researcher Taylor Monahan told The Block, "In this case, we see a massive amount of distinct assets drained simultaneously across a multitude of chains. The tokens are then immediately swapped for the native asset, starting with the freezable stablecoins and then working down the list by value."
In response, Phemex suspended withdrawals and reassured users that cold wallets remained untouched. CEO Federico Variola attempted to restore trust by publishing proof of reserves. However, the damage was already done—Ethereum alone saw $20.41M drained, followed by $17.01M on Solana.

How Did the Exploit Happen?
The root cause likely stems from a compromised private key or a breach in access controls—both common patterns in CEX-related exploits. However, what made Phemex’s case uniquely devastating was its multi-chain footprint, which allowed the exploit to escalate rapidly. Given the synchronized nature of the attack across 16 networks, it’s plausible that a single point of failure, such as a compromised signing mechanism or an internal key management leak, provided attackers with unrestricted access.
The attack began on January 23, 2025, at 11:48 UTC on Solana, and within minutes, Ethereum wallets were also drained. Over the following hours, assets were systematically siphoned from hot wallets across BNB Chain, Optimism, Polygon, Base, XRP, TRON, and Arbitrum. The attackers methodically withdrew high-value, easily blacklisted assets like USDT and USDC first, before moving on to less liquid tokens. Unlike automated flash loan exploits, this attack was manually orchestrated, with funds being funneled through fresh wallets before being consolidated for laundering.
Given the precision and operational scale, this heist exhibits hallmarks of state-sponsored threat actors, with speculation pointing toward North Korean hacker groups. Historically, similar CEX breaches have been shrouded in secrecy, making it difficult to determine the full extent of the compromise.
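The pattern described above (hot-wallet outflows on several chains within minutes, freezable stablecoins first) is one a withdrawal-monitoring job can alert on. The sketch below is an added example, not Blockscope's or Phemex's code; the record layout, thresholds, `FREEZABLE` set and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta

FREEZABLE = {"USDT", "USDC"}  # assumption: issuer-freezable assets to watch

# Constructed hot-wallet outflow records (illustrative, not real Phemex data):
# (UTC time, chain, asset, usd_value, destination_seen_before)
SAMPLE = [
    ("2025-01-23T09:10:00", "ethereum", "ETH", 40_000, True),    # routine payout
    ("2025-01-23T09:30:00", "polygon", "USDT", 5_000, False),    # new customer address
    ("2025-01-23T11:48:00", "solana", "USDC", 900_000, False),
    ("2025-01-23T11:50:00", "solana", "SOL", 700_000, False),
    ("2025-01-23T11:52:00", "ethereum", "USDT", 1_200_000, False),
    ("2025-01-23T11:55:00", "ethereum", "ETH", 800_000, False),
    ("2025-01-23T12:05:00", "arbitrum", "USDC", 300_000, False),
]


def detect_multichain_drain(events, window=timedelta(minutes=30),
                            min_chains=3, min_usd=1_000_000):
    """Return the first alert where outflows to never-seen destinations span
    min_chains chains and min_usd within one sliding window, else None."""
    rows = sorted((datetime.fromisoformat(t), chain, asset, usd)
                  for t, chain, asset, usd, known in events if not known)
    start = 0
    for end in range(len(rows)):
        # Shrink the window from the left until it fits the time bound.
        while rows[end][0] - rows[start][0] > window:
            start += 1
        win = rows[start:end + 1]
        chains = sorted({r[1] for r in win})
        total = sum(r[3] for r in win)
        if len(chains) >= min_chains and total >= min_usd:
            # Chains whose first outflow in the window was a freezable asset:
            # the stablecoin-first ordering described above.
            first_asset = {}
            for _, chain, asset, _ in win:
                first_asset.setdefault(chain, asset)
            return {
                "window_start": win[0][0].isoformat(),
                "triggered_at": win[-1][0].isoformat(),
                "chains": chains,
                "usd": total,
                "freezable_first": sorted(c for c, a in first_asset.items()
                                          if a in FREEZABLE),
            }
    return None


if __name__ == "__main__":
    print(detect_multichain_drain(SAMPLE))
```

Correlating per-chain withdrawal feeds into one time-ordered stream is what makes the alert possible; each chain viewed alone stays under the three-chain threshold.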
Blockscope’s Investigation
Utilizing Blockscope’s Tracer tool, we meticulously tracked the flow of assets across six different EVM chains, including Ethereum, compromised by the exploit. Through our address group functionality, we created custom address groups, simplifying the complex on-chain movements for clearer analysis.
This not only underscores Blockscope's capabilities in unraveling intricate exploits but also highlights our role in empowering security operations with actionable insights.

Below is a breakdown of the major networks breached, along with the compromised hot wallets, attacker addresses, and the amounts lost during this exploit.
BITCOIN: $5.06 M
ARBITRUM: $988.22 K
OPTIMISM: $497.46 K
AVALANCHE: $1.08 M
POLYGON: $685.42 K
ZKSYNC ERA: $256 K
Source: Blockscope's Wallet Profiler, Rekt, PeckShield, and ChainCatcher
In the following sections, we will delve into the mechanics of the hack on Ethereum and some major Layer 2 networks, offering a comprehensive look at this multi-million-dollar breach.