# The Phemex Heist: $85M Vanished Across 16 Chains

## Summary

On January 24, 2025, Singapore-based centralized exchange [**Phemex**](https://phemex.com/register?group=\&referralCode=BLB8M8\&gad_source=1\&gclid=CjwKCAiAh6y9BhBREiwApBLHC2WHyREHoCLTuNXQBxhsC0dwiho4J76V06ox1NcJ4JgwaXpZXoklTxoCTJQQAvD_BwE) suffered the largest crypto heist of the year, losing between **$69M and $85M** across **16 blockchains**, according to various sources. The attacker exploited weaknesses in Phemex's hot wallets, siphoning assets such as **ETH, BTC, SOL, USDC and USDT**. The breach underscores the danger of multi-chain operations, where a single security lapse can trigger catastrophic losses across many networks at once.

Phemex, a major player in both spot and derivatives trading, is known for its deep liquidity and seamless cross-chain transactions via bridges like [**Synapse**](https://phemex.com/academy/what-is-synapse-protocol-syn-crypto). These bridges function as automated market makers (AMMs), facilitating asset swaps across different blockchains using stable swap algorithms. However, their reliance on centralized liquidity pools creates an attractive attack surface for sophisticated adversaries.

The exploit was first detected by blockchain security firms such as [**PeckShield**](https://x.com/peckshield/status/1882402547744534675?t=V6YRuhotHzO2t9WsSryncQ\&s=19) and [**Cyvers**](https://x.com/CyversAlerts/status/1882407857447997803), which flagged unusual transaction patterns originating from Phemex's hot wallets. Security logs later revealed that the attackers had gained control of these internet-connected wallets on multiple chains, including **Ethereum, BNB Chain, Optimism, Polygon, Base, and Arbitrum**.

Notably, the attackers prioritized **freeze-prone assets**, swiftly converting stablecoins into ETH to evade blacklisting. [MetaMask security researcher **Taylor Monahan** told The Block](https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say): "In this case, we see a massive amount of distinct assets drained simultaneously across a multitude of chains. The tokens are then immediately swapped for the native asset, starting with the freezable stablecoins and then working down the list by value."

In response, [Phemex suspended withdrawals and reassured users that cold wallets remained untouched.](https://x.com/Phemex_official/status/1882417902038749317) CEO [**Federico Variola** attempted to restore trust by publishing proof of reserves](https://x.com/Federico0x/status/1882411493280649237). However, the damage was already done: Ethereum alone saw $20.41M drained, followed by $17.01M on Solana.

## How did the exploit happen?

The root cause likely stems from **a compromised private key or a breach in access controls—both common patterns in CEX-related exploits**. However, what made Phemex’s case uniquely devastating was its **multi-chain footprint**, which allowed the exploit to escalate rapidly. Given the synchronized nature of the attack across 16 networks, it’s plausible that a single point of failure, such as a compromised signing mechanism or an internal key management leak, provided attackers with unrestricted access.

The attack began on **January 23, 2025, at 11:48 UTC on Solana**, and within minutes, Ethereum wallets were also drained. Over the following hours, assets were systematically siphoned from hot wallets across BNB Chain, Optimism, Polygon, Base, XRP, TRON, and Arbitrum. The attackers methodically withdrew high-value, easily blacklisted assets like USDT and USDC first, before moving on to less liquid tokens. Unlike automated flash loan exploits, this attack was manually orchestrated, with funds being funneled through fresh wallets before being consolidated for laundering.
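The pattern described above (large outflows from hot wallets to previously unseen addresses, correlated across several chains within a short window, with freezable stablecoins leaving first) is what a monitoring team would want to alert on. The detector below is an added example written for this article, not Blockscope's code; the transfer records are constructed sample data loosely modelled on the timeline, and the chain names, `KNOWN_DESTINATIONS` and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample hot-wallet outflows (not real chain data):
# (chain, utc_timestamp, token, usd_value, destination_label)
SAMPLE_OUTFLOWS = [
    ("solana",   "2025-01-23T11:48:00", "USDC", 4_000_000, "fresh-1"),
    ("solana",   "2025-01-23T11:49:00", "SOL",  9_000_000, "fresh-1"),
    ("ethereum", "2025-01-23T11:52:00", "USDT", 6_000_000, "fresh-2"),
    ("ethereum", "2025-01-23T11:53:00", "ETH",  8_000_000, "fresh-2"),
    ("bnb",      "2025-01-23T12:10:00", "USDT", 1_500_000, "fresh-3"),
    ("polygon",  "2025-01-23T12:25:00", "USDC",   300_000, "fresh-4"),
    ("base",     "2025-01-23T12:30:00", "ETH",      2_000, "fresh-5"),  # below threshold
    ("ethereum", "2025-01-22T09:00:00", "ETH",     50_000, "known-1"),  # routine sweep
]
KNOWN_DESTINATIONS = {"known-1"}   # assumed allow-list of the exchange's own addresses
FREEZABLE = {"USDT", "USDC"}       # issuer-freezable stablecoins

def _parse(rec):
    chain, ts, token, usd, dest = rec
    return chain, datetime.fromisoformat(ts), token, usd, dest

def correlated_drain(outflows, window=timedelta(hours=1), min_chains=3, min_usd=100_000):
    """Flag windows in which large outflows to unseen addresses hit >= min_chains
    chains. Each alert also records whether, per chain, a freezable stablecoin
    was the first asset to leave (the 'stablecoins first' signature)."""
    suspect = sorted(
        (_parse(r) for r in outflows if r[4] not in KNOWN_DESTINATIONS and r[3] >= min_usd),
        key=lambda x: x[1],
    )
    alerts, i = [], 0
    while i < len(suspect):
        start, j = suspect[i][1], i
        while j < len(suspect) and suspect[j][1] < start + window:
            j += 1
        batch = suspect[i:j]                      # contiguous slice inside one window
        chains = {s[0] for s in batch}
        if len(chains) >= min_chains:
            first_token = {}
            for chain, _, token, _, _ in batch:  # batch is time-ordered
                first_token.setdefault(chain, token)
            alerts.append({
                "window_start": start.isoformat(),
                "chains": sorted(chains),
                "usd_total": sum(s[3] for s in batch),
                "stablecoins_first": all(t in FREEZABLE for t in first_token.values()),
            })
            i = j                                 # skip past the alerted window
        else:
            i += 1                                # slide the window forward
    return alerts
```

On the sample data the detector raises one alert spanning four chains; lowering `min_usd` or `min_chains` trades fewer misses for more false positives from routine treasury movements.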

Given the precision and operational scale, this heist exhibits hallmarks of state-sponsored threat actors, with [speculation pointing toward **North Korean hacker groups**](https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say). Historically, similar CEX breaches have been shrouded in secrecy, making it difficult to determine the full extent of the compromise.

## Blockscope’s Investigation

Using **Blockscope's Tracer tool**, we tracked the flow of assets across six EVM chains affected by the exploit, including Ethereum. With the address group functionality, we created custom address groups that simplify the complex on-chain movements for clearer analysis.

This not only underscores Blockscope's capabilities in unraveling intricate exploits but also highlights our role in empowering security operations with actionable insights.

Below is a breakdown of the major networks breached, along with the compromised hot wallets, attacker addresses, and the amounts lost during this exploit.

| Network | Hot Wallet | Attacker Address | Amount Lost |
|---|---|---|---|
| Ethereum | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0x5B34414e95a8b8D0B16a39BAf5b97CEc1d517E22](https://etherscan.io/address/0x5b34414e95a8b8d0b16a39baf5b97cec1d517e22) | $20 M |
| Solana | [EWSHJzKpzjpwz9GuNKkXWMHXAiwtB7obSGhdFKu5QZku](https://solscan.io/account/EWSHJzKpzjpwz9GuNKkXWMHXAiwtB7obSGhdFKu5QZku) | [3q38w9HpZcVGrKp43WSJa6KQpEfSDSoAyaebuARwbU8B](https://solscan.io/account/3q38w9HpZcVGrKp43WSJa6KQpEfSDSoAyaebuARwbU8B) | $17 M |
| Bitcoin | [bc1q32sxnq5hecdurfzgzp5x0zh8du86v9x84wdqdx](https://mempool.space/address/bc1q32sxnq5hecdurfzgzp5x0zh8du86v9x84wdqdx) | [bc1q7v5se5aq37g3lw8ccgre2laktpt6qrjvxqcz4p](https://mempool.space/address/bc1q7v5se5aq37g3lw8ccgre2laktpt6qrjvxqcz4p) | $5.06 M |
| XRP | [rQKKvBvEfXbTThkqrtqaY3sAKuW6iqcMzX](https://mainnet.xrpl.org/accounts/rQKKvBvEfXbTThkqrtqaY3sAKuW6iqcMzX) | [rGSu6JJ9dLZ3mpfGhtFczNjZjgoHEJcHgf](https://mainnet.xrpl.org/accounts/rGSu6JJ9dLZ3mpfGhtFczNjZjgoHEJcHgf) | $13.48 M |
| Arbitrum | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0x069987773b3DeE7AC4afFb9f06A4a90f9984AB10](https://arbiscan.io/address/0x069987773b3dee7ac4affb9f06a4a90f9984ab10) | $988.22 K |
| Optimism | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0xE9AA4a999ca1D9093054CF4f5dc221a06D433650](https://optimistic.etherscan.io/address/0xe9aa4a999ca1d9093054cf4f5dc221a06d433650) | $497.46 K |
| Avalanche | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0x17BCC630B1409637D42dFb278f8E2ea9fc862631](https://snowtrace.io/address/0x17BCC630B1409637D42dFb278f8E2ea9fc862631) | $1.08 M |
| TRON | [THAABzWrhp84Nr7gxss7qhtzA5mp3d1qUo](https://tronscan.org/#/address/THAABzWrhp84Nr7gxss7qhtzA5mp3d1qUo) | [TBz3DH6GUpg4cEGrcKzs8gSTvLQCGaYk5F](https://tronscan.org/#/address/TBz3DH6GUpg4cEGrcKzs8gSTvLQCGaYk5F) | $1.7 M |
| BSC | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0x6C42F03d730b7643939fA1D00416cB2985eD9cF3](https://bscscan.com/address/0x6c42f03d730b7643939fa1d00416cb2985ed9cf3) | $3.33 M |
| Base | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0x392d99Ec0348172C046cd64b85C21Df0927ab946](https://basescan.org/address/0x392d99ec0348172c046cd64b85c21df0927ab946) | $2.42 M |
| Polygon | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0xf493033B14cE39CBC6a283921eA50919C5D43Dfe](https://polygonscan.com/address/0xf493033b14ce39cbc6a283921ea50919c5d43dfe) | $685.42 K |
| zkSync Era | [0x50be13b54f3eebbe415d20250598d81280e56772](https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772) | [0xEba89b66C132E7fAd2a238BF416Fb9d45dcAd1FF](https://era.zksync.network/address/0xeba89b66c132e7fad2a238bf416fb9d45dcad1ff) | $256 K |
| Sui | [0x51fc8f63faf7b22d401623f9c3ae5183e564d701741770f12ad1851c6c45a0c8](https://suiscan.xyz/mainnet/account/0x51fc8f63faf7b22d401623f9c3ae5183e564d701741770f12ad1851c6c45a0c8) | [0x4eff816c3fe9bd163d223546ef60020f0162ab4206339a0f14bdb60b639f0794](https://suiscan.xyz/mainnet/account/0x4eff816c3fe9bd163d223546ef60020f0162ab4206339a0f14bdb60b639f0794/) | $2.97 M |

The same Ethereum hot wallet address (0x50be13b54f3eebbe415d20250598d81280e56772) was in use on every EVM-compatible chain listed, which is why one key compromise could be cashed out on all of them.

Source: Blockscope's Wallet Profiler, [Rekt](https://rekt.news/phemex-rekt/), [PeckShield](https://x.com/peckshield/status/1882781762411176037), and [ChainCatcher](https://www.chaincatcher.com/en/article/2164582)

In the following sections, we will delve into the **mechanics of the hack on Ethereum** and some major **Layer 2 networks**, offering a comprehensive look at this multi-million-dollar breach.
