# Ethereum

Ethereum suffered the biggest loss in the Phemex exploit, with approximately $20 million drained across multiple transactions over roughly 1.5 hours. The attacker systematically emptied Phemex’s hot wallets on Ethereum, siphoning native ETH, wBTC, and stablecoins such as USDC, USDT, DAI, USDP, GUSD, and BUSD. A wide range of other ERC-20 tokens and meme coins, including PEPE, AAVE, and GALA, were stolen as well.

**Hot Wallet:** 0x50be13b54f3eebbe415d20250598d81280e56772

**Exploiter:** 0x5b34414e95a8b8d0b16a39baf5b97cec1d517e22

**Time of Breach:** 11:49 UTC

**Amount lost**: $20 M approx.

## On-chain Activity

The exploit on Ethereum was highly complex, involving dozens of tokens. However, Blockscope's tools streamlined the investigation, making it manageable. Our Tracer tool efficiently visualized the movement of assets, consolidating major tokens into a single, comprehensive analysis. The tracer below illustrates the interaction between Phemex’s hot wallet and the attacker’s address, with USDC, the largest stolen asset on Ethereum (~$1.77M), used as the primary example.

<figure><img src="/files/7JHEGn5t8J4mgmVr5hiV" alt=""><figcaption><p>Tracer showing Exploiter draining 1.76 M USDC from Phemex Hot Wallet</p></figcaption></figure>

Once the exploiter drained funds from Phemex’s hot wallet, the "funnel and tunnel" phase began. To highlight the complexity of the exploit, we created a focused tracer using only five tokens—ETH, AAVE, USDT, USDC, and PEPE—depicting just the first and second stages of tunneling into side wallets and exchanges, which we have grouped as "Side Wallets" and "DeFi Platforms".

<figure><img src="/files/8CFyJBFg9sNEiIHajs2k" alt=""><figcaption><p>Ethereum Tracer for Phemex Exploit showing movement of top 5 assets</p></figcaption></figure>

The tracer above reveals that the exploiter funneled stolen assets through various DeFi platforms like [**Uniswap**](https://app.uniswap.org/)**,** [**SushiSwap**](https://www.sushi.com/ethereum/swap)**,** [**DODO**](https://dodoex.io/en)**,** and [**1inch**](https://1inch.io/), swapping and redistributing funds across multiple addresses. To map out the exploiter's broader network of side wallets and linked addresses, we leveraged Blockscope’s **Cohort Analyzer tool**—filtering out DeFi protocol contracts to isolate only the exploiter’s activity.

<figure><img src="/files/pOt6hTJ6YXZRjdadRNW5" alt=""><figcaption><p>Cohort Analysis</p></figcaption></figure>

## Breakdown and Timeline

### January 23, 2025 - 11:49 UTC

The Phemex Exploiter (0x5b34..) initiated the exploit on Ethereum, first draining funds from Phemex’s Hot Wallet (0x50be..). The first asset drained was USDC (~1,767,958 USDC, about $1.77M).

Tx. hash: 0xcf345cddde4286f7e2d37e9783f5e8c33f47a125a23370423596f92f3b884b62

<figure><img src="/files/ym8xv4sNPtcxQqKjiSD6" alt=""><figcaption><p>USDC being stolen from Phemex Hot Wallet</p></figcaption></figure>

### January 23, 2025 - Between 11:50 - 13:31 UTC

The exploiter (0x5b34..) continued draining assets from Phemex’s hot wallet (0x50be..). Our investigation revealed that more than 150 tokens, including stablecoins, protocol tokens, and meme coins, were siphoned.

Tx. hashes for the major asset drains:

- USDT: 0xe7ce7b050242d99f673a76792596d1f47f76eec73d229e4b35bf2d3be9ec9722
- AAVE: 0xf63b542f23fd150659e66c34700dc584c7bb12afcef1e7cf2109abf077dafdd7
- SHIBA INU: 0xcb5d4a99cb121396d11b407529f18f6659c0656921f32bd35be9ee9022d719d7
- ETH: 0x87755934af576784b6c31f583c270981e867f018d5760ff1a64f652be1303cc1

<figure><img src="/files/sHMCmV9Q6UQvCO20HRHu" alt=""><figcaption><p>First transactions of the exploit on Ethereum, shown using the Transaction Decoder</p></figcaption></figure>

**One notable pattern: the high-value, freezable assets (USDC, USDT and the other centrally issued stablecoins, whose issuers can blacklist addresses) were drained first, between 11:49 and 11:55 UTC, while meme coins and protocol-native tokens were taken later. This ordering points to a deliberate, structured strategy: cash out the most liquid assets before an issuer could intervene, then sweep everything else.**
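The drain ordering described above can be checked directly from raw `eth_getLogs` output rather than read off a tracer. The following Python is an added example, not Blockscope's tooling or code from the original write-up: it decodes ERC-20 `Transfer` logs, keeps only victim-to-attacker movements, totals them per token and tests whether every freezable (centrally issued) stablecoin was hit before any non-freezable token. The hot-wallet and exploiter addresses are the ones given above; the token contract addresses, block numbers, timestamps and amounts are constructed placeholders. Native ETH transfers emit no log and would have to be taken from transaction traces instead.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# keccak256 of the ERC-20 event signatures (these two topic hashes are the real ones).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

HOT_WALLET = "0x50be13b54f3eebbe415d20250598d81280e56772"
EXPLOITER = "0x5b34414e95a8b8d0b16a39baf5b97cec1d517e22"
CUSTOMER = "0x00000000000000000000000000000000000000c1"  # placeholder: an unrelated withdrawer

# token contract -> (symbol, decimals, issuer can blacklist/freeze holders)
# Contract addresses here are placeholders for this example, NOT mainnet addresses.
TOKENS = {
    "0x0000000000000000000000000000000000000001": ("USDC", 6, True),
    "0x0000000000000000000000000000000000000002": ("USDT", 6, True),
    "0x0000000000000000000000000000000000000003": ("AAVE", 18, False),
    "0x0000000000000000000000000000000000000004": ("PEPE", 18, False),
}


@dataclass(frozen=True)
class Transfer:
    block: int
    log_index: int
    timestamp: int  # unix seconds; in practice taken from the block header
    token: str
    sender: str
    recipient: str
    raw_amount: int


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; the address is the low 20 bytes."""
    return ("0x" + topic[-40:]).lower()


def decode_transfer(log: dict) -> Optional[Transfer]:
    """Decode one eth_getLogs record into a Transfer, or None if it is not one.
    A standard ERC-20 Transfer carries exactly three topics: signature, from, to."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return Transfer(
        block=int(log["blockNumber"], 16),
        log_index=int(log["logIndex"], 16),
        timestamp=log["timestamp"],
        token=log["address"].lower(),
        sender=topic_to_address(topics[1]),
        recipient=topic_to_address(topics[2]),
        raw_amount=int(log["data"], 16),
    )


def drain_transfers(logs, victim, attacker):
    """Transfers victim -> attacker, in on-chain order (block, then log index)."""
    hits = []
    for log in logs:
        t = decode_transfer(log)
        if t and t.sender == victim.lower() and t.recipient == attacker.lower():
            hits.append(t)
    return sorted(hits, key=lambda t: (t.block, t.log_index))


def totals_by_token(transfers):
    """Sum per symbol, scaled by each token's decimals."""
    totals = defaultdict(Decimal)
    for t in transfers:
        symbol, decimals, _ = TOKENS[t.token]
        totals[symbol] += Decimal(t.raw_amount) / (Decimal(10) ** decimals)
    return dict(totals)


def drain_order(transfers):
    """Token symbols in the order the attacker first touched them."""
    order = []
    for t in transfers:
        symbol = TOKENS[t.token][0]
        if symbol not in order:
            order.append(symbol)
    return order


def freezable_drained_first(transfers) -> bool:
    """True if every freezable token was first hit before any non-freezable one,
    i.e. the 'most liquid and most at risk of a freeze goes first' ordering."""
    first_seen = {}
    for t in transfers:
        first_seen.setdefault(t.token, t.timestamp)
    freezable = [ts for tok, ts in first_seen.items() if TOKENS[tok][2]]
    other = [ts for tok, ts in first_seen.items() if not TOKENS[tok][2]]
    if not freezable or not other:
        return True  # nothing to compare; the ordering holds vacuously
    return max(freezable) < min(other)


def _log(token, sender, recipient, amount, block, index, ts, topic=TRANSFER_TOPIC):
    """Build one record in the shape eth_getLogs returns (constructed sample data)."""
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": token, "topics": [topic, pad(sender), pad(recipient)],
            "data": hex(amount), "blockNumber": hex(block), "logIndex": hex(index),
            "timestamp": ts}


T0 = 1737632940  # 2025-01-23 11:49:00 UTC; later offsets are constructed
USDC, USDT, AAVE, PEPE = list(TOKENS)
SAMPLE_LOGS = [
    _log(USDC, HOT_WALLET, EXPLOITER, 1_767_958 * 10**6, 21_680_000, 42, T0),
    _log(USDC, HOT_WALLET, EXPLOITER, 10**6, 21_680_000, 43, T0, topic=APPROVAL_TOPIC),  # not a Transfer
    _log(USDT, HOT_WALLET, EXPLOITER, 900_000 * 10**6, 21_680_010, 7, T0 + 120),
    _log(USDC, HOT_WALLET, CUSTOMER, 250 * 10**6, 21_680_011, 3, T0 + 130),  # ordinary withdrawal
    _log(AAVE, HOT_WALLET, EXPLOITER, 2_500 * 10**18, 21_680_070, 15, T0 + 840),
    _log(PEPE, HOT_WALLET, EXPLOITER, 5_000_000_000 * 10**18, 21_680_200, 88, T0 + 2460),
]

if __name__ == "__main__":
    drains = drain_transfers(SAMPLE_LOGS, HOT_WALLET, EXPLOITER)
    print("order:", drain_order(drains))
    print("totals:", totals_by_token(drains))
    print("freezable first:", freezable_drained_first(drains))
```

On real data the same functions run over the `eth_getLogs` result for the hot wallet's address in `topics[1]`, with timestamps joined in from `eth_getBlockByNumber`; the Approval record and the unrelated withdrawal in the sample show the two filters (wrong event, wrong counterparty) that keep noise out of the drain timeline.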

<figure><img src="/files/7w1zwt4f5KHF0bIDuIGp" alt=""><figcaption><p>Last Transactions of Exploit on Ethereum </p></figcaption></figure>

### January 23, 2025 - Between 12:00 - 15:00 UTC

As the exploiter drained assets, they simultaneously transferred funds from the main wallet to four key side wallets, as shown in the tracer below. Within minutes, these assets were further tunneled into additional side wallets, creating multiple layers of obfuscation.

Side wallets:

1. 0x140dea3b704d724ddff41597b35a10ce0189661f
2. 0x069987773b3dee7ac4affb9f06a4a90f9984ab10
3. 0x6c42f03d730b7643939fa1d00416cb2985ed9cf3
4. 0x17bcc630b1409637d42dfb278f8e2ea9fc862631

<figure><img src="/files/ZVgTIp7Nrv1SFrV3xySo" alt=""><figcaption><p>Tracer showing the top 5 stolen assets being sent to side wallets by the exploiter</p></figcaption></figure>

### January 23, 2025 - Around 14:00 UTC

With the valuable assets fully drained, the exploiter shifted focus to tunneling and swapping tokens through DeFi services like Uniswap, SushiSwap, DODO, and 1inch.

<figure><img src="/files/T4WfKSi9APYTaejzVbDG" alt=""><figcaption></figcaption></figure>

**The tracer below provides a clear example of this strategy—one of the exploiter's side wallets, 0x0699..., sends AAVE and PEPE, receiving ETH in return.** This pattern was repeated across multiple side wallets, allowing the exploiter to convert a variety of stolen assets into ETH and other liquid tokens, ensuring easier laundering and reducing exposure to asset freezes. At present, the exploiter still holds funds across several side wallets and is actively working to launder them.
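The side-wallet layering and the swap pattern above can be reconstructed from a flat list of transfers with a short traversal. The following Python is an added example, not part of the original write-up or of Blockscope's Cohort Analyzer: it walks outgoing transfers from the exploiter address breadth-first and assigns each wallet a hop depth while skipping known protocol contracts, pairs a wallet's outbound token with what it receives back in the same transaction to surface swaps, and nets inflows against outflows to show what each side wallet still holds. The exploiter and side-wallet addresses are those named above; the DEX router address, the second-layer wallet, the transaction hashes and the amounts are constructed.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Edge(NamedTuple):
    tx: str          # transaction hash (shortened placeholders below)
    sender: str
    recipient: str
    token: str       # symbol; "ETH" marks a native value transfer
    amount: float    # sample amounts chosen to be exactly representable


EXPLOITER = "0x5b34414e95a8b8d0b16a39baf5b97cec1d517e22"
SIDE = [
    "0x140dea3b704d724ddff41597b35a10ce0189661f",
    "0x069987773b3dee7ac4affb9f06a4a90f9984ab10",
    "0x6c42f03d730b7643939fa1d00416cb2985ed9cf3",
    "0x17bcc630b1409637d42dfb278f8e2ea9fc862631",
]
# Placeholders (constructed): a DEX router contract and a second-layer wallet.
DEX_ROUTER = "0x00000000000000000000000000000000000000de"
LAYER2_WALLET = "0x00000000000000000000000000000000000000a1"
PROTOCOL_CONTRACTS = {DEX_ROUTER}

# Constructed sample edges mirroring the pattern in the write-up.
SAMPLE_EDGES = [
    Edge("0xt1", EXPLOITER, SIDE[0], "USDT", 500_000),
    Edge("0xt2", EXPLOITER, SIDE[1], "AAVE", 2_500),
    Edge("0xt2", EXPLOITER, SIDE[1], "PEPE", 5e9),
    Edge("0xt3", EXPLOITER, SIDE[2], "USDC", 400_000),
    Edge("0xt4", EXPLOITER, SIDE[3], "ETH", 120),
    Edge("0xt5", SIDE[0], LAYER2_WALLET, "USDT", 499_000),   # second layer of tunneling
    Edge("0xt6", SIDE[1], DEX_ROUTER, "AAVE", 2_500),        # swap: AAVE out ...
    Edge("0xt6", DEX_ROUTER, SIDE[1], "ETH", 210.5),         # ... ETH back, same tx
    Edge("0xt7", SIDE[1], DEX_ROUTER, "PEPE", 5e9),
    Edge("0xt7", DEX_ROUTER, SIDE[1], "ETH", 18.25),
]


def hop_layers(edges, origin, protocol_contracts, max_hops=3):
    """Breadth-first walk over outgoing transfers. Protocol contracts (routers,
    pools) are never treated as wallets or expanded, so swap legs do not appear
    as hops to new addresses; only the attacker's own wallet graph remains."""
    outgoing = defaultdict(list)
    for e in edges:
        outgoing[e.sender].append(e.recipient)
    layers = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if layers[addr] >= max_hops:
            continue
        for nxt in outgoing[addr]:
            if nxt in protocol_contracts or nxt in layers:
                continue
            layers[nxt] = layers[addr] + 1
            queue.append(nxt)
    return layers


def swaps(edges, wallet, protocol_contracts):
    """Pair each token a wallet sends to a protocol contract with what it
    receives from a protocol contract in the same transaction."""
    legs = defaultdict(lambda: {"out": [], "in": []})
    for e in edges:
        if e.sender == wallet and e.recipient in protocol_contracts:
            legs[e.tx]["out"].append(e.token)
        elif e.recipient == wallet and e.sender in protocol_contracts:
            legs[e.tx]["in"].append(e.token)
    return [(o, i) for tx in legs.values() for o in tx["out"] for i in tx["in"]]


def net_holdings(edges, addresses):
    """Inflow minus outflow per (address, token): what is still parked where."""
    balance = defaultdict(float)
    for e in edges:
        if e.recipient in addresses:
            balance[(e.recipient, e.token)] += e.amount
        if e.sender in addresses:
            balance[(e.sender, e.token)] -= e.amount
    return {k: v for k, v in balance.items() if abs(v) > 1e-9}


if __name__ == "__main__":
    for addr, hop in sorted(hop_layers(SAMPLE_EDGES, EXPLOITER, PROTOCOL_CONTRACTS).items(),
                            key=lambda kv: kv[1]):
        print(f"hop {hop}: {addr}")
    print("swaps by", SIDE[1][:6], swaps(SAMPLE_EDGES, SIDE[1], PROTOCOL_CONTRACTS))
    print("still held:", net_holdings(SAMPLE_EDGES, set(SIDE)))
```

In a real investigation the edge list comes from decoded `Transfer` logs plus native-value transfers from traces, and the protocol-contract set would be populated from a contract-label source (router, pool and aggregator addresses); the skip rule is what keeps a DEX from appearing as a "side wallet" with thousands of unrelated counterparties.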

<figure><img src="/files/Na9gzqeNVxG3K8OwXt1S" alt=""><figcaption><p>Tracer showing Swapping of AAVE and PEPE by the Exploiter </p></figcaption></figure>

This highly orchestrated exploit drained approximately $20M from Phemex’s Ethereum hot wallet alone, but it was only part of a broader operation. A parallel attack on Solana began at 11:49 UTC, in the same minute as the first Ethereum drain, and took a further $17M on that chain, one of the largest Layer 1 networks today.

## **Beyond Ethereum: The Multichain Expansion**

While Ethereum suffered significant losses, the exploit was not confined to a single chain. The exploiter leveraged a multichain strategy, expanding their operations across Layer-2 networks to further obscure and diversify stolen funds.

In the next section, we’ll investigate how this coordinated heist unfolded across multiple Layer-2 ecosystems, examining potential synergies between Mainnet and Layer-2 addresses and uncovering the deeper cross-chain laundering tactics employed.
