On January 23, 2025, attackers drained over $85 million in digital assets from cryptocurrency exchange Phemex by targeting its hot wallet infrastructure. Initial on-chain analysis by PeckShield estimated losses at $29 million; a subsequent investigation by MetaMask’s Taylor Monahan revised the figure to $85 million across multiple blockchain networks. Cold storage systems, holding the majority of user funds, were not compromised.
Attack Vector: Hot Wallet Compromise
Hot wallets — the exchange’s internet-connected signing infrastructure used for processing daily withdrawals — were the exclusive target. Phemex has not publicly attributed the attack to a specific threat actor or disclosed the initial access method. PeckShield’s on-chain tracing identified suspicious outflows from Phemex addresses on Ethereum, Solana, Arbitrum, Optimism, BSC, Polygon, and Base simultaneously, consistent with a coordinated multi-chain withdrawal using compromised private keys rather than a smart contract exploit. The Lazarus Group has historically executed similar multi-chain hot wallet drains against exchanges, though no formal attribution has been made for this incident. The CISA advisory on cryptocurrency platform security provides baseline guidance for exchange operators.
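The tell-tale pattern PeckShield describes, outflows from hot wallets on many chains inside the same few minutes, is something an exchange's own monitoring can alert on before the balances are gone. The following is an added example of such a detector, not Phemex's or PeckShield's tooling: it slides a short window over an outflow feed, compares each chain's outflow in that window against a quiet-period baseline, and only raises an alert when several chains spike together (a single-chain spike is normal market activity, a simultaneous one is not). The event feed, addresses, baseline figures and thresholds are all constructed for illustration.

```python
"""Flag coordinated multi-chain hot-wallet drains in an outflow feed.

Added example. Every address, amount, chain baseline and threshold below is
constructed for illustration and is not data from the Phemex incident.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outflow:
    ts: int        # unix seconds
    chain: str
    wallet: str    # hot-wallet address the funds left (constructed)
    usd: float     # value of the transfer in USD


# Constructed baseline: median outflow per hour per chain during a quiet week.
BASELINE_HOURLY_USD = {
    "ethereum": 50_000.0, "solana": 10_000.0, "arbitrum": 5_000.0,
    "optimism": 1_000.0, "bsc": 5_000.0, "polygon": 2_000.0, "base": 1_000.0,
}

# Constructed feed: normal traffic, one legitimate single-chain spike, then a
# simultaneous drain on five chains starting at ts=3600.
SAMPLE_OUTFLOWS = [
    Outflow(0, "ethereum", "0xhot-eth-constructed", 2_000.0),
    Outflow(600, "solana", "HotSolConstructed", 500.0),
    Outflow(1200, "ethereum", "0xhot-eth-constructed", 3_000.0),
    Outflow(2000, "ethereum", "0xhot-eth-constructed", 100_000.0),  # one chain only
    Outflow(3600, "ethereum", "0xhot-eth-constructed", 5_000_000.0),
    Outflow(3605, "solana", "HotSolConstructed", 800_000.0),
    Outflow(3610, "arbitrum", "0xhot-arb-constructed", 300_000.0),
    Outflow(3620, "polygon", "0xhot-poly-constructed", 150_000.0),
    Outflow(3630, "base", "0xhot-base-constructed", 90_000.0),
]


def detect_coordinated_drain(events, window_s=300, multiplier=10.0,
                             min_chains=3, baseline=BASELINE_HOURLY_USD):
    """Return one alert per incident where >= min_chains chains each exceed
    multiplier x their baseline outflow within a window_s-second window.

    A chain missing from the baseline has an expected outflow of 0, so any
    outflow on it counts as a spike: unknown chains are treated as suspicious.
    """
    events = sorted(events, key=lambda e: e.ts)
    scale = window_s / 3600          # convert hourly baseline to the window size
    alerts = []
    last_alert_ts = None
    for i, start in enumerate(events):
        per_chain = defaultdict(float)
        for e in events[i:]:          # events in [start.ts, start.ts + window_s)
            if e.ts >= start.ts + window_s:
                break
            per_chain[e.chain] += e.usd
        spiking = sorted(
            chain for chain, usd in per_chain.items()
            if usd > multiplier * baseline.get(chain, 0.0) * scale
        )
        if len(spiking) < min_chains:
            continue
        # Collapse overlapping windows of the same incident into a single alert.
        if last_alert_ts is not None and start.ts - last_alert_ts < window_s:
            continue
        alerts.append({
            "window_start": start.ts,
            "chains": spiking,
            "total_usd": sum(per_chain[c] for c in spiking),
        })
        last_alert_ts = start.ts
    return alerts


if __name__ == "__main__":
    for alert in detect_coordinated_drain(SAMPLE_OUTFLOWS):
        print(f"ALERT t={alert['window_start']}: {len(alert['chains'])} chains "
              f"draining simultaneously, ${alert['total_usd']:,.0f}: {alert['chains']}")
```

The single-chain spike at ts=2000 is deliberately left unflagged: the point of the rule is that correlation across chains is the signal for a key compromise, and an alert on it should feed straight into the withdrawal-suspension procedure rather than a human queue.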
Phemex’s Immediate Response
Upon detecting the suspicious activity, Phemex suspended all deposit and withdrawal functions, applied system-wide isolation protocols, engaged law enforcement and external cybersecurity specialists, and published a proof-of-reserves to demonstrate that user funds in cold storage remained intact. ETH, USDT, and USDC withdrawals across the affected networks were restored in a phased sequence as security reviews for each network were completed.
What Phemex Users Should Do
- Verify your account’s withdrawal whitelist — confirm no unfamiliar addresses were added during or after the incident window (January 23, 2025).
- Enable 2FA using a hardware token or authenticator app rather than SMS if not already active; account-level 2FA does not protect against an exchange-side key compromise, but it reduces your own account's attack surface.
- For holdings exceeding your short-term trading needs, transfer assets to a self-custody wallet (hardware wallet) where you control the private key — no exchange compromise can affect funds held outside the exchange.
- Monitor official Phemex announcements at phemex.com for updates on compensation and service restoration timelines.
- Report any unauthorized account activity directly to Phemex support and retain transaction IDs for any dispute process.
Phemex’s hot wallet architecture at the time of the incident kept a larger fraction of liquid assets online than industry best practice recommends, contributing to the loss magnitude. Exchanges that minimize hot wallet balances to the minimum needed for 24-hour settlement reduce their exposure in exactly this scenario.
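Sizing a hot wallet to "the minimum needed for 24-hour settlement" is a concrete calculation an operator can run daily. The block below is an added example of one way to do it, not Phemex's policy or code: for each chain it takes a history of daily withdrawal totals, picks a high percentile (nearest-rank) as the expected worst normal day, adds a buffer, and reports how much of the current hot balance is excess that belongs in cold storage (or how much must be swept in to cover settlement). The withdrawal histories and balances are constructed and in millions of USD; the percentile and buffer are assumed policy parameters.

```python
"""Size hot-wallet balances from withdrawal history.

Added example. The daily withdrawal figures and current balances are
constructed (millions of USD); the 95th-percentile and 25% buffer are
assumed policy parameters, not an industry standard quoted from anywhere.
"""
import math

# Constructed: total daily withdrawals per chain over the last 10 days.
WITHDRAWAL_HISTORY_MUSD = {
    "ethereum": [1.0, 1.2, 0.9, 1.5, 1.1, 1.3, 0.8, 1.4, 1.0, 1.6],
    "solana":   [0.2, 0.3, 0.25, 0.4, 0.35, 0.3, 0.2, 0.45, 0.3, 0.35],
}

# Constructed: what is currently sitting in the online signing wallets.
CURRENT_HOT_BALANCE_MUSD = {"ethereum": 10.0, "solana": 0.5}


def percentile_nearest_rank(values, p):
    """Nearest-rank percentile: the smallest value such that at least p of
    the observations are <= it. Simple, and never interpolates beyond data."""
    if not values:
        raise ValueError("need at least one observation")
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def hot_wallet_review(history, current, percentile=0.95, buffer=1.25):
    """Per chain: target hot balance, current balance, and the transfer needed
    in either direction to reach the target."""
    review = {}
    for chain, daily_totals in history.items():
        target = percentile_nearest_rank(daily_totals, percentile) * buffer
        balance = current.get(chain, 0.0)
        review[chain] = {
            "target": target,
            "current": balance,
            "excess_to_cold": max(0.0, balance - target),
            "shortfall_from_cold": max(0.0, target - balance),
        }
    return review


def total_excess_exposure(review):
    """Sum of hot balances above target across all chains: the amount that is
    online only out of convenience and would be lost in a full key compromise."""
    return sum(r["excess_to_cold"] for r in review.values())


if __name__ == "__main__":
    review = hot_wallet_review(WITHDRAWAL_HISTORY_MUSD, CURRENT_HOT_BALANCE_MUSD)
    for chain, r in review.items():
        print(f"{chain:9s} target {r['target']:.3f}M  current {r['current']:.3f}M  "
              f"sweep to cold {r['excess_to_cold']:.3f}M  "
              f"top up from cold {r['shortfall_from_cold']:.3f}M")
    print(f"avoidable exposure: {total_excess_exposure(review):.3f}M")
```

Run on the constructed figures, the ethereum wallet holds five times its settlement need while the solana wallet is slightly under-funded; the useful output is the per-chain sweep list, which a daily cold-storage rebalancing job can act on so that the online balance tracks actual withdrawal demand rather than growing unbounded.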