Phemex Exchange Hack Losses Exceed $70 Million; North Korean Hackers Suspected

North Korean hackers are suspected to be behind the breach of the Singapore-based cryptocurrency exchange Phemex, according to several experts cited by The Block.

MetaMask’s chief security researcher, Taylor Monahan, noted that the attack involved the simultaneous withdrawal of “a huge amount of various assets” from multiple networks.

Initially, the perpetrators stole funds in Bitcoin, Ethereum, Solana, and stablecoins, then shifted to less popular coins. Millions of stolen USDC and USDT were rapidly exchanged for ETH to avoid freezing.

According to Etherscan, at least 275 transactions are linked to EVM networks, including Arbitrum, Base, Polygon, Optimism, and zkSync.

Analysts from Arkham reported that the hackers almost completely drained the exchange’s hot wallets, leaving only small amounts in lesser-known altcoins.

“All this activity occurred simultaneously, but not via scripts. Assets were manually exchanged and then transferred to a fresh address,” Monahan added.

Considering the number of transactions and the wide range of targeted blockchains, she believes the hack was carried out by “a group of perpetrators who have done this many times before.”

An anonymous crypto threat researcher, SomaXBT.eth, suggested the involvement of North Korean-linked hackers based on the attack vector. Another expert was reminded of the TraderTraitor group, responsible for the $308 million hack of the Japanese exchange DMM Bitcoin.

The main wallet of the Phemex hackers processed at least $44 million. Various blockchain researchers report that at least $16 million in SOL, $12 million in XRP, and $5 million in Bitcoin were stolen. The total damage has now exceeded $70 million.

Phemex still holds about $1.8 billion in crypto assets. The majority of this amount—$1.1 billion—is in the native token PT. The next largest balances are $355 million in Bitcoin and $209 million in USDT.

The platform’s CEO, Federico Variola, announced plans to resume USDT and USDC withdrawals in the coming hours.

Hello all, we estimate to resume USDT and USDC withdrawals in approximately 6 hours from now, securing the hot wallets architecture remains the main priority, thank you for the understanding.
Other services like MemeX will also reprise around that time, and as usual PoR is…

— Federico0x @Phemex (@Federico0x) January 24, 2025

On January 23, Phemex suspended withdrawals after receiving alerts about suspicious activity from several blockchain security firms.

The exchange continues its investigation and is “working on a compensation plan” for those affected.