Stolen Millions from Phemex Redirected to New Addresses

On February 19th, a portion of the funds stolen during the January breach of the Singapore-based cryptocurrency exchange Phemex was moved. Analysts at Global Ledger noted this activity.

More than 2080 ETH (~$6 million) were transferred to 14 new addresses. Less than 4000 ETH remain in the main Ethereum wallet associated with the attack.

Experts pointed to a complex series of transactions and interactions with numerous platforms and protocols, suggesting the cybercriminals possess significant blockchain expertise.

Notably, one recently created wallet received 601.34 ETH through five separate transfers before the funds were consolidated at another new address via the Across Protocol cross-chain bridge. They were then further obfuscated when sent to a second address of the service.

In addition to direct transfers to mixers like Tornado Cash and eXch for anonymizing funds, the hackers utilized the Wintermute platform, DLN Trade, and THORChain protocols for asset exchanges.

Some funds reached custodial platforms, including OKX and CoinEx, but most movements were conducted using on-chain tools such as cross-chain services Bitget and the ChangeNOW wallet.

According to Global Ledger, prior to this series of transactions, the hackers had been transferring stolen assets over the past few weeks, including the liquidation of 50 BTC and 4 million XRP.

Currently, Phemex has resumed trading activities and warned clients against using old deposit addresses. CEO Federico Variola stated that part of the exchange’s funds will be moved to cold storage as part of a “comprehensive security update.”

Back in January, analysts at Cyvers Alerts identified “multiple suspicious transactions” involving Phemex’s hot wallets. It was later revealed that the attack included more than 275 transactions using EVM chains alone.

The latest estimates put the damage at $85 million. Experts suggested the involvement of hackers linked to North Korea in the incident.