{"id":21336,"date":"2025-02-20T11:57:45","date_gmt":"2025-02-20T09:57:45","guid":{"rendered":"https:\/\/forklog.com\/en\/stolen-millions-from-phemex-redirected-to-new-addresses\/"},"modified":"2025-02-20T11:57:45","modified_gmt":"2025-02-20T09:57:45","slug":"stolen-millions-from-phemex-redirected-to-new-addresses","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/stolen-millions-from-phemex-redirected-to-new-addresses\/","title":{"rendered":"Stolen Millions from Phemex Redirected to New Addresses"},"content":{"rendered":"<p>On February 19th, a portion of the funds stolen during the January breach of the Singapore-based cryptocurrency exchange Phemex was moved. Analysts at <a href=\"https:\/\/docs.google.com\/presentation\/d\/1srLATBma37rNnwIQfIo3yE6SwNvjvm12RsgTrbwte4E\/edit#slide=id.g337a0343797_0_0\">Global Ledger<\/a> noted this activity.<\/p>\n<p>More than 2080 ETH (~$6 million) were transferred to 14 new addresses. Less than 4000 ETH remain in the <a href=\"https:\/\/etherscan.io\/address\/0x140dea3b704d724ddff41597b35a10ce0189661f\">main Ethereum wallet<\/a> associated with the attack.<\/p>\n<p>Experts pointed to a complex series of transactions and interactions with numerous platforms and protocols, suggesting the cybercriminals possess significant blockchain expertise.<\/p>\n<p>Notably, one recently created wallet received 601.34 ETH through five separate transfers before the funds were consolidated at another new address via the Across Protocol cross-chain bridge. They were then further obfuscated when sent to a second address of the service.<\/p>\n<p>In addition to direct transfers to mixers like Tornado Cash and eXch for anonymizing funds, the hackers utilized the Wintermute platform, DLN Trade, and THORChain protocols for asset exchanges.<\/p>\n<p>Some funds reached custodial platforms, including <a href=\"https:\/\/www.blockchain.com\/ru\/explorer\/addresses\/btc\/bc1qe997gqzmslhr93322vfcuqzj6varm8ddnmhcnp3fmfaqkl2tkenqnql70v\">OKX<\/a> and CoinEx, but most movements were conducted using on-chain tools such as <a href=\"https:\/\/arbiscan.io\/address\/0x11235534a66a33c366b84933d5202c841539d1c9\">cross-chain services<\/a> Bitget and the ChangeNOW wallet.<\/p>\n<p>According to Global Ledger, prior to this series of transactions, the hackers had been transferring stolen assets over the past few weeks, including the liquidation of <a href=\"https:\/\/www.blockchain.com\/explorer\/addresses\/btc\/bc1q7v5se5aq37g3lw8ccgre2laktpt6qrjvxqcz4p\">50 BTC<\/a> and <a href=\"https:\/\/xrpscan.com\/tx\/2B04881718F8E3979C252CB38F2335FCF4A606AEF7A7705DFA7280EF46541A85\">4 million XRP<\/a>.<\/p>\n<p>Currently, Phemex has resumed trading activities and warned clients against using old deposit addresses. CEO Federico Variola stated that part of the exchange&#8217;s funds will be moved to cold storage as part of a &#8220;comprehensive security update.&#8221;<\/p>\n<p>Back in January, analysts at Cyvers Alerts <a href=\"https:\/\/forklog.com\/en\/news\/suspicious-37-million-crypto-withdrawal-detected-from-phemex-exchange\">identified<\/a> &#8220;multiple suspicious transactions&#8221; involving Phemex&#8217;s hot wallets. It was later revealed that the attack included more than 275 transactions using EVM chains alone.<\/p>\n<p>The latest estimates put the damage at $85 million. Experts <a href=\"https:\/\/forklog.com\/en\/news\/phemex-exchange-hack-losses-exceed-70-million-north-korean-hackers-suspected\">suggested<\/a> the involvement of hackers linked to North Korea in the incident.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On February 19th, a portion of the funds stolen during the January breach of the Singapore-based cryptocurrency exchange Phemex was moved. Analysts at Global Ledger noted this activity. More than 2080 ETH (~$6 million) were transferred to 14 new addresses. Less than 4000 ETH remain in the main Ethereum wallet associated with the attack. Experts [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":21335,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1166,44,1742,1314],"class_list":["post-21336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-centralized-exchanges-cex","tag-cybercrime","tag-phemex","tag-tornado-cash"],"aioseo_notices":[],"amp_enabled":true,"views":"29","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=21336"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/21336\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/21335"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=21336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=21336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=21336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}