Phemex Exchange $73.54 Million Exploit - Post-Mortem
Overview
Phemex, a centralized cryptocurrency exchange, suffered a catastrophic security breach on January 23-24, 2025, resulting in the theft of approximately $73.54 million across nearly 30 blockchain networks.
What Happened
An attacker gained unauthorized access to Phemex's hot wallets and drained their holdings on many chains at the same time. As security researchers noted, the incident unfolded like a "synchronized swimming routine choreographed by hackers," with the attacker emptying hot wallets on Ethereum, Solana, XRP, Bitcoin, BSC, Sui, Base, Tron, Litecoin, Avalanche, Arbitrum, Polkadot, Stellar, Polygon, Optimism, ZkSync Era, Dogecoin, Cardano, Hedera, Algorand, TON, Filecoin, XDC, Zcash, Cosmos, Ethereum Classic, Bitcoin Cash, Tezos, and Dash.
Technical Root Cause
The exploit stemmed from an access control failure in Phemex's hot wallet infrastructure. According to Hacken's analysis, "an access control breach that handed the attacker complete control over Phemex's hot wallets" enabled the compromise.
The fundamental issue: Phemex reused identical hot-wallet addresses across multiple blockchain networks, and all of those wallets sat behind one access control system. On EVM-compatible chains an identical address means the same private key, so whoever controls that key controls the wallet on every such chain at once. A single compromised key-management or signing path therefore became a single point of failure for the whole multi-chain estate: nothing per chain (a separate key, a separate approval policy, a separate outflow limit) stood in the attacker's way.
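The following is an added illustration, not Phemex code: it models the difference between one signing key shared by every chain's hot wallet and per-chain keys with a per-chain hourly outflow cap. Chain signatures are stood in for by HMAC tags, the seed, chain names and dollar limits are constructed for the demo, and the hypothetical derive_chain_key, HotWalletGuard and simulate_compromise names are mine. The point it makes: with a shared key, stealing one wallet's key drains every chain, and only the velocity cap bounds the loss; with isolated keys the same theft is confined to one chain.

```python
"""Per-chain key isolation and velocity limits for exchange hot wallets.

Added example. HMAC stands in for real chain signatures; the seed and limits
below are constructed for the demo, not taken from any production system.
"""
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed demo seed. A real deployment keeps this inside an HSM or MPC
# cluster and never exposes it to the withdrawal service.
MASTER_SEED = b"constructed-demo-seed-do-not-use"


def derive_chain_key(seed: bytes, chain: str) -> bytes:
    """Derive an independent signing key per chain (HMAC-SHA512, in the spirit
    of a BIP32 hardened child). Knowing one chain's key tells you nothing
    about the others; only the seed does, which is why the seed stays offline."""
    return hmac.new(seed, b"hot-wallet/v1/" + chain.encode(), hashlib.sha512).digest()[:32]


def sign(key: bytes, chain: str, dest: str, amount_usd: int) -> bytes:
    """Stand-in for a chain signature: HMAC-SHA256 over the canonical withdrawal."""
    msg = f"{chain}|{dest}|{amount_usd}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HotWalletGuard:
    """Chain-side verifier plus a rolling one-hour outflow cap per chain.

    shared_key=True reproduces the flawed design (one key authorises
    withdrawals on every chain); shared_key=False gives each chain its own key.
    """

    def __init__(self, chains, hourly_cap_usd, shared_key=False):
        self.keys = {
            c: derive_chain_key(MASTER_SEED, "shared" if shared_key else c) for c in chains
        }
        self.cap = hourly_cap_usd
        self.spent = defaultdict(deque)  # chain -> deque of (timestamp, amount)

    def withdraw(self, chain, dest, amount, sig, now) -> bool:
        """Accept the withdrawal only if the signature matches this chain's key
        and the chain's trailing-hour outflow stays under the cap."""
        expected = sign(self.keys[chain], chain, dest, amount)
        if not hmac.compare_digest(expected, sig):
            return False
        window = self.spent[chain]
        while window and now - window[0][0] >= 3600:
            window.popleft()  # drop outflows older than one hour
        if sum(a for _, a in window) + amount > self.cap:
            return False
        window.append((now, amount))
        return True


def simulate_compromise(shared_key: bool, hourly_cap_usd: int, stolen_chain="ethereum") -> int:
    """Attacker holds one wallet's key and fires ten $2M withdrawals at every
    chain within the same minute. Returns the total USD that got through."""
    chains = ["ethereum", "solana", "xrp", "bitcoin"]
    guard = HotWalletGuard(chains, hourly_cap_usd, shared_key=shared_key)
    stolen = guard.keys[stolen_chain]
    loss = 0
    for chain in chains:
        for i in range(10):
            amount = 2_000_000
            sig = sign(stolen, chain, "attacker-destination", amount)
            if guard.withdraw(chain, "attacker-destination", amount, sig, now=1_700_000_000 + i):
                loss += amount
    return loss


if __name__ == "__main__":
    for shared in (True, False):
        for cap in (5_000_000, 100_000_000):
            print(f"shared_key={shared} cap=${cap:,}: loss ${simulate_compromise(shared, cap):,}")
```

With a $5M hourly cap the shared-key design still loses $4M on each of the four chains ($16M), while per-chain keys confine the same theft to $4M on Ethereum; remove the cap and the shared-key loss is simply every wallet's balance. Neither control replaces fixing the access control path, but together they turn a total drain into a bounded one.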
Attack Vector
The attacker employed a multi-pronged approach:
• Simultaneous exploitation across nearly 30 chains within minutes of each other
• Methodical token prioritization: assets that no issuer can freeze were moved before those that can (centrally issued stablecoins, for example, can be frozen on request)
• Manual execution rather than automated scripts, suggesting a hands-on operator with sophisticated operational security
• Rapid movement of the proceeds to secondary addresses, complicating fund recovery
Thefts occurred between January 23 at 10:03 AM UTC and January 24 at 6:49 PM UTC.
Financial Impact
| Chain | Loss (USD) | Note |
|---|---|---|
| Ethereum | $17,449,663 | Largest single loss |
| Solana | $14,542,375 | Second largest |
| XRP | $11,438,331 | Third largest |
| Bitcoin | $5,068,305 | |
| Dogecoin | $3,633,968 | |
| BSC | $2,880,371 | |
| Sui | $2,452,725 | |
| Base | $2,420,000 | |
| Hedera | $2,073,385 | |
| Cardano | $1,965,385 | |
| Remaining chains combined | $9,615,789 | Computed as the total minus the chains listed above |
| Total | $73,540,297 | All affected chains |
Key Transaction Data
Ethereum
• Phemex Hot Wallet: 0x50be13b54f3eebbe415d20250598d81280e56772
• Attacker Address: 0x5B34414e95a8b8D0B16a39BAf5b97CEc1d517E22
• Theft Time: 1/23/2025 11:49 AM UTC
Solana
• Phemex Hot Wallet: EWSHJzKpzjpwz9GuNKkXWMHXAiwtB7obSGhdFKu5QZku
• Attacker Address: 3q38w9HpZcVGrKp43WSJa6KQpEfSDSoAyaebuARwbU8B
• Theft Time: 1/23/2025 11:48 AM UTC
(Transaction hashes for every affected chain are documented in the source article.)
Remediation & Response
Exchange Actions:
• Suspended withdrawals immediately upon detection
• Announced that a compensation plan would follow "soon" (details not finalized at publication)
• Reassured users that cold storage wallets were unaffected
Detection Timeline:
• PeckShield first flagged suspicious outflows on January 23
• Cyvers flagged more than $29 million in transfers within minutes of the first outflows
• Hacken's early warning identified the access control breach as the cause
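The outflow pattern above (the Solana and Ethereum hot wallets emptied one minute apart to never-before-seen destinations, with other chains following within minutes) is exactly what an exchange-side monitor should catch before a third party does. The following is an added example, not Phemex's or any monitoring vendor's code: a sliding-window detector over a hot-wallet outflow feed that alerts when the window's total exceeds a dollar threshold or when several chains pay out to first-seen destinations. The event feed, the known-destination set and the thresholds are constructed for the demo, and the destination labels are placeholders rather than the incident's real addresses.

```python
"""Cross-chain correlated outflow detector for exchange hot wallets.

Added example; the feed below is constructed to resemble the drain pattern
described in the post-mortem and is not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed outflow feed: (UTC timestamp, chain, destination, USD value).
# Destination labels are placeholders, not the real addresses from the incident.
EVENTS = [
    ("2025-01-23 09:15:00", "ethereum", "user-eth-1",   120_000),
    ("2025-01-23 10:40:00", "solana",   "user-sol-7",    45_000),
    ("2025-01-23 11:48:00", "solana",   "attacker-sol", 14_542_375),
    ("2025-01-23 11:49:00", "ethereum", "attacker-eth", 17_449_663),
    ("2025-01-23 11:49:30", "xrp",      "attacker-xrp", 11_438_331),
    ("2025-01-23 11:50:10", "bitcoin",  "attacker-btc",  5_068_305),
    ("2025-01-23 11:51:00", "bsc",      "attacker-eth",  2_880_371),  # same EVM address reused
]

# Destinations that have previously passed withdrawal review (constructed).
KNOWN_DESTINATIONS = {"user-eth-1", "user-sol-7"}


def detect_coordinated_drain(events, known_dests, window_minutes=5,
                             min_chains=3, usd_threshold=10_000_000):
    """Slide a time window over hot-wallet outflows and raise an alert when
    (a) the window's total outflow reaches usd_threshold, or
    (b) at least min_chains distinct chains paid a never-before-seen
        destination inside the window.
    Returns a list of (timestamp, reasons, chains_with_new_dest, window_total_usd),
    one entry per event that met a condition."""
    window = timedelta(minutes=window_minutes)
    seen = set(known_dests)   # destinations observed so far, in feed order
    recent = []               # events still inside the window
    alerts = []
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), chain, dest, usd)
        for ts, chain, dest, usd in events
    )
    for ts, chain, dest, usd in parsed:
        first_seen = dest not in seen
        seen.add(dest)
        recent.append((ts, chain, dest, usd, first_seen))
        recent = [e for e in recent if ts - e[0] <= window]
        new_dest_chains = sorted({e[1] for e in recent if e[4]})
        total = sum(e[3] for e in recent)
        reasons = []
        if total >= usd_threshold:
            reasons.append("usd_over_threshold")
        if len(new_dest_chains) >= min_chains:
            reasons.append("multi_chain_new_dest")
        if reasons:
            alerts.append((ts, reasons, new_dest_chains, total))
    return alerts


if __name__ == "__main__":
    for ts, reasons, chains, total in detect_coordinated_drain(EVENTS, KNOWN_DESTINATIONS):
        print(f"{ts:%H:%M:%S} ${total:>12,} {','.join(reasons):40} chains={chains}")
```

On the constructed feed the first alert fires at 11:48:00 on the dollar threshold alone (one $14.5M payout to a first-seen address), and the multi-chain rule trips at 11:49:30 once Solana, Ethereum and XRP have all paid new destinations within the same five minutes. The two rules are deliberately independent: the dollar rule catches a single large drain, the chain-count rule catches a low-and-slow drain spread across many chains, and an alert from either should be wired to an automatic withdrawal halt rather than a dashboard.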
Fund Recovery Status
No recovery has been confirmed. The attacker systematically moved the stolen assets to secondary addresses on each chain, complicating tracing. Blockchain analysis firms tracked the movements, but recovery prospects appear limited given how quickly the funds were dispersed across so many networks.
Critical Takeaway
The incident exposed a fundamental flaw in Phemex's multi-chain strategy: "when every chain becomes a potential point of failure, is multi-chain support really a feature - or just over a dozen ways to get rekt?" Reusing identical wallet addresses across disparate blockchains created cascading vulnerabilities where a single compromised access control system compromised the entire infrastructure.