Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/phemexhotwalletaccesscontrolvulnerability.php}} {{Unattributed Sources}} Phemex Logo/HomepagePhemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform suffered a major hack on January 23, 2025, resulting in a $69m+ loss due to a security breach in their hot wallets. Th..."

2025-01-27T20:19:52Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/phemexhotwalletaccesscontrolvulnerability.php}} {{Unattributed Sources}} thumb|Phemex Logo/HomepagePhemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform suffered a major hack on January 23, 2025, resulting in a $69m+ loss due to a security breach in their hot wallets. Th..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/phemexhotwalletaccesscontrolvulnerability.php}}
{{Unattributed Sources}}

[[File:Phemex.jpg|thumb|Phemex Logo/Homepage]]Phemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform suffered a major hack on January 23, 2025, resulting in a $69m+ loss due to a security breach in their hot wallets. The attacker exploited vulnerabilities across 16 different blockchains, draining wallets from Ethereum to Solana, Avalanche, and others. Despite quick responses to suspend withdrawals and reassure users about cold wallet security, the attack revealed serious flaws in Phemex’s multi-chain strategy and access control. PeckShield and Cyvers detected suspicious transfers, but the attack was too swift, with funds being drained across multiple chains simultaneously. The breach exposed the risks of not properly securing hot wallets and highlighted the potential dangers of multi-chain support without robust security measures. The exchange promised a compensation plan but faces significant criticism for its handling of wallet management and multi-chain custody.<ref name="rektnews-17574" /><ref name="phemex-17575" /><ref name="federico0xtwitter-17576" /><ref name="federico0xtwitter-17577" /><ref name="federico0xtwitter-17578" /><ref name="federico0xtwitter-17579" /><ref name="federico0xtwitter-17580" /><ref name="peckshieldtwitter-17581" /><ref name="peckshieldalerttwitter-17582" /><ref name="etherscan-17583" /><ref name="etherscan-17584" /><ref name="etherscan-17585" /><ref name="etherscan-17586" /><ref name="phemexofficialtwitter-17587" /><ref name="hackenclubtwitter-17588" /><ref name="cyversalertstwitter-17589" /><ref name="cryptooadytwitter-17590" /><ref name="theblock-17591" />

== About Phemex ==
Phemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform supports multiple methods for buying crypto, such as P2P trading, bank transfers (SWIFT, ACH, SEPA), and credit/debit cards with low fees. Phemex offers users up to $4,800 in welcome rewards and provides access to over 372 contract pairs and 454 spot pairs, with leverage up to 100x and minimal fees. Additionally, users can earn passive income through Phemex Earn, with up to 18.8% APY on crypto savings and staking options in the Launchpool.

The platform is recognized for its user-friendly experience, and is trusted by prominent individuals and media outlets. It also has partnerships with institutions like Dauphine University for DeFi research. Phemex prioritizes security, transparency, and a smooth trading experience, offering a mobile app for trading on the go.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
Phemex, a crypto exchange, suffered a major hack on January 23, 2025, resulting in over $69 million being drained from its hot wallets across multiple blockchains due to an access control breach.
{| class="wikitable"
|+Key Event Timeline - Phemex Hot Wallet Access Control Vulnerability
!Date
!Event
!Description
|-
|January 23rd, 2025 4:49:47 AM MST
|USDC Withdrawal Transaction
|The USDC withdrawal on ethereum blockchain, the first of many withdrawal transactions from the hot wallet.
|-
|January 23rd, 2025 5:18:00 AM MST
|PeckShield Alert Tweet Posted
|PeckShield posts an alert on Twitter/X about suspicious withdrawals from Phemex.
|-
|January 23rd, 2025 5:52:00 AM MST
|Proof Of Reserves Announcement
|Phemex's CEO Federico Variola rushes to Twitter/X to announce that the cold wallets remain secure. They "can be checked by everyone here" just as long as you already have an account and identify your interest by logging in.
|-
|January 23rd, 2025 6:12:00 AM MST
|Hacken Shares Initial Details
|In a post tweet, Hacken starts sharing an analysis of the attack, with some of the notbale transfers and the exploiter address.
|-
|January 23rd, 2025 11:16:00 AM MST
|Currently Testing Withdrawal System
|The CEO reports that they are currently testing out their withdrawal system. However, due "to the sophistication of the threat actor we cannot rush this stage".
|-
|January 24th, 2025 1:00:00 AM MST
|Withdrawals Resuming Shortly
|The CEO announces that they "estimate to resume USDT and USDC withdrawals in approximately 6 hours from now".
|-
|January 24th, 2025 5:58:00 AM MST
|PeckShield Loss Estimate Published
|PeckShield publishes a list of hacked assets, with a total loss estimate of $69.1m USD.
|-
|January 24th, 2025 6:58:00 AM MST
|Reports Of Progressive Withdrawals
| The CEO reports that the platform is "progressively restoring USDT and USDC withdrawals" and that all requests "will be manually reviewed by [their] security team, so please be patient with the queue time".
|-
|January 26th, 2025 5:52:00 AM MST
|Have Patience For Transactions
|The CEO posts an update that they are "processing all failed txs and have added support for several chains, you can follow up with customer support via live chat if any tx has not been credited yet".
|}

== Technical Details ==
"Early security analysis by Hacken points to an access control breach that handed the attacker complete control over Phemex's hot wallets."

== Total Amount Lost ==
Hacken reports they were "hacked for ~$30M" in an early tweet.

PeckShield reports $69.1m.

$73 million according to Rekt.

The total amount lost has been estimated at $69,089,000 USD.

== Immediate Reactions ==
"PeckShield rang the first alarm bell early on January 23rd, spotting suspicious outflows that would make a bank robber blush.

Within minutes, Cyvers' systems were lighting up like a Christmas tree, detecting over $29 million in suspicious transfers across multiple chains, but this was just the preview.

The protocol's response followed the familiar centralized exchange playbook - suspend withdrawals first, ask questions later.

Phemex's CEO Federico Variola rushed to Twitter with the standard "our cold wallets are safe" reassurance, as if that somehow made the hot wallet massacre any less painful."

"Hello everyone, as we look into a report on one of our cold wallets rest assured our cold wallets remain safe and can be checked by everyone here, will post more updates shortly"

== Ultimate Outcome ==
"Hello all, we are currently carefully testing our system to reprise withdrawals as soon as possible. Due to the sophistication of the threat actor we cannot rush this stage. The estimated timeline to reprise full operations is within 24h, thank you for your support."

"Hello all, we are progressively restoring USDT and USDC withdrawals, all reqs will be manually reviewed by our security team, so please be patient with the queue time. We have also taken a snapshot of all users' balances as of 12pm UTC for a reward for your support and loyalty, more on this soon. BTC withdrawals will be enabled soon, BTC wallets were unaffected"

"Hello all, we are processing all failed txs and have added support for several chains, you can follow up with customer support via live chat if any tx has not been credited yet.
All operations are thoroughly checked by our team, so please be patient, all txs will be credited. Next we will work with several third parties to certify that our systems are secure, thank you all for your support."

== Total Amount Recovered ==
The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-17574">[https://rekt.news/phemex-rekt/ Rekt - Phemex - Rekt] (Accessed Jan 27, 2025)</ref>

<ref name="phemex-17575">[https://phemex.com/ Phemex: Buy, Sell, & Secure Your Crypto | Trade BTC & Derivatives] (Accessed Jan 27, 2025)</ref>

<ref name="federico0xtwitter-17576">[https://twitter.com/Federico0x/status/1882411493280649237 @Federico0x Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="federico0xtwitter-17577">[https://twitter.com/Federico0x/status/1882700089807765668 @Federico0x Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="federico0xtwitter-17578">[https://twitter.com/Federico0x/status/1883498301275980094 @Federico0x Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="federico0xtwitter-17579">[https://twitter.com/Federico0x/status/1882790130743697433 @Federico0x Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="federico0xtwitter-17580">[https://twitter.com/Federico0x/status/1882492744410492947 @Federico0x Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="peckshieldtwitter-17581">[https://twitter.com/peckshield/status/1882402547744534675 @peckshield Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="peckshieldalerttwitter-17582">[https://twitter.com/PeckShieldAlert/status/1882775043148837332 @PeckShieldAlert Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="etherscan-17583">[https://etherscan.io/tx/0xcf345cddde4286f7e2d37e9783f5e8c33f47a125a23370423596f92f3b884b62 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Jan 27, 2025)</ref>

<ref name="etherscan-17584">[https://etherscan.io/tokentxns?a=0x5b34414e95a8b8d0b16a39baf5b97cec1d517e22&ps=100&p=4 Token Transfer | Etherscan] (Accessed Jan 27, 2025)</ref>

<ref name="etherscan-17585">[https://etherscan.io/tokentxns?a=0x50be13b54f3eebbe415d20250598d81280e56772 Token Transfer | Etherscan] (Accessed Jan 27, 2025)</ref>

<ref name="etherscan-17586">[https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772 Phemex
(0x50be13b54f3eebbe415d20250598d81280e56772) | Address 0x50be13b54f3eebbe415d20250598d81280e56772 | Etherscan] (Accessed Jan 27, 2025)</ref>

<ref name="phemexofficialtwitter-17587">[https://twitter.com/Phemex_official @Phemex_official Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="hackenclubtwitter-17588">[https://twitter.com/hackenclub/status/1882416222274556415 @hackenclub Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="cyversalertstwitter-17589">[https://twitter.com/CyversAlerts/status/1882407857447997803 @CyversAlerts Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="cryptooadytwitter-17590">[https://twitter.com/CryptooAdy/status/1882754717530607909 @CryptooAdy Twitter] (Accessed Jan 27, 2025)</ref>

<ref name="theblock-17591">[https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say] (Accessed Jan 27, 2025)</ref></references>

Phemex Hot Wallet Access Control Vulnerability - Revision history