Phemex Hot Wallet Access Control Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Phemex Logo/Homepage

Phemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform suffered a major hack on January 23, 2025, losing more than $69m from its hot wallets after an access control breach. Having gained control of the hot wallets, the attacker drained them on 16 different blockchains, from Ethereum to Solana, Avalanche, and others. Phemex responded quickly by suspending withdrawals and reassuring users that its cold wallets were secure, but the attack revealed serious flaws in the exchange's multi-chain strategy and access control. PeckShield and Cyvers flagged the suspicious transfers within minutes, yet by then funds were already being drained across multiple chains simultaneously. The breach exposed the risks of inadequately secured hot wallets and of multi-chain support without robust security measures. The exchange promised a compensation plan but faces significant criticism for its handling of wallet management and multi-chain custody.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About Phemex

Phemex is a crypto trading platform offering a variety of services to users, including spot trading, contract trading, and margin trading. The platform supports multiple methods for buying crypto, such as P2P trading, bank transfers (SWIFT, ACH, SEPA), and credit/debit cards with low fees. Phemex offers users up to $4,800 in welcome rewards and provides access to over 372 contract pairs and 454 spot pairs, with leverage up to 100x and minimal fees. Additionally, users can earn passive income through Phemex Earn, with up to 18.8% APY on crypto savings and staking options in the Launchpool.

The platform is recognized for its user-friendly experience, and is trusted by prominent individuals and media outlets. It also has partnerships with institutions like Dauphine University for DeFi research. Phemex prioritizes security, transparency, and a smooth trading experience, offering a mobile app for trading on the go.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Phemex, a crypto exchange, suffered a major hack on January 23, 2025, resulting in over $69 million being drained from its hot wallets across multiple blockchains due to an access control breach.

Key Event Timeline - Phemex Hot Wallet Access Control Vulnerability

  • January 23rd, 2025, 4:49:47 AM MST - USDC Withdrawal Transaction: A USDC withdrawal on the Ethereum blockchain, the first of many withdrawal transactions from the hot wallet.
  • January 23rd, 2025, 5:18:00 AM MST - PeckShield Alert Tweet Posted: PeckShield posts an alert on Twitter/X about suspicious withdrawals from Phemex.
  • January 23rd, 2025, 5:52:00 AM MST - Proof Of Reserves Announcement: Phemex's CEO Federico Variola rushes to Twitter/X to announce that the cold wallets remain secure and "can be checked by everyone here", although the linked check requires logging into a Phemex account.
  • January 23rd, 2025, 6:12:00 AM MST - Hacken Shares Initial Details: In a tweet, Hacken starts sharing an analysis of the attack, including some of the notable transfers and the exploiter address.
  • January 23rd, 2025, 11:16:00 AM MST - Currently Testing Withdrawal System: The CEO reports that they are testing their withdrawal system, but that due "to the sophistication of the threat actor we cannot rush this stage".
  • January 24th, 2025, 1:00:00 AM MST - Withdrawals Resuming Shortly: The CEO announces that they "estimate to resume USDT and USDC withdrawals in approximately 6 hours from now".
  • January 24th, 2025, 5:58:00 AM MST - PeckShield Loss Estimate Published: PeckShield publishes a list of hacked assets, with a total loss estimate of $69.1m USD.
  • January 24th, 2025, 6:58:00 AM MST - Reports Of Progressive Withdrawals: The CEO reports that the platform is "progressively restoring USDT and USDC withdrawals" and that all requests "will be manually reviewed by [their] security team, so please be patient with the queue time".
  • January 26th, 2025, 5:52:00 AM MST - Have Patience For Transactions: The CEO posts an update that they are "processing all failed txs and have added support for several chains, you can follow up with customer support via live chat if any tx has not been credited yet".

Technical Details

"Early security analysis by Hacken points to an access control breach that handed the attacker complete control over Phemex's hot wallets."

Total Amount Lost

Hacken reports they were "hacked for ~$30M" in an early tweet.

PeckShield reports $69.1m.

$73 million according to Rekt.

The total amount lost has been estimated at $69,089,000 USD.

Immediate Reactions

"PeckShield rang the first alarm bell early on January 23rd, spotting suspicious outflows that would make a bank robber blush.

Within minutes, Cyvers' systems were lighting up like a Christmas tree, detecting over $29 million in suspicious transfers across multiple chains, but this was just the preview.

The protocol's response followed the familiar centralized exchange playbook - suspend withdrawals first, ask questions later.

Phemex's CEO Federico Variola rushed to Twitter with the standard "our cold wallets are safe" reassurance, as if that somehow made the hot wallet massacre any less painful."

"Hello everyone, as we look into a report on one of our cold wallets rest assured our cold wallets remain safe and can be checked by everyone here, will post more updates shortly"
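
The timeline above has the first hot wallet withdrawal at 4:49:47 AM MST and the first public alert at 5:18 AM MST, roughly 28 minutes later, by which point transfers were already running on several chains. As an added example, not code from the original page, Phemex, PeckShield, Cyvers or Hacken, the following Python monitor shows the kind of outflow check a custodian can run against its own transfer feed to catch that pattern on the first over-limit transaction: per-wallet withdrawal velocity, plus the cross-chain simultaneity that distinguishes a custody compromise from a single-chain contract or bridge bug. Every wallet label, address, amount, timestamp and threshold is constructed for illustration.

```python
"""Hot-wallet outflow monitor.

Added example for this case study; not code from Phemex, PeckShield, Cyvers
or Hacken. Every wallet label, address, amount, timestamp and threshold below
is constructed for illustration (assumption, not data from the incident).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime      # block timestamp, assumed already normalised to UTC
    chain: str        # chain the transfer was observed on
    token: str
    usd_value: float  # assumed priced upstream by the indexer
    src: str
    dst: str


@dataclass
class Alert:
    kind: str            # "velocity" (one wallet) or "multichain" (whole pool)
    wallet: str
    window_start: datetime
    detail: str


# Constructed: the exchange's hot wallet labels, one per chain.
HOT_WALLETS = {"0xHOT-eth", "solHOT-sol", "0xHOT-avax"}


def ts_utc(minute: int, second: int = 0) -> datetime:
    """Constructed timestamps on 2025-01-23 at 11:xx UTC (4:xx AM MST)."""
    return datetime(2025, 1, 23, 11, minute, second)


# Constructed feed: routine user withdrawals and one deposit, followed by a
# burst of large withdrawals from several hot wallets to unknown addresses.
SAMPLE_TRANSFERS = [
    Transfer(ts_utc(5), "ethereum", "USDT", 12_000, "0xHOT-eth", "0xuser1"),
    Transfer(ts_utc(10), "ethereum", "USDC", 20_000, "0xuser4", "0xHOT-eth"),  # deposit, not an outflow
    Transfer(ts_utc(20), "ethereum", "ETH", 45_000, "0xHOT-eth", "0xuser2"),
    Transfer(ts_utc(35), "solana", "SOL", 9_000, "solHOT-sol", "soluser3"),
    Transfer(ts_utc(49, 47), "ethereum", "USDC", 3_000_000, "0xHOT-eth", "0xattacker"),
    Transfer(ts_utc(50, 30), "ethereum", "USDT", 2_500_000, "0xHOT-eth", "0xattacker"),
    Transfer(ts_utc(51, 10), "solana", "USDC", 1_500_000, "solHOT-sol", "solattacker"),
    Transfer(ts_utc(52, 5), "avalanche", "USDC", 800_000, "0xHOT-avax", "0xattacker"),
    Transfer(ts_utc(53), "ethereum", "ETH", 4_000_000, "0xHOT-eth", "0xattacker"),
]


def detect_drain(transfers, window=timedelta(minutes=10),
                 usd_limit=1_000_000.0, chain_limit=3):
    """Return alerts for two patterns over a sliding time window.

    velocity:   one hot wallet's outflow within `window` exceeds `usd_limit`.
    multichain: outflows from the hot-wallet pool reach `chain_limit` distinct
                chains within `window`.
    Each rule fires once per wallet (or once for the pool) to avoid alert storms.
    """
    outflows = sorted((t for t in transfers if t.src in HOT_WALLETS),
                      key=lambda t: t.ts)
    alerts, fired = [], set()

    # Rule 1: per-wallet USD velocity. The deque holds only transfers inside
    # the window ending at the current transfer.
    recent_by_wallet = defaultdict(deque)
    for t in outflows:
        q = recent_by_wallet[t.src]
        q.append(t)
        while q[0].ts < t.ts - window:
            q.popleft()
        total = sum(x.usd_value for x in q)
        if total > usd_limit and (t.src, "velocity") not in fired:
            fired.add((t.src, "velocity"))
            alerts.append(Alert("velocity", t.src, q[0].ts,
                                f"${total:,.0f} out in {len(q)} tx within {window}"))

    # Rule 2: cross-chain simultaneity across the whole hot-wallet pool.
    recent = deque()
    for t in outflows:
        recent.append(t)
        while recent[0].ts < t.ts - window:
            recent.popleft()
        chains = {x.chain for x in recent}
        if len(chains) >= chain_limit and ("pool", "multichain") not in fired:
            fired.add(("pool", "multichain"))
            alerts.append(Alert("multichain", "pool", recent[0].ts,
                                f"outflows on {sorted(chains)} within {window}"))
    return alerts


if __name__ == "__main__":
    for a in detect_drain(SAMPLE_TRANSFERS):
        print(a.kind, a.wallet, a.window_start.time(), a.detail)
```

On the constructed feed the monitor fires on the very first $3m withdrawal and again once a third chain shows outflows, while the routine traffic earlier in the feed produces nothing. The thresholds are placeholders that have to be tuned to the exchange's real withdrawal volume, and an alert is only useful if something can act on it, such as pausing the signer or requiring a second approval for the queued withdrawals, before the remaining balances leave.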

Ultimate Outcome

"Hello all, we are currently carefully testing our system to reprise withdrawals as soon as possible. Due to the sophistication of the threat actor we cannot rush this stage. The estimated timeline to reprise full operations is within 24h, thank you for your support."

"Hello all, we are progressively restoring USDT and USDC withdrawals, all reqs will be manually reviewed by our security team, so please be patient with the queue time. We have also taken a snapshot of all users' balances as of 12pm UTC for a reward for your support and loyalty, more on this soon. BTC withdrawals will be enabled soon, BTC wallets were unaffected"

"Hello all, we are processing all failed txs and have added support for several chains, you can follow up with customer support via live chat if any tx has not been credited yet. All operations are thoroughly checked by our team, so please be patient, all txs will be credited. Next we will work with several third parties to certify that our systems are secure, thank you all for your support."

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Phemex - Rekt (Accessed Jan 27, 2025)
  2. Phemex: Buy, Sell, & Secure Your Crypto | Trade BTC & Derivatives (Accessed Jan 27, 2025)
  3. @Federico0x Twitter (Accessed Jan 27, 2025)
  4. @Federico0x Twitter (Accessed Jan 27, 2025)
  5. @Federico0x Twitter (Accessed Jan 27, 2025)
  6. @Federico0x Twitter (Accessed Jan 27, 2025)
  7. @Federico0x Twitter (Accessed Jan 27, 2025)
  8. @peckshield Twitter (Accessed Jan 27, 2025)
  9. @PeckShieldAlert Twitter (Accessed Jan 27, 2025)
  10. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jan 27, 2025)
  11. Token Transfer | Etherscan (Accessed Jan 27, 2025)
  12. Token Transfer | Etherscan (Accessed Jan 27, 2025)
  13. Phemex (0x50be13b54f3eebbe415d20250598d81280e56772) | Address 0x50be13b54f3eebbe415d20250598d81280e56772 | Etherscan - https://etherscan.io/address/0x50be13b54f3eebbe415d20250598d81280e56772 (Accessed Jan 27, 2025)
  14. @Phemex_official Twitter (Accessed Jan 27, 2025)
  15. @hackenclub Twitter (Accessed Jan 27, 2025)
  16. @CyversAlerts Twitter (Accessed Jan 27, 2025)
  17. @CryptooAdy Twitter (Accessed Jan 27, 2025)
  18. North Korea hack group possibly behind $70 million Phemex exploit, experts say | The Block - https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say (Accessed Jan 27, 2025)