Phemex Hot Wallet Drain
~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.
- Date: January 23, 2025
- Victim: Phemex
- Status
- Funds Stolen: ~$73M
- Attribution: Suspected Lazarus Group (DPRK)
On January 23, 2025 at 11:30 UTC, Singapore-based exchange Phemex detected unusual outbound activity from its hot wallets. By the time the wallets were drained, approximately $73 million had moved across sixteen different blockchains — making it the first major exchange incident of 2025 and a preview of the year to come.
What happened
The exact compromise vector was never publicly disclosed, but the on-chain pattern was unmistakable: the attacker held simultaneous signing authority over hot wallets on at least 16 chains, including Ethereum, Solana, Bitcoin, Ripple, BNB Chain, Polygon, Avalanche and Optimism — and used it in a coordinated, time-pressured sweep before withdrawals could be paused.
Loss breakdown by chain (selected):
- Solana: ~$17M
- Ripple (XRP): ~$13M
- Ethereum: ~$10M
- Bitcoin: ~$5.3M
- 12 other chains: the remainder
The unified pattern — same operator on multiple chains, hot-wallet-only, immediate cross-chain bridging into mixers — matches TraderTraitor / Lazarus post-compromise TTPs observed at DMM Bitcoin and later at Bybit. Phemex did not publicly attribute the attack, but security analysts noted the resemblance.
Aftermath
- Phemex paused deposits and withdrawals within hours and replenished customer balances from its own reserves.
- All withdrawal services were restored by February 2025.
- Funds were laundered through cross-chain bridges; none have been publicly recovered.
Why it matters
The Phemex incident demonstrated that a single-point compromise of a private-key management system can expose hot wallets on dozens of chains at once. Many exchanges historically stored hot-wallet keys for different chains in the same vault for operational convenience; this incident pushed several competitors to adopt per-chain HSM partitioning and withdrawal velocity limits with auto-suspension as table-stakes hot-wallet hygiene.
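The withdrawal velocity limit with auto-suspension mentioned above, as an added example (not Phemex's or any exchange's code). The class name, thresholds and sample events are assumptions constructed for illustration; a second chain breaching its limit inside the same window is treated as a sign of shared key compromise and halts signing on every chain.

```python
from collections import deque

class HotWalletGuard:
    """Sliding-window outflow limit per chain, with auto-suspension."""
    # Hypothetical policy: the default thresholds are illustrative only.
    def __init__(self, window_s=600, per_chain_usd=500_000, halt_after=2):
        self.window_s = window_s            # look-back window in seconds
        self.per_chain_usd = per_chain_usd  # max outflow per chain per window
        self.halt_after = halt_after        # breaching chains per window => halt all
        self.events = deque()               # authorized (ts, chain, usd), oldest first
        self.suspended = {}                 # chain -> time its signer was paused
        self.global_halt = False

    def authorize(self, ts, chain, usd):
        """Return True if the withdrawal may be signed, False if refused."""
        if self.global_halt or chain in self.suspended:
            return False
        # Drop authorized withdrawals that have aged out of the window.
        while self.events and self.events[0][0] <= ts - self.window_s:
            self.events.popleft()
        spent = sum(v for _, c, v in self.events if c == chain)
        if spent + usd > self.per_chain_usd:
            self.suspended[chain] = ts      # pause this chain until manual review
            recent = [t for t in self.suspended.values() if t > ts - self.window_s]
            # Correlated breaches point at shared key material: stop everywhere.
            if len(recent) >= self.halt_after:
                self.global_halt = True
            return False
        self.events.append((ts, chain, usd))
        return True

# Constructed sample: (seconds, chain, usd). Two routine withdrawals, then a sweep.
SAMPLE = [
    (0,   "ethereum", 40_000),
    (30,  "solana",   25_000),
    (900, "ethereum", 480_000),  # under the limit on its own: signed
    (905, "ethereum", 450_000),  # 930k inside the window: ethereum suspended
    (910, "solana",   600_000),  # second breach in the window: global halt
    (915, "bitcoin",  10_000),   # refused, all signing is halted
]

def replay(events):
    guard = HotWalletGuard()
    decisions = [guard.authorize(*e) for e in events]
    return decisions, guard

if __name__ == "__main__":
    decisions, guard = replay(SAMPLE)
    print(decisions, sorted(guard.suspended), guard.global_halt)
```

A limit like this only bounds the loss if it is enforced in the signing path itself, separate from the system whose compromise it is meant to contain.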
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-phemex-hack-january-2025
- [02] phemex.com: https://phemex.com/announcements/phemex-hot-wallet-security-incident-update-and-timeline
- [03] crypto.news: https://crypto.news/hackers-steal-70m-from-phemex-in-2025s-largest-attack-so-far/