Phemex Hackers Start Moving Stolen Funds

After the Phemex exchange hack that resulted in the theft of over $70 million, hackers have begun moving the funds through complex protocols to cover their tracks. Using cross-chain bridges, coin mixing platforms, and withdrawals through centralized exchanges, the hackers are running a sophisticated money laundering scheme to avoid being tracked by investigative agencies.

2/21/2025

Event Summary

On January 23, 2025, the Singapore-based cryptocurrency exchange Phemex was hacked, resulting in losses of over $70 million. Hackers withdrew a variety of assets from multiple blockchains and converted them into each blockchain’s native tokens, starting with stablecoins, which could be frozen, before moving on to other currencies.

The asset transfer process was carried out in multiple complex steps using different protocols. For example, a new wallet received 601.34 ETH from five separate transactions, then merged the funds and sent them through the Across Protocol cross-chain bridge before transferring them on to other addresses. Additionally, the hackers used coin mixing platforms such as Tornado Cash and eXch, along with protocols such as Wintermute, DLN Trade, and THORChain to transfer the assets, making them more difficult to trace.

Some of the stolen funds have been transferred to exchanges like OKX and CoinEx, suggesting that the hackers are likely trying to cash out. However, the majority of the assets are still being moved through on-chain tools like Bitget’s bridge service and the ChangeNOW wallet.

Data: Arkham Intelligence

On February 19, 2025, the hackers involved in the Phemex exchange attack began moving the stolen cryptocurrency, using sophisticated methods to hide their tracks. According to security firm Global Ledger, more than 2,080 ETH (equivalent to about $6 million) was transferred to 14 new wallets, reducing the balance of the main wallet to less than 3,600 ETH.

Previously, on January 23, 2025, Phemex, a Singapore-based exchange, was hacked, resulting in losses of over $70 million. Hackers withdrew a variety of assets from multiple blockchains and converted them into each blockchain’s native tokens, starting with stablecoins, which could be frozen, before moving on to other currencies.

The asset transfer process was carried out in multiple complex steps using different protocols. For example, a new wallet received 601.34 ETH from five separate transactions, then merged the funds and sent them through the Across Protocol cross-chain bridge before moving them on to other addresses. Additionally, the hackers used coin mixing platforms such as Tornado Cash and eXch, along with protocols such as Wintermute, DLN Trade, and THORChain to transfer the assets, making them more difficult to trace.


While the February 19 transfer represents only a fraction of the $85 million stolen from Phemex, the hackers have been steadily withdrawing funds over the past several weeks rather than making a single large transaction. They previously withdrew 50 BTC and 4 million XRP from the exchange, in addition to the ETH already mentioned.

Blockchain security companies are closely monitoring these transactions and working with major exchanges to identify the hackers. However, with increasingly sophisticated money laundering tactics, the investigation process can be lengthy and challenging.

According to Global Ledger, at least 32,210 ETH has been sent to Tornado Cash since the beginning of 2025, of which about 40% (equivalent to $36.6 million) was related to hacks. Although Tornado Cash was sanctioned by the US government in 2023, the US Court of Appeals for the Federal Circuit recently overturned the sanction, holding that Tornado Cash's smart contracts are not the property of a foreign government or organization and therefore cannot be sanctioned under the International Emergency Economic Powers Act.