Phemex hack
In January 2025, the Singapore-based exchange Phemex had its hot wallets drained across 16 blockchains, with losses estimated at $73–85M. On-chain investigators (ZachXBT, Arkham) tied it to North Korea's Lazarus Group, later linking it directly to the Bybit and BingX hacks via commingled funds.
Also known as: Phemex, Phemex hack
On attribution: The North Korea / Lazarus attribution comes from on-chain analysts (ZachXBT, Arkham) and security firms based on shared infrastructure and laundering patterns; Phemex did not publicly attribute the attack. Cyber-attribution is rarely 100% certain.
Summary
On January 23, 2025, Phemex — a centralized exchange based in Singapore — suffered an access-control breach that let attackers manually drain its hot wallets across roughly 16 blockchains. Initial estimates of ~$29M rose to $73–85M as more transactions were identified. [1][2]
Tactics and attribution
The attackers swapped freezable assets for non-freezable ones and routed funds through mixers (e.g. Tornado Cash), starting with the most valuable tokens — a pattern security firms associate with North Korea. In February 2025, ZachXBT showed the Phemex theft address commingled funds directly with the $1.4B Bybit hack (and later the BingX hack), tying all three to the Lazarus Group. [2][3]
Bracketed numbers refer to the numbered sources listed below.
Sources (2)
- Hackers steal $85 million worth of cryptocurrency from Phemex — BleepingComputer
- Lazarus Group consolidates Bybit funds into Phemex hacker wallet — Cointelegraph
See also
- CluCoin (CLU). Category: Tokens. A Miami-based crypto token (CLU) that ran a 2021 ICO and pivoted to NFTs and a metaverse game. Founder Austin Michael Taylor ('DNPthree') secretly siphoned ~$1.14M of investor funds into online casinos; he pleaded guilty to wire fraud and was sentenced in 2025 to 27 months.
- Gotbit (crypto market manipulation). Category: Other. A prominent crypto 'market maker' that the U.S. DOJ says ran wash-trading/market-manipulation services (2018–2024) to fake trading volume for token clients (including Saitama and Robo Inu) and win exchange listings. Charged in the FBI's 'Operation Token Mirrors'; founder Aleksei Andriunin pleaded guilty in 2025 and Gotbit forfeited $23M.
- Wolf (WOLF) memecoin
This page was last updated on Jun 8, 2026.