
Researchers Uncover Mysterious $37 Million Cryptocurrency Withdrawal from Phemex

Cyvers Alerts flagged peculiar financial activity implicating Phemex's hot wallets, involving multiple questionable transactions.


In a significant cybersecurity incident, cryptocurrency exchange Phemex experienced a major breach in January 2025, resulting in the theft of over $85 million from its hot wallets across multiple blockchains.

Key details of the incident reveal that the attack was facilitated by malware distributed via a compromised browser plugin named AdsPower. This malware stole mnemonic phrases and private keys from users, granting full access to wallets. Five wallets were compromised during this breach.

The stolen funds spanned various blockchains, although specific blockchains involved were not individually itemized by Phemex. Major assets such as Bitcoin, Ethereum, Solana, Dogecoin, and Shiba Inu have been noted in similar hot wallet hacks around this period.

In response to the breach, Phemex suspended deposits and withdrawals, cooperated with third-party security experts and law enforcement, and has since implemented more secure systems while gradually restoring withdrawal functionality. The attack is described as "sophisticated," and large-scale breaches like this in 2025 have often been linked to North Korean hacking groups, though Phemex did not specify the perpetrators.

As a result of the incident, digital assets worth more than $29 million were transferred to questionable addresses on BNB Chain, Ethereum, Optimism, Polygon, Base, and Arbitrum. Phemex is currently conducting an emergency inspection and strengthening wallet services to prevent further losses.

Phemex aims to provide a trustworthy and user-friendly trading platform and has apologised for the inconvenience and disruption caused by the breach. The exchange is also working on a compensation plan to be announced soon. It is worth noting that funds stored in Phemex's cold wallets remain secure.

This incident underscores the importance of off-chain security measures, particularly in the context of compromised browser plugins. It reinforces the need for cold storage and multi-signature wallets for large crypto holdings.

As of July 2025, no further updates indicate recovery of stolen funds or definitive identification of attackers. The incident has not been officially confirmed by Phemex as of the time of this report. Users are encouraged to monitor their accounts and take necessary precautions to secure their digital assets.

  1. The stolen cryptocurrencies, including Bitcoin and Ethereum, were transferred to questionable addresses on various blockchains such as BNB Chain, Ethereum, Optimism, Polygon, Base, and Arbitrum.
  2. The cybersecurity incident involving Phemex in January 2025, where over $85 million was stolen from its hot wallets, has been linked to large-scale breaches often attributed to North Korean hacking groups.
  3. In the aftermath of the breach, Phemex is working on a compensation plan and reinforcing its wallet services to prevent further losses, emphasizing the importance of cold storage and multi-signature wallets for secure large crypto holdings.
