Phemex - Rekt
When your hot wallets become sixteen points of failure, $73 million makes for an expensive lesson in access control.
Phemex exchange just learned this lesson the hard way, watching helplessly as an attacker drained their hot wallets across over a dozen different chains in a masterclass of multi-chain mayhem.
From Solana to Ethereum, Base to Avalanche, no chain was safe as the attacker systematically emptied wallets faster than Phemex could say "access control."
The largest centralized exchange hack of 2025 unfolded like a game of blockchain whack-a-mole - as soon as Phemex spotted suspicious activity on one chain, another wallet was already being drained.
Their cold wallets may have stayed safe in cold storage, but their hot wallets just got a $73 million lesson in thermodynamics.
When sixteen chains share the same security flaws, does multi-chain really mean multi-risk?
Credit: PeckShield, Cyvers, Federico Variola, Phemex, Crypto Ady, Hacken, The Block
Sixteen chains, one vulnerability, zero time to react - watching Phemex's hot wallets get drained was like witnessing a synchronized swimming routine choreographed by hackers.
PeckShield rang the first alarm bell early on January 23rd, spotting suspicious outflows that would make a bank robber blush.
Within minutes, Cyvers' systems were lighting up like a Christmas tree, detecting over $29 million in suspicious transfers across multiple chains, but this was just the preview.
The protocol's response followed the familiar centralized exchange playbook - suspend withdrawals first, ask questions later.
Phemex's CEO Federico Variola rushed to Twitter with the standard "our cold wallets are safe" reassurance, as if that somehow made the hot wallet massacre any less painful.
But, unlike some exchanges that go dark after a hack, Phemex's CEO moved swiftly, publishing proof of reserves.
At least some exchanges are learning that transparency matters as much as security.
Early security analysis by Hacken points to an access control breach that handed the attacker complete control over Phemex's hot wallets.
Like a digital tsunami, the attack swept through blockchain after blockchain, carving out wallets in its wake.
Ethereum bore the heaviest blow at $20.41M, while Solana wasn't far behind, losing $17.01M.
XRP rounded out the podium finishes with $13.48M vanishing faster than a trader's leverage.
The attacker carved through Bitcoin ($5.3M), BSC ($3.29M), Sui ($2.97M), and Base ($2.42M).
The rampage continued through Tron ($1.7M), Litecoin ($1.2M), Avalanche ($1.05M), and Arbitrum ($1.007M), while Polkadot ($975K), XLM ($863K), Polygon ($555K), Optimism ($531K), and ZkSync Era ($264K) provided the spare change.
When you lose control access across twelve chains, you don't just misplace over $73 million - you write yourself into the history books of how not to handle private key management.
"Sixteen chains, sixteen doors, zero locks.
This is going to be a cute post-mortem.
Here's how over $73 million evaporated chain by chain...
As the funds trickled across blockchains, it became clear that Phemex's sprawling multi-chain approach may have been more of a bug than a feature.
The clinical precision of the attack revealed more than just stolen funds - it exposed the fatal flaw in Phemex's multi-chain ambitions.
MetaMask's principal security researcher Taylor Monahan told The Block about the sophistication of the attack: simultaneous drains across chains, methodical token swapping prioritizing freezable assets, and manual execution instead of scripted chaos.
While Phemex rushed to reassure users about their cold wallet security, they forgot the first rule of hot wallet management - if you can't secure one chain, maybe don't try securing over a dozen.
The team quickly promised a compensation plan would be "announced soon," as if throwing money at the problem could patch their security holes.
They might need a bigger compensation fund if they keep treating multi-chain security like a game of whack-a-mole.
When every chain becomes a potential point of failure, is multi-chain support really a feature - or just over a dozen ways to get rekt?
Whether through leaked private keys or compromised access controls, exchange security keeps failing with clockwork precision.
Multi-chain support sounds fantastic until over a dozen different doors swing open simultaneously, inviting thieves to a $73 million shopping spree.
Phemex's hot wallet massacre joins an increasingly crowded club of exchanges who've learned that wallet security isn't just a suggestion - it's an expensive lesson in the art of losing control.
Time will tell if we discover the full story behind this exploit.
Though if history is any guide, the root cause of access control and private key breaches has a tendency to remain mysteriously classified.
In other words, we don’t always find out the entire story.
The details fade but the pattern remains crystal clear:
Hot wallet permissions keep failing, transparency remains optional, and exchanges keep pretending they're ready for multi-chain custody.
Which chain will leak next - or have exchanges finally mastered the art of losing money across all of them?