
Explained: The Phemex Hack (January 2025)

POSTED BY: Rob Behnke

01.27.2025

In January 2025, Phemex, a centralized exchange (CEX) based in Singapore, became the victim of the largest hack of 2025 to date. An attacker gained access to the CEX’s hot wallets, stealing an estimated $73 million in assets across sixteen blockchains.

Inside the Attack

Phemex is notable for its wide multi-chain support, offering services to users across sixteen blockchains. While this provides access to a larger user base and increased liquidity, it becomes a problem when all of these accounts are vulnerable to the same attack.

This was the case with the Phemex hack in January 2025, when attackers began draining crypto from one hot wallet after another. In total, about $73 million was stolen from the CEX across sixteen blockchains, including Ethereum, Solana, Ripple, Bitcoin, and others.

Like many other CEX hacks, the root cause of this incident was likely compromised private keys, especially if the keys for all of these hot wallets were stored in the same location. These types of hacks are also a specialty of the Lazarus Group, which was likely responsible for the majority of DeFi hacks in 2024 as well.

The potential link to the North Korean hacking group is supported by the systematic way that the hack was carried out across multiple chains. In addition to draining many accounts very quickly, the attacker also stole and swapped assets in a way that maximized the amount they could get away with. This included starting with the most valuable tokens first and swapping freezable assets for ones that can’t be frozen. Over time, the attacker worked their way down to even the smallest assets in the target wallet.

Lessons Learned from the Attack

The Phemex hack is likely another example of a CEX that held assets in insecure hot wallets. Ideally, these accounts should be protected by multi-signature wallets, and one wallet being compromised shouldn’t impact the security of the others. The fact that not one or two but sixteen different accounts were impacted indicates that something went seriously wrong here.
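The drain pattern described above (several hot wallets on different chains emptied within minutes of one another) is something an exchange's monitoring can flag before the attacker works down to the smaller assets. The following Python script is an added example, not code from the post or from Phemex, and runs over a constructed sample of withdrawal events with made-up wallet labels and balances:

```python
"""Flag a cross-wallet drain: many hot wallets, on different chains, losing
most of their balance within one short window. Events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outflow:
    ts: datetime           # when the withdrawal was broadcast
    chain: str             # e.g. "ethereum", "solana" (constructed)
    wallet: str            # hot-wallet label (constructed, not real addresses)
    usd_out: float         # USD value leaving the wallet in this transfer
    balance_before: float  # wallet USD balance just before this transfer


def t(minute):
    """Constructed timestamps on one day, offset by `minute`."""
    return datetime(2025, 1, 23, 10, 0) + timedelta(minutes=minute)


# Constructed sample: two routine withdrawals, then three wallets on three
# chains drained within ten minutes, largest wallet first.
EVENTS = [
    Outflow(t(0),  "ethereum", "eth-hot-1", 20_000,    4_000_000),  # normal
    Outflow(t(5),  "bitcoin",  "btc-hot-1", 15_000,    6_000_000),  # normal
    Outflow(t(40), "ethereum", "eth-hot-1", 3_600_000, 3_980_000),  # drain
    Outflow(t(43), "solana",   "sol-hot-1", 1_900_000, 2_000_000),  # drain
    Outflow(t(47), "ripple",   "xrp-hot-1", 1_400_000, 1_500_000),  # drain
    Outflow(t(49), "ethereum", "eth-hot-1", 300_000,   380_000),    # drain, 2nd tx
]


def drained_wallets(events, window_minutes=30, min_wallets=3, fraction=0.8):
    """Return (window_start, sorted wallet labels) for the first sliding window
    in which at least `min_wallets` distinct wallets each lost more than
    `fraction` of the balance they held at their first outflow in the window;
    return None if no window meets the threshold."""
    events = sorted(events, key=lambda e: e.ts)
    window = timedelta(minutes=window_minutes)
    for i, start in enumerate(events):
        out, base = {}, {}
        for e in events[i:]:
            if e.ts - start.ts > window:
                break
            base.setdefault(e.wallet, e.balance_before)  # balance at first outflow
            out[e.wallet] = out.get(e.wallet, 0.0) + e.usd_out  # cumulative outflow
        hit = sorted(w for w in out if base[w] > 0 and out[w] / base[w] >= fraction)
        if len(hit) >= min_wallets:
            return start.ts, hit
    return None
```

With the sample above, the 30-minute window opening at the first large transfer trips the rule on three wallets across three chains; the two routine withdrawals alone do not.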

However, while Phemex made the standard statement of “all cold wallets are safe” and promised reimbursement, they stood out from many other hack victims by actually proving their ability to do so. Shortly after the incident, the Phemex CEO tweeted a link to a Proof of Reserves (PoR) for the protocol. While this doesn’t restore the stolen $70 million, it does give users confidence that their funds aren’t lost forever.

Compromised private keys — the likely cause of this incident — are a regrettably common cause of major crypto hacks. To learn more about securing your accounts against these types of risks, check out these private key security best practices.

© Halborn 2024. All rights reserved.