A sophisticated threat actor drained more than $85 million in cryptocurrency last week from crypto exchange Phemex, according to multiple sources.
While initial loss estimates for the January 23 breach were $29 million, by the end of the weekend those estimates grew to just over $85 million.
While a suspected threat actor hasn’t been named in the Phemex hack, there has been speculation that the sophisticated hack could be the work of North Korea-linked hackers, who by one estimate accounted for 61% of the $2.2 billion in crypto funds stolen last year. North Korea-linked threat actors were allegedly behind such massive attacks as the May 2024 $308 million DMM breach, among other crypto heists.
Phemex Provides Account of Crypto Hack
Phemex published an account of the security incident on January 26, noting that after the hot wallet attack, “”we immediately took emergency measures, temporarily suspended deposits and withdrawals, and formulated a follow-up plan.”
Affected devices were identified and isolated, and the exchange reported the incident to third-party security firms and law enforcement.
The Singapore-based exchange said it “has sufficient asset reserves, and user funds are always safe.” The company released a Proof of Reserves (POR) “to ensure full transparency of our financial status.”
After security updates, “Our new system is now live and routinely monitored by our cybersecurity partner, with significant improvements in security and reliability. All operations have been gradually restored, and we ensure the absolute safety of user assets. … We will continue to optimize our system to prevent such incidents from happening in the future.”
‘Sophistication of Threat Actor’
In a January 23 post on X (formerly Twitter), Phemex CEO Federico Variola said the company was restoring its systems slowly because of the “the sophistication of the threat actor.”
“[W]e are currently carefully testing our system to reprise withdrawals as soon as possible,” Variola wrote. “Due to the sophistication of the threat actor we cannot rush this stage.”
Taylor Monahan of crypto wallet firm MetaMask told The Block that the heist appeared to be carried out by “a group of threat actors who have done this many times before.”
“In this case, we see a massive amount of distinct assets drained simultaneously across a multitude of chains,” Monahan was quoted as saying. “The tokens are then immediately swapped for the native asset, starting with the freezable stablecoins and then working down the list by value.”
The attack has raised interest in “offchain transaction validation,” an emerging blockchain simulation and validation security solution from Web3 security firm Cyvers, reports Cointelegraph. The technology could prevent 99% of crypto hacks, the company claims – including last year’s $230 million WazirX hack.
