Cyber Incident Victim: Phemex
Date: Jan 2025
Location: Singapore
Summary
A Singapore-based cryptocurrency exchange, Phemex, suffered a cyberattack resulting in the theft of over $69 million in digital assets, forcing the platform to temporarily halt operations and implement manual withdrawal reviews. Blockchain security firms identified suspicious transactions siphoning funds, with experts attributing the technically sophisticated attack to North Korean state-sponsored hackers, aligning with broader patterns of such groups targeting crypto platforms to fund illicit weapons programs. The incident caused significant financial losses and operational disruptions, requiring the exchange to develop a compensation plan while assuring users of ongoing business continuity for trading services.
Description
On January 23, 2025, Singapore-based cryptocurrency exchange Phemex suspended portions of its operations following the detection of suspicious outflows totaling at least $69 million in digital assets. Blockchain security firms Cyvers and PeckShield identified anomalous transactions beginning on January 22, with Cyvers initially flagging $29 million in cryptocurrency movements before PeckShield confirmed total losses exceeding $69 million across Ethereum, Bitcoin, Binance Coin, and other cryptocurrencies. Phemex CEO Federico Variola announced platform withdrawals would remain paused during system restoration efforts, citing the threat actor’s sophistication as necessitating extended testing and manual review of future withdrawal requests. The company implemented a snapshot of all user balances as of 12pm UTC on January 23 to facilitate compensation planning while assuring customers that trading services remained operational despite the security breach.

Investigative analysis by blockchain experts cited in media reports highlighted the technical complexity of the fund exfiltration, with multiple sources attributing the attack to experienced threat actors. Two independent experts referenced North Korea’s involvement, aligning with U.S., Japanese, and South Korean government advisories warning of continued targeting of crypto platforms by DPRK-affiliated groups in 2025. Phemex acknowledged the incident through social media apologies and commitments to a forthcoming compensation plan but did not disclose technical details of the breach or confirm attribution. The theft formed part of a broader pattern targeting Singapore-based exchanges, including prior attacks on Penpie ($30 million) and BingX ($44 million) within the preceding six months. Chainalysis later included the Phemex incident in its 2025 cryptocurrency theft total of $2.7 billion, with North Korean operatives allegedly responsible for $2 billion of that year’s global crypto thefts, continuing a trend that saw $2.2 billion stolen in 2024. United Nations investigators were concurrently examining 58 DPRK-linked cyberattacks on cryptocurrency firms spanning 2019–2025, cumulatively valued at approximately $3 billion.
