What to Do After Your First Cyber-Attack – Ensuring It Never Happens Again
Phemex Shares Key Takeaways from Unprecedented Cyber-Attack
Even industry leaders aren’t immune to the risks of running an online business. Phemex, a hybrid exchange combining the best features of centralized and decentralized platforms, was targeted by a sophisticated threat actor in late January.
Instead of hiding from the situation, Phemex chose transparency, offering valuable lessons to other companies in the process. “We want to discuss the incident openly, explain how we managed it, and outline the steps we’ve taken to prevent future occurrences,” said Phemex CEO Federico Variola.
Although the attack came from an advanced threat actor, Variola assured that most user funds were never at risk, and the exchange covered all losses. “We resumed operations swiftly and took immediate action to enhance our hot wallet security infrastructure to significantly reduce these risks in the future,” he added.
The Attack and Response
The attacker, known for executing high-profile crypto hacks, deployed a complex and difficult-to-anticipate attack. Though the perpetrator remains unidentified by law enforcement, they are believed to be operating from a jurisdiction that supports such activities and is likely shielded from legal action.
Variola noted that Phemex’s hack appeared to be linked to Bybit’s recent breach, although the two incidents differ. “Our hot wallet was targeted, whereas Bybit’s incident involved their main ETH cold wallet,” he explained.
To minimize potential losses, Phemex employs separate hot and cold wallets. “The loss was limited to the funds in our hot wallet, which was precisely why we implemented this separation,” Variola stated. “While the attack was undoubtedly negative, it fell within manageable limits for our exchange.”
The breach occurred through social engineering tactics targeting Phemex employees via Telegram; the stolen funds are estimated at $85 million. During the attack, maintaining user trust and transparency was paramount.
“We immediately informed users about the situation and assured them their funds were secure, directing them to our Merkle Tree Proof-of-Reserves Tool to verify this,” said Variola.
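The article does not describe the internals of Phemex’s Merkle Tree Proof-of-Reserves Tool, so the following is an added, self-contained illustration (not Phemex’s code) of how such a tool lets a user check that their balance is included in a published total that can then be compared against on-chain reserves. It builds a Merkle sum tree over constructed sample balances, issues an inclusion proof, and verifies it; the hash layout, field widths and the `EMPTY` padding node are assumptions of this example.

```python
import hashlib

# Fixed-width encoding for balances so that hash inputs are unambiguous
# (assumption of this example: 128-bit unsigned amounts in base units).
WIDTH = 16


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(user_id: str, balance: int) -> tuple[bytes, int]:
    """Leaf node: hash commits to both the account and its balance."""
    if balance < 0:
        # Negative balances would let an operator cancel out liabilities
        # in the sum; a proof-of-reserves tree must reject them.
        raise ValueError("balance must be non-negative")
    return _h(b"leaf", user_id.encode(), balance.to_bytes(WIDTH, "big")), balance


def node(left: tuple[bytes, int], right: tuple[bytes, int]) -> tuple[bytes, int]:
    """Internal node: hash commits to both children and their sums."""
    lh, ls = left
    rh, rs = right
    digest = _h(b"node", lh, ls.to_bytes(WIDTH, "big"), rh, rs.to_bytes(WIDTH, "big"))
    return digest, ls + rs


# Padding node for odd levels. Duplicating the last real node instead
# (a common plain-Merkle trick) would double-count its balance here.
EMPTY = (_h(b"empty"), 0)


def build_tree(balances: list[tuple[str, int]]) -> list[list[tuple[bytes, int]]]:
    """Return all levels, leaves first; the last level holds the root."""
    levels = [[leaf(u, b) for u, b in balances]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)  # padded in place so proofs can find siblings
        levels.append([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def make_proof(levels, index: int) -> list[tuple[bytes, int, int]]:
    """Inclusion proof: (sibling hash, sibling sum, 1 if we are the right child)."""
    proof = []
    for level in levels[:-1]:
        sib = level[index ^ 1]
        proof.append((sib[0], sib[1], index & 1))
        index //= 2
    return proof


def verify_proof(user_id: str, balance: int, proof, root_hash: bytes, root_sum: int) -> bool:
    """Recompute the root from the leaf and the proof; check hash and total."""
    cur = leaf(user_id, balance)
    for sib_hash, sib_sum, is_right in proof:
        if sib_sum < 0:
            return False  # a sibling cannot hide a negative liability
        sib = (sib_hash, sib_sum)
        cur = node(sib, cur) if is_right else node(cur, sib)
    return cur[0] == root_hash and cur[1] == root_sum


def solvent(root_sum: int, onchain_reserves: int) -> bool:
    """Published liabilities must be covered by attested on-chain reserves."""
    return onchain_reserves >= root_sum


if __name__ == "__main__":
    # Constructed sample balances, not real account data.
    sample = [("alice", 50), ("bob", 30), ("carol", 20)]
    tree = build_tree(sample)
    root_hash, root_sum = tree[-1][0]
    proof = make_proof(tree, 1)  # proof for "bob"
    print("bob included:", verify_proof("bob", 30, proof, root_hash, root_sum))
    print("tampered balance rejected:", not verify_proof("bob", 31, proof, root_hash, root_sum))
    print("solvent against 120 units of reserves:", solvent(root_sum, 120))
```

A user only needs their own leaf data, the proof and the published root (hash and sum) to run `verify_proof`; they never see other accounts’ balances. The sum check is what turns an ordinary Merkle inclusion proof into a proof of reserves: the root sum is the total liability the exchange commits to, and `solvent` compares it with the reserves attested on-chain.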
Recovery and Mitigation
Once Phemex contained the attack, efforts shifted toward minimizing the damage. Some stolen assets were recovered, and funds found on other exchanges were quickly frozen. “We are actively recovering funds and hope to reclaim a significant portion,” Variola shared. “Despite this setback, we still have the resources to operate at full capacity.”
Phemex is collaborating with law enforcement, cybersecurity firms, and other crypto platforms to aid in the recovery process. Remarkably, core functionality was restored within 24 hours, potentially one of the fastest recoveries by any major crypto exchange. Following this, Phemex implemented a manual review process for all deposits and withdrawals to catch any further malicious activity.
Lessons Learned and New Measures
The breach highlighted a key lesson for Phemex. “Our rapid growth during the latest bull market outpaced some of our internal processes,” Variola admitted. “This attack revealed that the security measures we had in place were no longer adequate for our current scale.”
In response, Phemex revamped its hot-wallet security system, adopting a zero-trust architecture built on AWS Nitro enclave technology for robust, chip-level security.
To stay ahead of future threats, Phemex plans to implement a tiered-wallet system. This will limit the proportion of funds stored in hot wallets and enhance security across all wallet types, including cold wallets and warm wallets (which combine the advantages of hot and cold storage).
Phemex is also expanding its security workforce and implementing strict access controls. With dedicated teams overseeing different aspects of infrastructure security, access to critical systems will be more limited, and all actions will undergo thorough third-party reviews.
Although these changes might slow down service delivery slightly, Variola emphasized that security is the top priority. “The new system will make our operations more complex, but it’s a necessary step to ensure the highest level of security. We’re confident in the new setup and are seeking third-party certifications for our security standards.”