Phemex Hackers Begin Dispersing Stolen Funds

Coin68
02-20
On-chain data shows that on 19/02 the Phemex hackers began dispersing the stolen cryptocurrency across many wallets, using mixers such as Tornado Cash to obscure the trail. According to Swiss analytics firm Global Ledger, the attackers have moved more than 2,080 ETH (around $6 million) to 14 new wallets; the main wallet used in the attack now holds less than 3,600 ETH.

As Coin68 previously reported, on the evening of 23/01/2025 the Singapore-based Phemex exchange was breached, with damages initially put at over $70 million. The attackers withdrew many asset types at once across every blockchain Phemex supports. The tokens were then swapped into each chain's native asset, with freezable stablecoins converted first so issuers could not lock them, before being moved on into other cryptocurrencies. On Ethereum Virtual Machine (EVM)-compatible chains alone the hack involved more than 275 transactions, an indication of how carefully it was planned.

Like the initial theft, the dispersal now under way has been carefully staged, with multiple intermediate hops across different protocols and platforms. In one instance, a new wallet received 601.34 ETH in 5 separate transactions, consolidated the funds into a fresh address via the cross-chain bridge Across Protocol, and then forwarded them to yet another address. Splitting a transfer into fragments and recombining them is a standard layering technique: it defeats simple amount matching and forces investigators to follow every fragment.

Besides Tornado Cash, the attackers have used mixing services such as eXch, and have routed funds through Wintermute, the DLN Trade protocol and THORChain to swap into other assets, making the flows harder to trace. Part of the funds has gone to the OKX and CoinEx exchanges, suggesting an attempt to cash out, but most of the assets are still being moved through on-chain tools such as Bitget's bridge service and the ChangeNOW wallet.
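The split, consolidate and forward pattern described above is what on-chain analytics firms look for when they attribute wallets to a hack. The following is an added example, not code from Coin68 or Global Ledger: it runs proportional ("haircut") taint tracing from a known attacker wallet over a constructed, clearly fictional transfer list, and flags addresses that receive several fragments from one sender and then forward the whole sum in one hop. All address labels and amounts are placeholders chosen to mirror the 601.34 ETH example, not real chain data.

```python
from collections import defaultdict

# Constructed sample transfers, NOT real on-chain data. Each tuple is
# (sender, receiver, amount_in_eth), listed in chronological order. The
# labels are placeholders that mirror the pattern in the article: five
# fragments into one fresh wallet, one consolidated hop through a bridge,
# then onward to a mixer and an exchange deposit address.
TRANSFERS = [
    ("attacker_main", "new_wallet_1", 120.27),
    ("attacker_main", "new_wallet_1", 120.27),
    ("attacker_main", "new_wallet_1", 120.27),
    ("attacker_main", "new_wallet_1", 120.27),
    ("attacker_main", "new_wallet_1", 120.26),
    ("new_wallet_1", "across_bridge", 601.34),
    ("across_bridge", "new_wallet_2", 601.34),
    ("new_wallet_2", "tornado_router", 500.00),
    ("new_wallet_2", "cex_deposit", 101.34),
    ("unrelated_user", "cex_deposit", 10.00),  # clean funds sharing a deposit address
]


def trace_taint(transfers, origin):
    """Proportional ("haircut") taint tracing.

    Every transfer out of an address carries taint in proportion to the
    tainted share of what that address has received so far; the origin is
    treated as 100% tainted. Transfers must be in chronological order.
    Returns {address: tainted_amount_received}.
    """
    total_in = defaultdict(float)
    tainted_in = defaultdict(float)
    for src, dst, amount in transfers:
        if src == origin:
            ratio = 1.0
        elif total_in[src] > 0:
            ratio = tainted_in[src] / total_in[src]
        else:
            ratio = 0.0  # sender has no known inflows, treat as clean
        total_in[dst] += amount
        tainted_in[dst] += amount * ratio
    return dict(tainted_in)


def find_consolidation_hops(transfers, min_inputs=3):
    """Flag the split-then-recombine pattern.

    An address is flagged when it receives at least `min_inputs` separate
    transfers from one sender and then forwards (within 1%) the whole sum
    in a single transaction. Returns [(address, n_inputs, forwarded_amount)].
    """
    inputs = defaultdict(lambda: defaultdict(list))  # dst -> src -> [amounts]
    outputs = defaultdict(list)                       # src -> [(dst, amount)]
    for src, dst, amount in transfers:
        inputs[dst][src].append(amount)
        outputs[src].append((dst, amount))

    flagged = []
    for addr, by_sender in inputs.items():
        for sender, amounts in by_sender.items():
            if len(amounts) < min_inputs:
                continue
            received = sum(amounts)
            for dst, out_amount in outputs.get(addr, []):
                if abs(out_amount - received) <= 0.01 * received:
                    flagged.append((addr, len(amounts), out_amount))
    return flagged


def tainted_share(transfers, origin, address):
    """Fraction of everything `address` received that traces back to `origin`."""
    total = sum(a for _, d, a in transfers if d == address)
    if total == 0:
        return 0.0
    return trace_taint(transfers, origin).get(address, 0.0) / total


if __name__ == "__main__":
    taint = trace_taint(TRANSFERS, "attacker_main")
    for addr, amt in sorted(taint.items()):
        print(f"{addr:16s} tainted {amt:8.2f} ETH")
    print("consolidation hops:", find_consolidation_hops(TRANSFERS))
    share = tainted_share(TRANSFERS, "attacker_main", "cex_deposit")
    print("cex_deposit tainted share:", round(share, 3))
```

The haircut rule matters at the exchange deposit address: the 10 ETH from the unrelated user dilutes the taint, so the deposit is about 91% attributable to the attacker rather than 100%, which is the kind of figure an exchange compliance team would act on. Real investigations run the same logic over millions of transfers pulled from a node or indexer and must also handle bridges and mixers, where the link between input and output has to be inferred rather than read off the chain.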
Although the funds moved on 19/02 are only a small fraction of the roughly $85 million taken from Phemex, the hackers have been draining the proceeds in a "drip-feed" fashion over several weeks rather than in one large transaction. Earlier withdrawals include 50 BTC and 4 million XRP from the exchange, in addition to ETH. Blockchain security firms are monitoring these transactions closely and working with major exchanges to identify those responsible, but given the increasingly sophisticated laundering tactics, the investigation is likely to be prolonged and difficult.

According to Global Ledger, at least 32,210 ETH have been sent to Tornado Cash since the start of 2025, with roughly 40% of it (worth $36.6 million) linked to various hacking incidents. Tornado Cash was sanctioned by the U.S. Treasury's OFAC in August 2022. However, a U.S. federal appeals court (the Fifth Circuit) recently overturned those sanctions, holding that the platform's smart contracts "are not the property of a foreign organization or government, and therefore cannot be sanctioned under the International Emergency Economic Powers Act."
