Phemex Exchange Loses Over $30M Due to Access Control Attack

Less than 2 months after the XT.com incident, another crypto exchange fell victim to an Access Control exploit. On January 23, 2025, Phemex Exchange reported unauthorized withdrawals from their hot wallet, marking the first significant exchange breach this year.

Attack Details

The attacker drained multiple tokens from Phemex’s hot wallet (0x50be…6772), with major withdrawals including:

  • 1,767,957 USDC
  • 1,021,719 CRV
  • 744,696 USDT
  • 1,879 AAVE
  • 110,700 LINK
  • 142,462,543,475 PEPE
  • 1,187,531 FET

All stolen assets were directed to a single EOA (0x5b34…7e22), following a similar pattern to the recent XT.com hack.
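The pattern described above (many different tokens leaving the hot wallet for one destination in a short span) can be checked by withdrawal monitoring. The following is an added example, not code from Phemex or from this article's author; the addresses, timestamps, allowlist, window and threshold are constructed placeholders and assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: placeholder addresses and made-up transfers,
# not real on-chain records.
HOT_WALLET = "0xHOT"
ALLOWLIST = {"0xCOLD", "0xCUSTOMER_A"}  # hypothetical known-good destinations

def ts(hhmm):
    """Build a timestamp on the constructed sample day."""
    return datetime.strptime("2025-01-23 " + hhmm, "%Y-%m-%d %H:%M")

TRANSFERS = [  # (time, from, to, token)
    (ts("11:20"), HOT_WALLET, "0xCUSTOMER_A", "USDT"),
    (ts("11:49"), HOT_WALLET, "0xDRAIN", "USDC"),
    (ts("11:52"), HOT_WALLET, "0xDRAIN", "CRV"),
    (ts("11:55"), HOT_WALLET, "0xDRAIN", "USDT"),
    (ts("12:01"), HOT_WALLET, "0xCUSTOMER_B", "LINK"),
    (ts("12:03"), HOT_WALLET, "0xDRAIN", "AAVE"),
    (ts("14:30"), HOT_WALLET, "0xCUSTOMER_B", "USDT"),
]

def detect_drain(transfers, hot_wallet, allowlist,
                 window=timedelta(minutes=30), min_tokens=3):
    """Alert once per destination when a non-allowlisted address has received
    at least min_tokens distinct tokens from hot_wallet inside the window."""
    recent = defaultdict(list)  # destination -> [(time, token)] still in window
    alerted = set()
    alerts = []
    for when, src, dst, token in sorted(transfers):
        if src != hot_wallet or dst in allowlist or dst in alerted:
            continue
        # Drop transfers that have aged out of the sliding window.
        recent[dst] = [(t, tok) for t, tok in recent[dst] if when - t <= window]
        recent[dst].append((when, token))
        tokens = {tok for _, tok in recent[dst]}
        if len(tokens) >= min_tokens:
            alerted.add(dst)
            alerts.append((dst, when, sorted(tokens)))
    return alerts

if __name__ == "__main__":
    for dst, when, tokens in detect_drain(TRANSFERS, HOT_WALLET, ALLOWLIST):
        print(f"ALERT {when:%H:%M} UTC: {dst} received {tokens} from hot wallet")
```

A rule like this only fires on fast multi-token drains; withdrawals spaced wider than the window pass unnoticed, so it complements rather than replaces per-asset value limits.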

At the time of writing, the hacker is continuing to withdraw funds in small amounts.

The total worth of the stolen virtual assets exceeds $30M.


Updated 14:00:

Attacker’s moves:

  • 744,696 $USDT was transferred to 0x17bcc630b1409637d42dfb278f8e2ea9fc862631
  • 1,767,957 $USDC was transferred to 0x6c42f03d730b7643939fa1d00416cb2985ed9cf3

Both addresses quickly swapped the stablecoins for $ETH, avoiding the risk that the stablecoin issuers would blacklist the addresses.

Attack timeline:
Start time: 11:49 23/01/25 (UTC)
End time: 13:31 23/01/25 (UTC)

Growing Industry Concern

This breach, occurring so soon after the XT.com incident, reinforces the urgent need for enhanced security measures across centralized exchanges. Both attacks exploited Access Control vulnerabilities, suggesting a concerning pattern that attackers are actively targeting.

Exchange Security Status

According to CER.live’s security assessment, Phemex holds a D rating (24/100), indicating significant security concerns. The exchange lacks:

  • Completed penetration testing
  • Active bug bounty program
  • CCSS certification
  • ISO certification

Notably, CCSS certification is specifically designed to prevent Access Control exploits like this one. This security gap stands in stark contrast to XT.com, which, despite being hacked, maintained higher security standards including valid penetration testing certificates.

Industry Response Needed

These consecutive breaches highlight the critical importance of implementing robust security standards. As we emphasized in our analysis of the XT.com incident, Level 3 CCSS certification must become an industry standard rather than an option.
