Stolen funds from last month’s Phemex exploit are on the move, according to blockchain data.
On Feb. 19, the hacker — or, more likely, group of hackers — began splitting up some of their ill-gotten gains into new addresses and transferring tokens to crypto mixer Tornado Cash.
The hacker(s) began by transferring over 2,080 ETH (worth about $6 million) to 14 new addresses, according to a report published Wednesday from Global Ledger, a Swiss blockchain analytics company. Less than 4,000 ETH remain in the main Ethereum wallet associated with the attack.
Like the initial hack of the Singapore-based exchange, the transfers on Wednesday appear to be performed by a coordinated group of individuals with significant onchain experience. The transfers involve multiple hops and interactions with a number of different protocols and platforms.
For example, one newly created wallet received 601.34 ETH across five separate transactions before consolidating those funds in another new address on the cross-chain token bridge, Across Protocol. Those funds were then obfuscated further when sent to a second Across address.
In addition to direct transfers to the Tornado Cash and eXch mixers to anonymize their funds, the hackers also, at times, used platforms like Wintermute, DLN Trade protocol and THORChain to exchange assets.
Global Ledger notes that while a small portion of funds also went to custodial platforms like OKX and CoinEx, where they are likely to be cashed out, most of the movements used onchain tools like Bitget’s bridging services and ChangeNOW wallet.
Hackers often break up funds across different blockchains using multiple services to minimize the risk that any one entity is able to freeze their movements. The initial attack, for instance, involved over 275 transactions just using EVM-compatible chains.
The amount moved on Wednesday represents a small fraction of the approximately $85 million worth of crypto stolen in January. However, it appears the hackers have been transferring funds over the past several weeks, including draining 50 BTC and 4 million XRP from Phemex.
Phemex has since resumed trading activities and cautions customers about using the old deposit addresses. Earlier this week, CEO Federico Variola noted that the exchange was moving some of its funds into cold storage as part of an “overarching security upgrade.”
Pseudonymous security researcher SomaXBT.eth previously told The Block the exploit had all the telltale signs of being perpetrated by North Korean hackers, partly due to its sophistication.
Global Ledger notes that at least 32,210 ETH has been sent to Tornado Cash since the start of 2025, with approximately 40% (about $36.6 million) tied to hacks. Tornado Cash was sanctioned by the U.S. government in 2023. However, the Fifth Circuit Court of Appeals recently overturned the Treasury’s sanctions against its decentralized smart contracts.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry.