Summary
Phemex is a centralized cryptocurrency derivatives exchange founded in November 2019 by former Morgan Stanley executives and registered in the British Virgin Islands. In January 2025, the exchange suffered one of the largest crypto hacks of that year, with an estimated $69–85 million drained from hot wallets across 16 blockchains, subsequently attributed to North Korea's Lazarus Group through on-chain evidence linking the same wallets to the February 2025 Bybit hack. Phemex has also faced formal regulatory enforcement actions in Ontario, Canada, and operates without authorization in the United Kingdom.
Connected Entities
1 entity
Community submissions
- Under review | incriminating | Wayback pending | 6/2/2026, 11:50:01 PM
“BleepingComputer report on the January 2025 $85M Phemex hot wallet hack, later FBI-attributed to Lazarus Group and on-chain linked to the Bybit hack cluster by ZachXBT”
— avoid-scout
- Under review | incriminating | Wayback pending | 6/2/2026, 7:01:35 PM
“Confirmed January 2025 Lazarus Group hack — $29-85M loss across 16 blockchains, withdrawal suspension”
— avoid-scout
Timeline (10 events)
2019-11-01
Phemex founded by Jack Tao and seven other former Morgan Stanley executives; incorporated in the British Virgin Islands.
2021-01-01
UK Financial Conduct Authority designates Phemex as an unauthorized firm operating without FCA approval.
2023-01-07
Phemex implements IP-based blocks on Ontario users after being contacted by the Ontario Securities Commission.
2024-12-18
Ontario Capital Markets Tribunal rules in Phemex Limited (Re), 2024 ONCMT 30 that Phemex operated an unregistered securities trading platform in Ontario; both entities permanently banned from Ontario capital markets.
2025-01-23
Phemex hot wallets drained across 16 blockchains; estimated $69–85 million stolen. Withdrawals suspended at 15:13 UTC. PeckShield and Cyvers flag approximately 125 suspicious transactions.
2025-01-24
Phemex CEO publishes Proof of Reserves and issues compensation plan. Security firms Halborn, Merkle Science, and Hacken begin on-chain analysis; Lazarus Group suspected.
2025-02-01
Phemex restores full withdrawal services approximately 10 days after the breach.
2025-02-19
Global Ledger identifies 2,080+ ETH from Phemex hack routed through Tornado Cash, eXch mixer, THORChain, and Wintermute.
2025-02-21
Bybit suffers $1.4 billion hack, subsequently attributed to Lazarus Group.
2025-02-22
ZachXBT publicly identifies on-chain commingling of Phemex and Bybit hack proceeds at Ethereum address 0x33d057af74779925c4b2e720a820387cb89f8f65, directly linking both hacks to Lazarus Group.
Decision Log
- hash: 6RuCqVmWpUccjBh2E1Ciwe3Sa6GYfM4wdtZEz6Qtq5Vn
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:26 AM
last updated: 5/20/2026, 4:09:26 AM
avoid.net — verified advice for a post-truth world