“On February 19, part of the funds stolen in the January hack of the Singapore cryptocurrency exchange PHEMEX began to move. Global Ledger analysts drew attention to this. Fourteen new addresses received more than 2,080 ETH (~$6 million). Fewer than 4,000 ETH remain, mainly in an Ethereum wallet related to the attack. Experts pointed to a confusing series of transactions and interaction with many platforms and protocols, which may indicate extensive experience with cybercrime. […]”, writes Businessua.com.ua

On February 19, part of the funds stolen in the January hack of the Singapore cryptocurrency exchange PHEMEX began to move. Global Ledger analysts drew attention to this.
Fourteen new addresses received more than 2,080 ETH (~$6 million). Fewer than 4,000 ETH remain, mainly in an Ethereum wallet related to the attack.
Experts pointed to a confusing series of transactions and interaction with many platforms and protocols, which may indicate extensive experience with cybercrime.
In particular, one recently created wallet received 601.34 ETH through five separate transfers before the funds were consolidated at another new address of the cross-chain Across Protocol. They were then obfuscated further when sent to a second address of the service.
In addition to direct transfers to Tornado Cash and eXch for anonymization, the hackers used the Wintermute platform and the DLN Trade and THORChain protocols to exchange assets.
Some of the funds reached custodial platforms, including OKX and CoinEx, but most of the movements were carried out using on-chain tools such as the Bitget cross-chain wallet and ChangeNOW.
According to Global Ledger, the hackers have been moving stolen assets in a series of transactions over the last few weeks, including the withdrawal of 50 BTC and 4 million XRP.
PHEMEX has already resumed trading and has warned customers against using old deposit addresses. CEO Federico Variola said that some of the exchange's funds would be moved to cold storage as part of a “comprehensive security update”.
Recall that on January 23, Cyvers Alerts analysts detected “multiple suspicious transactions” involving PHEMEX hot wallets. As it later turned out, the attack included more than 275 transactions across EVM chains.
According to the latest estimates, the loss was $85 million. Experts suggested that hackers linked to the DPRK were involved in the incident.