On January 23, 2025, Phemex lost over $70 million in a Lazarus Group attack on its hot wallets. A month later, the same hackers struck Bybit — this time for $1.5 billion.
The surge in cybercriminal activity is forcing traders to rethink the balance between centralized and decentralized services. The Phemex team shared with ForkLog how the exchange reinforced its security framework and strengthened its defenses after the breach.
From DeFi Back to CEX?
Any centralized exchange (CEX) is, by definition, delegated custody of private keys. The user trades control for convenience and accepts the risks tied to bad-faith management of the venue and external attacks on hot wallets.
The alternative to CEXes is DeFi services — not just DEXes and perp DEXes, but also lending protocols and liquid staking, since most centralized exchanges have long moved beyond trading and offer a wide range of financial products.
April 2026 turned into the worst month for DeFi protocols in years. It started with the attack on Drift Protocol on April 1 — $280 million drained. The incident was linked to TraderTraitor, a Lazarus Group subunit behind the Bybit and Phemex breaches.
Two weeks later, the exploit of Kelp Protocol for $293 million dealt a blow to Aave, the largest lending market. The attackers stole rsETH tokens and used them as collateral to siphon real funds. That triggered a wave of withdrawals: according to data from Standard Chartered, users pulled $17 billion out of Aave, and active loans shrank by $5.5 billion.
The attacks continued through the end of the month. On April 22, hackers compromised the liquid staking platform Volo on Sui and drained $3.5 million. On April 27, the lending platform Scallop on the same blockchain was hit. On April 28, three projects were breached at once: cross-chain network ZetaChain ($334,000), Ethereum infrastructure project Syndicate ($330,000) and Sui-based exchange Aftermath Finance ($900,000). On April 30, attackers exploited the Wasabi protocol — losses topped $5 million.
Many investors who held stablecoins and Ethereum in “battle-tested” protocols like Aave and Lido began moving capital out. But not everyone wants to give up the extra yield. Some users are again considering Earn products and a return to familiar trading on centralized exchanges.
CEXes themselves have stepped up security in recent years along three key lines:
- Proof-of-Reserves (PoR) — cryptographic proof that an exchange holds assets covering its liabilities to clients. It became the de facto standard after the collapse of FTX in November 2022.
- multi-tier custody — splitting funds across cold, warm and hot wallets with multisig.
- compensation mechanisms — exchanges have started setting up insurance funds for unforeseen events.
Phemex builds trust at the intersection of these three elements. Let’s unpack what stands behind each.
Proof-of-Reserves
Phemex was one of the early centralized exchanges to release a Proof-of-Reserves system, launching its Merkle-tree version on November 21, 2022 — ten days after FTX’s collapse. At launch, the system supported bitcoin, Ethereum, USDT and USDC. By May 2026, the list had grown to 11 assets, including TRX, BNB, XRP, SOL, SUI and AVAX.
Reports come out monthly. As of May 2026, the combined reserve ratio stood at 129.75% — assets exceeded the exchange’s liabilities to clients. That creates a buffer for extreme market conditions or operational disruptions.
“Reserve transparency should be practical, repeatable, and easy for users to verify. Monthly Proof of Reserves helps turn that principle into a regular operating standard. For us, being user-first means giving traders the information they need to assess the platform for themselves, not asking them to rely only on statements of trust,” said Phemex CEO Federico Variola.
The Merkle tree lets users verify that their own balance is included in the overall snapshot without exposing other clients’ data.
“Client balances are hashed in pairs, those hashes are hashed in pairs again, and so on until a single value remains — the Merkle root. Changing any balance by even 1 satoshi changes the root entirely. To confirm their funds are accounted for, a user copies their Hashed Client ID from the personal account and verifies it on the Proof-of-Reserves page,” the Phemex team explains.
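As an added illustration of the mechanism the team describes (example code written for this article, not Phemex's published scheme, whose exact leaf format and odd-level handling are not stated here), the following Python builds a Merkle tree over a constructed balance snapshot, produces an inclusion proof for one hashed client id, and shows that a one-satoshi change to any balance alters the root. Duplicating the last node on odd levels and the 0x00/0x01 domain-separation prefixes are assumptions.

```python
import hashlib

def leaf_hash(hashed_client_id: str, balance_sats: int) -> bytes:
    # Leaf commits to (hashed client id, balance); 0x00/0x01 prefixes keep leaves
    # and inner nodes distinguishable (a standard second-preimage guard).
    return hashlib.sha256(b"\x00" + hashed_client_id.encode() + balance_sats.to_bytes(8, "big")).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _pad(level):
    # Assumption: an odd level duplicates its last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level

def build_levels(leaves):
    # levels[0] are the leaves, levels[-1][0] is the Merkle root.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    # Sibling hashes from leaf to root, each tagged with the side it sits on.
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((_pad(level)[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof

def verify_inclusion(leaf, proof, root):
    # What a user does on the PoR page: recompute the path from their own leaf.
    h = leaf
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == root

# Constructed sample snapshot: (hashed client id, BTC balance in satoshi).
SNAPSHOT = [("hcid_a1", 150_000_000), ("hcid_b2", 25_000_000), ("hcid_c3", 400_000_000)]
def demo():
    leaves = [leaf_hash(cid, bal) for cid, bal in SNAPSHOT]
    levels = build_levels(leaves)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 1)                       # proof for hcid_b2
    included = verify_inclusion(leaves[1], proof, root)
    # One satoshi added to another client's balance: the published root no longer matches.
    altered = [leaf_hash("hcid_a1", 150_000_001)] + leaves[1:]
    root_changed = build_levels(altered)[-1][0] != root
    wrong_claim = verify_inclusion(leaf_hash("hcid_b2", 25_000_001), proof, root)
    return included, root_changed, wrong_claim
```

The proof for a client is only a handful of sibling hashes, so it reveals nothing about other clients' balances while still binding the client's own leaf to the published root.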
Some of the exchange’s cold wallet addresses are public. Anyone can check the balances through block explorers of the relevant networks.
Where User Assets Are Stored
Phemex uses three-tier custody:
- cold wallets — over 70% of client funds. Private keys are fully isolated from the internet. Each transaction requires sign-off from several independent signers physically separated from one another. All transfers are processed manually after multiple verifications;
- warm wallets — about 20% of assets. A secure bridge between cold and hot storage. A limited volume for liquidity management without direct internet exposure;
- hot wallets — under 8% of funds. Handle day-to-day deposits and withdrawals. Even if hot wallets are fully compromised, more than 90% of capital remains untouched in cold and warm storage.
Hot wallet private keys are protected by Shamir Secret Sharing: a key is mathematically split into N encrypted fragments, and recovery requires K of N (for example, 3 of 5). The fragments are stored in separate locations, and compromising any one of them is useless without the rest. The fragments themselves are processed inside AWS Nitro Enclaves — isolated computing environments inaccessible to the operating system and to administrators.
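The K-of-N split described above, as an added worked example (written for this article, not Phemex's or any vendor's implementation): Shamir's scheme over a prime field, splitting a constructed 256-bit key into 5 fragments of which any 3 recover it, while 2 recover only a wrong value. The field prime 2**255 - 19 and the sample key are assumptions; real fragments would additionally be encrypted at rest, which this example omits.

```python
import secrets

# Assumption: shares live in the prime field of 2**255 - 19 (any prime larger than the secret works).
P = 2**255 - 19

def _poly_eval(coeffs, x):
    # Horner evaluation of c0 + c1*x + ... + c_{k-1}*x^(k-1) mod P; c0 is the secret.
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split_secret(secret: int, k: int, n: int):
    # K-of-N split: a random degree-(k-1) polynomial with the secret as constant term,
    # evaluated at x = 1..n. Each (x, y) pair is one fragment for one storage location.
    if not (0 <= secret < P and 1 < k <= n):
        raise ValueError("secret out of field range or bad threshold")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    # Lagrange interpolation at x = 0 over any k distinct shares; fewer than k
    # shares interpolate a different polynomial and yield an unrelated value.
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

def demo():
    # Constructed 256-bit hot wallet key (not a real key), split 3 of 5 as in the article.
    key = int.from_bytes(bytes(range(32)), "big")
    shares = split_secret(key, 3, 5)
    any_three = recover_secret([shares[0], shares[2], shares[4]]) == key
    only_two = recover_secret(shares[:2]) == key   # below threshold: wrong value
    return any_three, only_two
```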
The custody infrastructure is reinforced by a partnership with Fireblocks, an institutional provider with a multi-party computation (MPC) custody model. MPC distributes cryptographic shares of a key across several protected environments. No single device and no single employee holds the full private key.
“On top of that, there is round-the-clock wallet monitoring: automated analysis of activity across all three tiers, tracking transaction frequency and size, recipient addresses and deviations from behavioral patterns. Suspicious transactions are paused automatically and flagged for manual review,” the team adds.
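To make the monitoring rules the team lists concrete, here is an added example (constructed for this article; the thresholds, wallet names and log are invented and are not Phemex's) that runs a frequency rule, a size-deviation rule and a recipient-novelty rule over a small constructed transfer log and returns, for each transfer, the rules that fired; a non-empty result is the pause-and-review verdict.

```python
from collections import defaultdict, deque
from statistics import median

# Constructed policy thresholds, not Phemex's actual ones.
WINDOW_SECONDS = 600          # sliding window for the frequency rule
MAX_TX_PER_WINDOW = 3         # attempts allowed per wallet within the window
SIZE_MULTIPLIER = 5.0         # amount above 5x the wallet's median recent size is anomalous
MIN_BASELINE = 5              # size rule only fires once this many cleared transfers are seen

class WalletMonitor:
    def __init__(self, known_recipients):
        self.known = set(known_recipients)      # grows only through manual review
        self.sizes = defaultdict(lambda: deque(maxlen=20))   # cleared amounts per wallet
        self.attempts = defaultdict(deque)      # timestamps of every attempt per wallet

    def check(self, tx):
        """Return the rule names that fired; an empty list means the transfer proceeds.
        Any non-empty list is a pause-and-review verdict."""
        wallet, ts, amount, to = tx["wallet"], tx["ts"], tx["amount"], tx["to"]
        reasons = []
        attempts = self.attempts[wallet]
        while attempts and ts - attempts[0] > WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) + 1 > MAX_TX_PER_WINDOW:
            reasons.append("frequency")
        baseline = self.sizes[wallet]
        if len(baseline) >= MIN_BASELINE and amount > SIZE_MULTIPLIER * median(baseline):
            reasons.append("size")
        if to not in self.known:
            reasons.append("new_recipient")
        attempts.append(ts)            # paused attempts still count toward frequency
        if not reasons:
            baseline.append(amount)    # only cleared transfers shape the size baseline
        return reasons

def demo():
    mon = WalletMonitor(known_recipients={"addr_cold_vault", "addr_market_maker"})
    # Constructed log: six routine transfers, then one large transfer to an unseen
    # address, then a burst that breaks the per-window limit.
    log = [{"wallet": "hot-1", "ts": 300 * i, "amount": 1.0 + 0.1 * (i % 3),
            "to": "addr_market_maker"} for i in range(6)]
    log += [
        {"wallet": "hot-1", "ts": 1800, "amount": 12.0, "to": "addr_unknown_9f"},
        {"wallet": "hot-1", "ts": 1810, "amount": 1.0, "to": "addr_market_maker"},
        {"wallet": "hot-1", "ts": 1820, "amount": 1.0, "to": "addr_cold_vault"},
    ]
    return {tx["ts"]: mon.check(tx) for tx in log}
```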
What Protects the Account
Account protection measures on Phemex are activated by the user. Only two-factor authentication is mandatory — for login, withdrawals, API key creation and security setting changes.
To raise account security further, a user can set up:
- an anti-phishing code — a text string shown in every legitimate email notification from the exchange. If the code is missing or doesn’t match, the message is a phishing attempt;
- a withdrawal address whitelist. This protects against a scenario where an attacker gains access to the account and tries to quickly send funds to a new address.
At the infrastructure layer, Phemex relies on Palo Alto Networks corporate firewalls, network segmentation (trading engines are separated from web servers, wallet infrastructure from public APIs) and globally distributed DDoS protection. According to the exchange’s data, uptime in 2025 reached 99.999%.
What the Stress Test Revealed
A breach is the strongest counterargument to any claim of “complete security.” In January 2025, Phemex’s internal monitoring detected anomalous activity in hot wallets. Within hours, Cyvers Alerts and PeckShield publicly reported suspicious transactions. Phemex fully suspended deposits and withdrawals across all networks.
The exchange covered all user losses from corporate reserves. Unlike Binance with its dedicated SAFU insurance fund, Phemex has no separate insurance pool — payouts come straight from the corporate balance sheet.
After the incident, the exchange rebuilt its custody system: introduced the three-tier architecture with the warm intermediate layer, dropped hot wallet share below 8%, added Fireblocks MPC and AWS Nitro Enclaves, and expanded address monitoring.
What to Consider Before Signing Up
Phemex remains a centralized exchange. Neither custody architecture nor a Proof-of-Reserves system makes a CEX functionally equivalent to self-custody in a cold wallet.
The exchange is registered as a Money Services Business (MSB) with FinCEN in the United States and holds a Virtual Asset Service Provider (VASP) license in Poland. For users from Russia, Belarus and Ukraine, restrictions apply on fiat operations — deposits and withdrawals through partner Legend Trading are unavailable.
Know Your Customer (KYC) verification is required for trading and withdrawals. Without it, only Phemex Academy materials are accessible. The check is run by Jumio and takes 2–5 minutes.
For more on Phemex’s functionality, see the March exchange review.
So, Is Phemex Safe?
The short answer: yes, if “safety” is understood in terms applicable to a CEX. After the breach, Phemex compensated users, rebuilt its custody system and made transparency the core of its public communication.
By spring 2026, the picture looks like this: nearly 130% combined PoR with monthly publication, public addresses for on-chain verification, over 70% of assets in cold wallets, multisig for critical operations.
Custodial risk is built into any CEX. The minimum account protection set includes two-factor authentication, anti-phishing codes and withdrawal whitelists. Regardless of an exchange’s reputation, large amounts are best stored outside it, on a hardware wallet.
