Phemex Hack update: 19.02
23.01.2025
19.02 update
On 19 February the hacker transferred 2,080.66 ETH to 14 new addresses, leaving 4,027 ETH sitting in the wallet (see Img. 3).
© Global Ledger 2025
Email: support@glprotocol.com | Website: globalledger.io
Information in this document is for internal use only and can be disclosed only under Global Ledger written permission
Img 3. Visualization of the ETH movement on 19.02
Hacker Wallet 1 received a total of 601.34 ETH, which was immediately sent to Across Protocol (see Img. 4).
Img 4. Visualization of the ETH movement from Hacker Wallet 1 to Across Protocol
The hacker used this cross-chain bridge to transfer all the wrapped ETH to his address on the Arbitrum network, then exchanged it for USDT on Wintermute and sent it to Bitget Wallet (see Img. 5).
Img 5. Visualization of the WETH movement from Across Protocol to Hacker Wallet on ARB
Hacker Wallet 2 received a total of 167.84 ETH, which in turn was transferred to 6 other addresses.
Shortly afterwards, all of the ETH except for 2.843 ETH remaining in wallet 0x5c908b9721a5653c0dde2b80d125c66ffee99da1 was transferred to the eXch mixing service (see Img. 6).
Img 6. Visualization of the ETH movement from Hacker Wallet 2 to eXch
Hacker Wallet 3 received 161.62 ETH and in the same way directed it to 6 intermediary wallets and then to eXch, this time in full (see Img. 7).
Img 7. Visualization of the ETH movement from Hacker Wallet 3 to eXch
Hacker Wallet 4 received 167.73 ETH and, this time using only 5 intermediary wallets, used the same eXch platform for money laundering (see Img. 8).
Img 8. Visualization of the ETH movement from Hacker Wallet 4 to eXch
Hacker Wallet 5 received a total of 196.79 ETH, combined it with other funds at another address, swapped everything for 629,591 USDC on the OKX Web3 platform and sent it to the DLN Trade protocol for further laundering (see Img. 9).
These funds were bridged to the hacker’s Solana address and eventually, via a series of intermediate addresses, to deBridge Finance.
Img 9. Visualization of the ETH movement from Hacker Wallet 5 to eXch
Hacker Wallet 6 received a total of 195.08 ETH and quickly sent it all to the Tornado Cash privacy protocol via two intermediate wallets (see Img. 10).
A small portion of the ETH was aggregated in another wallet, where it remains unspent.
Img 10. Visualization of the ETH movement from Hacker Wallet 6 to Tornado Cash
Hacker Wallet 7 received 166.54 ETH and sent all of the funds to eXch via 6 intermediate wallets (see Img. 11).
Img 11. Visualization of the ETH movement from Hacker Wallet 7 to eXch
Hacker Wallet 8 received 89.36 ETH and Hacker Wallet 9 received 151.73 ETH, 73.82 ETH of which they funneled via a shared address to eXch, while 102.77 ETH remains unspent in three other wallets.
A small portion of the funds went to a ChangeNOW wallet (see Img. 12).
Img 12. Visualization of the ETH movement from Hacker Wallet 8 and 9
Hacker Wallet 10 received 214.26 ETH, all of which was swapped for 60,716,757.51 SPX6900 tokens that currently remain unspent in the same wallet (see Img. 13).
Img 13. Visualization of the ETH movement from Hacker Wallet 7 to eXch
Hacker Wallet 11 received 108.5 ETH, the majority of which was directed to OKX Bridge and Mayan Finance, bridged to a Solana address and, in the same way as with Hacker Wallet 5, sent via a series of intermediate addresses to deBridge Finance. A small portion was sent to a CoinEx deposit address (see Img. 14).
Img 14. Visualization of the ETH movement from Hacker Wallet 11 to OKX Bridge and CoinEx
Hacker Wallet 12 received 53.77 ETH.
32.41 ETH went to eXch, while 21.36 ETH went to THORchain (see Img. 15).
After being bridged to Bitcoin, 0.6043 BTC was then sent to an OKX deposit address.
Img 15. Visualization of the ETH movement from Hacker Wallet 12 to THORchain and eXch
Hacker Wallet 13 received 26.8 ETH, all of which went to eXch via one intermediate address (see Img. 16).
Img 16. Visualization of the ETH movement from Hacker Wallet 13 to eXch
Hacker Wallet 14 received 445.43 ETH, of which ~200 ETH went to eXch via 4 intermediate addresses, while the remaining three wallets hold their funds unspent (see Img. 16).
Img 16. Visualization of the ETH movement from Hacker Wallet 14 to eXch
Tornado Cash counterparty report results for 2025
Since the beginning of 2025, Tornado Cash has received 34,020.8600 ETH, or around $91,5M.
Around 40% of those funds (13 608 ETH or around $36,6M) came from hacks between Jan 1 and Feb 18 2025.