On January 23, 2025, Phemex lost over $70 million in an attack by the Lazarus Group on its hot wallets. A month later, the same group breached Bybit, resulting in losses of $1.5 billion.
The increasing activity of cybercriminals is prompting traders to reassess the balance between centralized and decentralized services. The Phemex team shared with ForkLog how the exchange has strengthened its security following the breach.
Back to CEX from DeFi?
Any centralized exchange (CEX) involves delegated storage of private keys. Users trade control for convenience and accept the risks associated with potential misconduct by the exchange's management and possible external attacks on hot wallets.
DeFi services are the alternative to CEXs. The comparison covers not only DEXs and perp-DEXs but also lending protocols and liquid staking, since most centralized exchanges have long expanded beyond trading into a wide range of financial products.
April 2026 became the worst month for DeFi protocols in recent years. On April 1, hackers attacked Drift Protocol, causing $280 million in damages. The incident was linked to the TraderTraitor group, a subdivision of the Lazarus Group responsible for the hacks on Bybit and Phemex.
Two weeks later, the attackers struck the Kelp protocol, stealing $293 million in rsETH tokens, which were then used as collateral for loans in Aave. This triggered a mass withdrawal of deposits from the largest lending protocol: according to Standard Chartered, users withdrew $17 billion, and the number of active loans decreased by $5.5 billion.
The attacks did not stop there. On April 22, hackers compromised the Volo liquid staking platform on Sui, stealing $3.5 million. On April 27, they attacked the Scallop lending platform on the same blockchain. On April 28, three projects were affected: the cross-chain network ZetaChain ($334,000), the Ethereum infrastructure project Syndicate ($330,000), and the Aftermath Finance exchange on Sui ($900,000). On April 30, attackers breached the Wasabi protocol, causing damages exceeding $5 million.
Many investors holding stablecoins and Ethereum in "trusted" protocols like Aave and Lido began withdrawing their capital. However, not all were willing to forgo additional yield: some users switched to Earn products and returned to trading on centralized exchanges.
In recent years, CEXs have strengthened their security in three key areas:
- Proof-of-Reserves (PoR) — cryptographic proof that the exchange holds assets covering its obligations to clients. This became the de facto standard after the collapse of FTX in November 2022;
- multi-tier storage — separating funds into cold, warm, and hot wallets using multi-signature;
- compensation mechanisms — exchanges have started creating insurance funds for unforeseen circumstances.
Phemex builds trust at the intersection of these three elements. Let's break down what each entails.
Proof-of-Reserves
Phemex was one of the first centralized exchanges to launch Proof-of-Reserves based on Merkle trees on November 21, 2022 — just ten days after the FTX collapse. Initially, the mechanism covered reserves in Bitcoin, Ethereum, USDT, and USDC. By May 2026, the list expanded to 11 assets, including TRX, BNB, XRP, SOL, SUI, and AVAX.
Reports are published monthly. As of May 2026, the overall coverage ratio was 129.75% — reserves exceeded the exchange's obligations to clients. This creates a buffer for extreme market scenarios or operational failures.
Source: Phemex.
"Reserve data should be regularly updated and easily verifiable by users. Monthly publication of Proof-of-Reserves turns this principle into an operational standard. For us, 'user first' means that traders receive information for independent assessment of the platform, rather than having to take our word for it," said Phemex CEO Federico Variola.
The Merkle tree allows users to verify the inclusion of their balance in the overall snapshot without revealing the data of other clients.
"Client balances are hashed in pairs, then the hashes are hashed in pairs again — and so on until a single value (the Merkle root) is obtained. Changing any balance by even 1 satoshi completely alters the root. To ensure that their own funds are accounted for, a user copies the Hashed Client ID from their personal account and verifies it on the Proof-of-Reserves page," Phemex explains.
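The inclusion check the quote describes, as an added Python example that is not Phemex's code: the leaf encoding `id:balance`, SHA-256, and duplicating an odd last node are assumptions, since the exchange's exact tree format is not given here.

```python
import hashlib
from typing import List, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(hashed_client_id: str, balance_sats: int) -> bytes:
    # Leaf commitment to one client's balance. The "id:balance" encoding is an
    # assumption for this example; Phemex's real leaf format is not published here.
    return sha256(f"{hashed_client_id}:{balance_sats}".encode())

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    # Hash pairs upward until one root remains; an odd node is paired with a copy of itself.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, str]]:
    # Sibling hashes from leaf to root, each tagged with the side it sits on.
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof

def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    # What a client runs: recompute the path using only their own leaf and the published siblings.
    h = leaf
    for sibling, side in proof:
        h = sha256(sibling + h) if side == "left" else sha256(h + sibling)
    return h == root

# Constructed snapshot: hashed client IDs and BTC balances in satoshis (not real data).
SNAPSHOT = [("h1a2", 150_000_000), ("b3c4", 2_500_000), ("d5e6", 80_000_000),
            ("f7a8", 1), ("c9d0", 42_000_000)]

if __name__ == "__main__":
    levels = build_tree([leaf_hash(cid, bal) for cid, bal in SNAPSHOT])
    proof = inclusion_proof(levels, 3)   # client "f7a8" checks their own balance
    print(verify_inclusion(leaf_hash("f7a8", 1), proof, levels[-1][0]))   # True
```

Changing any single balance, even by one satoshi, produces a different root, so a proof built against the published root fails for the altered leaf.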
Some addresses of the exchange's cold wallets are public. Any user can check balances through the explorers of the respective networks.
Where User Assets Are Held
Phemex uses a three-tier storage system:
- cold wallets — over 70% of client funds. Private keys are completely isolated from the internet. Each transaction requires approval from multiple independent signers, who are physically distanced from each other. All transfers are processed manually after multiple verifications;
- warm wallets — about 20% of assets. A secure bridge between cold and hot storage. Limited volume for liquidity management without direct internet access;
- hot wallets — less than 8% of funds. Responsible for operational deposits and withdrawals. Even in the event of a complete compromise of hot wallets, over 90% of capital remains untouched in cold and warm storage.
The private keys of hot wallets are protected by Shamir's secret sharing scheme: the key is mathematically divided into N encrypted fragments, and K out of N (for example, 3 out of 5) are needed for recovery. The fragments are stored in different locations, and compromising one is useless without the others. The fragments themselves are processed within AWS Nitro Enclaves — isolated computing environments inaccessible to the operating system and administrators.
The custodial infrastructure is enhanced through a partnership with Fireblocks — an institutional provider using an MPC storage model. This technology distributes cryptographic shares of the key among several secure environments. No single device or employee holds the complete private key.
"Additionally, there is 24/7 wallet monitoring: automatic analysis of activity across all three levels, tracking transaction frequency and size, recipient addresses, and deviations from behavioral patterns. Suspicious transactions are automatically paused and sent for manual review," Phemex adds.
What Protects the Account
Phemex's account protection measures are activated by the user. Only two-factor authentication is mandatory for logging in, withdrawing funds, creating API keys, and changing account settings.
Additionally, users can enable:
- an anti-phishing code — a string of text displayed in all legitimate email notifications from the exchange. If the code is missing or does not match, it indicates phishing;
- a withdrawal address whitelist. This protects against situations where an attacker gains access to the account and attempts to quickly transfer funds to a new address.
At the infrastructure level, Phemex utilizes corporate firewalls from Palo Alto Networks, network segmentation (trading engines are separated from web servers, wallet infrastructure from public APIs), and globally distributed DDoS protection. According to the exchange's data, uptime for 2025 was 99.999%.
What the Stress Test Revealed
A hack is the main argument against any claim of "complete security." In January 2025, Phemex's internal monitoring detected abnormal activity in hot wallets. Within hours, Cyvers Alerts and PeckShield publicly reported suspicious transactions. Phemex completely suspended deposits and withdrawals across all networks.
The exchange compensated users for their losses from corporate reserves. Unlike Binance, which has a separate insurance fund, Phemex does not maintain a dedicated insurance pool — payouts come from the corporate balance.
After the incident, the exchange restructured its storage system: it implemented a three-tier architecture with a warm intermediate layer, reduced the share of hot wallets to less than 8%, added Fireblocks MPC and AWS Nitro Enclaves, and expanded address monitoring.
What to Consider Before Registering
Phemex remains a centralized exchange. No storage architecture or PoR makes a CEX functionally equivalent to self-custody of assets in a cold wallet.
The exchange is registered as an MSB with FinCEN and holds a VASP license in Poland. For users from Russia, Belarus, and Ukraine, there are restrictions on fiat operations — deposits and withdrawals through partner Legend Trading are unavailable.
The KYC procedure is mandatory for trading and withdrawals. Without verification, access is limited to Phemex Academy materials. Verification is conducted by Jumio and takes two to five minutes.
For more details on the platform's functionality, read the Phemex review on ForkLog.
So, Is Phemex Safe?
The short answer is yes, if "safety" is understood in the sense that applies to a CEX. Phemex compensated users for losses after the hack, restructured its storage system, and made transparency a core aspect of its public communication.
By spring 2026, this looks like: around 130% total PoR with monthly publication, public addresses for on-chain verification, over 70% of assets in cold wallets, and multi-signature for critical operations.
Custodial risk is an inherent feature of any CEX. The minimum account protection includes two-factor authentication, an anti-phishing code, and a withdrawal address whitelist. Regardless of the exchange's reputation, it is advisable to store large sums outside the exchange, on a hardware wallet.
