Researchers uncovered one of the most technically sophisticated attacks in cryptocurrency history, exploiting Bybit’s Ethereum hot wallet infrastructure through a malicious proxy contract upgrade.
The breach, attributed to North Korea’s Lazarus Group via blockchain fingerprinting, resulted in the theft of 401,346.76 ETH (valued at $1.12 billion) through meticulously engineered delegatecall operations targeting Gnosis Safe’s multisig architecture.
Verichains reported that the attack vector centered on transaction hash 0x46dee, which manipulated Bybit’s hot wallet proxy contract (0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4).
Attackers initiated the exploit through a malicious implementation contract (0x96221423681a6d52e184d440a8efcebb105c7242), deploying a nested delegatecall structure.
This payload executed a seemingly benign transfer() function that overwrote slot0, the storage slot holding the proxy’s implementation address. The malicious contract’s decompiled code reveals the attack logic:
By modifying stor0, attackers replaced the legitimate GnosisSafe implementation (0x34cfac646f301356faa8b21e94227e3583fe3f5f) with their backdoored contract (0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516), gaining full control of the wallet.
Hacker EOA 0x0fa09c3a328792253f8dee7116848723b72a6d2e triggered the proxy upgrade via a 3-layer call stack:
Attackers exploited Safe{Wallet}’s compromised AWS-hosted UI to display legitimate transaction details while masking the proxy upgrade.
Signers approved what appeared as routine ETH transfers, unaware of the embedded SSTORE operation modifying slot0.
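The check a signer could have run on the payload before approving it, as an added example (not code from the article, Safe or Verichains): it decodes the ABI-encoded execTransaction() calldata and flags operation == 1 (DELEGATECALL), under which the target's code runs against the Safe proxy's own storage and can rewrite slot0, plus any target outside an allowlist. The attacker implementation address is the one named above; the token address, the encoder and the inner transfer() payload are constructed.

```python
# Pre-signing check for a Gnosis Safe execTransaction() payload (added example; not code from
# the article, Safe or Verichains). Flags operation == 1 (DELEGATECALL), under which the target's
# code runs against the Safe proxy's own storage (slot0 = implementation pointer), and unknown targets.
SELECTOR = bytes.fromhex("6a761202")   # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
CALL, DELEGATECALL = 0, 1
MALICIOUS_IMPL = "0x96221423681a6d52e184d440a8efcebb105c7242"   # implementation contract named in the article
TOKEN_PLACEHOLDER = "0x" + "11" * 20                             # constructed stand-in for a token contract

def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder for the 10-argument call; gas fields zero, signatures empty."""
    data_tail = len(data).to_bytes(32, "big") + _pad(data)
    sig_offset = 10 * 32 + len(data_tail)              # signatures tail follows the data tail
    head = [int(to, 16), value, 10 * 32, operation, 0, 0, 0, 0, 0, sig_offset]
    return SELECTOR + b"".join(w.to_bytes(32, "big") for w in head) + data_tail + bytes(32)

def _word(cd: bytes, i: int) -> int:
    return int.from_bytes(cd[4 + 32 * i:4 + 32 * (i + 1)], "big")
def decode_exec_transaction(calldata: bytes) -> dict:
    """Return to/value/data/operation from the calldata a signer is asked to approve."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction() call")
    data_off = 4 + _word(calldata, 2)
    data_len = int.from_bytes(calldata[data_off:data_off + 32], "big")
    return {"to": "0x" + calldata[16:36].hex(),        # address is right-aligned in word 0
            "value": _word(calldata, 1),
            "data": calldata[data_off + 32:data_off + 32 + data_len],
            "operation": _word(calldata, 3)}

def review(calldata: bytes, allowlist: set[str]) -> list[str]:
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code executes with the Safe's storage and can rewrite slot0")
    if tx["to"] not in {a.lower() for a in allowlist}:
        findings.append(f"target {tx['to']} is not an allowlisted contract")
    return findings

# Constructed inner payload: transfer(address,uint256) selector a9059cbb, recipient, 90 units of a 6-decimal token.
TRANSFER_CALL = bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(TOKEN_PLACEHOLDER[2:]) + (90 * 10**6).to_bytes(32, "big")
BENIGN = encode_exec_transaction(TOKEN_PLACEHOLDER, 0, TRANSFER_CALL, CALL)
DISGUISED = encode_exec_transaction(MALICIOUS_IMPL, 0, TRANSFER_CALL, DELEGATECALL)  # same "transfer", wrong context

if __name__ == "__main__":
    print("benign   :", review(BENIGN, {TOKEN_PLACEHOLDER}) or "no findings")
    print("disguised:", review(DISGUISED, {TOKEN_PLACEHOLDER}))
```

The inner data of both payloads is byte-identical, which is exactly what a UI showing only "transfer 90 tokens" would render; only the operation field and target distinguish them.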
Post-hijack, attackers executed:
Test Transaction: 90 USDT transfer to 0xbdd0…9516 (02/21 14:14:12 UTC)
Main Drain: 401k ETH transferred across 39 addresses in 15 minutes via optimized gas pricing.
Blockchain forensic firms, including TRM Labs and Elliptic, confirmed the attack’s signature matches Lazarus Group’s operational patterns:
Bybit’s LazarusBounty program has frozen $42.89M through coordinated efforts with Tether, Circle, and Avalanche. Technical recommendations include:
As of March 6, 2025, $1.23B has been recovered through OTC settlements and bridge loan facilities.
The incident underscores critical vulnerabilities in multisig wallet implementations, prompting Safe{Wallet} to mandate EIP-1271 signature validations for all contract upgrades.