North Korean Hackers Steal $21M from SBI Crypto Mining Pool

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

SBI Crypto, the cryptocurrency mining subsidiary of Japanese financial group SBI Holdings, lost roughly $21 million to attackers linked to North Korea. Blockchain investigator ZachXBT and security firm Cyvers detected suspicious outflows of Bitcoin, Ethereum, Dogecoin, Litecoin and Bitcoin Cash on September 24, 2025; the stolen funds were rapidly swapped through instant exchanges and deposited into the privacy mixer Tornado Cash, which the US Treasury sanctioned in August 2022 (the designation was lifted in March 2025 after a court ruling). ZachXBT reported that several indicators resemble earlier operations by the North Korean Lazarus Group. How the attackers gained access has not been disclosed, but the incident shows the exposure traditional financial institutions take on when they run crypto infrastructure that holds liquid funds in hot wallets.

Key Points

  • Hackers transferred stolen funds through five instant exchanges before depositing into Tornado Cash, a mixer the US Treasury sanctioned in 2022 and delisted in March 2025
  • The attack exhibits multiple technical similarities to previous exploits by the North Korean Lazarus Group, known for billion-dollar crypto heists
  • SBI Holdings has been expanding its crypto presence through Bitcoin ETFs and tokenized stocks, increasing its exposure to security threats

The $21 Million Heist: Timeline and Methodology

On September 24, 2025, blockchain investigator ZachXBT identified approximately $21 million in suspicious outflows from wallet addresses linked to SBI Crypto, the cryptocurrency mining subsidiary of the Japanese financial group SBI Holdings. The stolen funds comprised Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), Bitcoin Cash (BCH) and Ethereum (ETH). Simultaneous draining across five separate chains points to compromise of wallet keys or payout infrastructure shared across the pool's assets rather than a chain-specific bug, although no root cause has been published.

The attackers laundered the funds quickly, moving them through five instant exchanges before depositing them into Tornado Cash, a smart-contract mixer on Ethereum that the US Treasury sanctioned in 2022 for its role in obscuring illicit transactions. Each step serves a purpose: an instant exchange pays out from its own wallets, so the swap breaks on-chain continuity and an investigator needs the exchange's internal records to follow the funds further; the mixer then severs the link between the deposit and the eventual withdrawal address. Rapid, multi-hop movement of this kind is a hallmark of professional crypto theft operations and is designed to put the assets beyond recovery before the victim reacts.

Security firm Cyvers corroborated ZachXBT's findings, tracing the suspicious transactions from SBI Crypto addresses through the exchange hops to Tornado Cash. Neither investigator has published how the attackers obtained the ability to move funds, and SBI had not disclosed a root cause at the time of reporting; what the on-chain record shows is an operation executed quickly enough to avoid any intervention before the funds left the pool's wallets.
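The tracing described in this section (follow outflows from victim addresses hop by hop, and flag where they land in a labelled instant-exchange or mixer address) is easy to reproduce on a transfer list. The following Python is an added illustration and is not ZachXBT's or Cyvers' tooling; the ledger, addresses and labels are constructed placeholders, not real on-chain data. It enforces two checks a tracer needs: funds cannot leave an address before they arrived there (a transfer older than the arrival is ignored), and a deposit to an instant exchange is terminal, because the payout on the other side comes from the exchange's own wallet and cannot be linked without the exchange's records.

```python
"""Hop-by-hop tracing of stolen funds to labelled exchange or mixer addresses.

Constructed example: every address, txid and amount below is made up.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    txid: str
    asset: str      # e.g. "BTC", "ETH"
    src: str
    dst: str
    amount: float
    ts: int         # unix timestamp of the confirming block


# Address intelligence a tracer would load from its own lists (placeholders).
LABELS = {
    "eth:0xSWAP_A": "instant_exchange",
    "eth:0xSWAP_B": "instant_exchange",
    "btc:bc1qSWAP_C": "instant_exchange",
    "eth:0xTORNADO_100": "mixer",   # stands in for a known mixer pool contract
}

VICTIMS = ["btc:bc1qVICTIM", "eth:0xVICTIM"]
THEFT_TS = 1_000   # time the first unauthorised outflow was observed

# Constructed ledger. btc-0 predates the theft and must be ignored; eth-5 is a
# dust transfer looping back to an address already visited.
TRANSFERS = [
    Transfer("btc-0", "BTC", "btc:bc1qHOP1", "btc:bc1qOLD", 0.2, 900),
    Transfer("btc-1", "BTC", "btc:bc1qVICTIM", "btc:bc1qHOP1", 12.5, 1_000),
    Transfer("btc-2", "BTC", "btc:bc1qHOP1", "btc:bc1qSWAP_C", 12.4, 1_300),
    Transfer("eth-1", "ETH", "eth:0xVICTIM", "eth:0xHOP2", 300.0, 1_050),
    Transfer("eth-2", "ETH", "eth:0xHOP2", "eth:0xSWAP_A", 150.0, 1_200),
    Transfer("eth-3", "ETH", "eth:0xHOP2", "eth:0xHOP3", 150.0, 1_210),
    Transfer("eth-4", "ETH", "eth:0xHOP3", "eth:0xTORNADO_100", 100.0, 1_500),
    Transfer("eth-6", "ETH", "eth:0xHOP3", "eth:0xTORNADO_100", 100.0, 1_560),
    Transfer("eth-5", "ETH", "eth:0xHOP3", "eth:0xHOP2", 0.001, 1_600),
]


def build_index(transfers):
    """Map each source address to its outgoing transfers, oldest first."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    for lst in by_src.values():
        lst.sort(key=lambda t: t.ts)
    return by_src


def trace(transfers, sources, labels, start_ts=0, max_hops=8):
    """Breadth-first walk from the victim addresses.

    Returns one finding per transfer that lands on a labelled address. A
    labelled address is terminal: on-chain continuity ends at an exchange
    deposit or a mixer pool.
    """
    by_src = build_index(transfers)
    queue = deque((s, start_ts, []) for s in sources)   # (address, arrival, path)
    seen_tx = set()
    findings = []
    while queue:
        addr, arrived, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for t in by_src[addr]:
            if t.ts < arrived or t.txid in seen_tx:
                continue   # funds cannot leave before they arrived; no re-walks
            seen_tx.add(t.txid)
            new_path = path + [t.txid]
            label = labels.get(t.dst)
            if label:
                findings.append({
                    "label": label, "asset": t.asset, "address": t.dst,
                    "amount": t.amount, "path": new_path,
                    "hops": len(new_path), "elapsed_s": t.ts - start_ts,
                })
                continue
            queue.append((t.dst, t.ts, new_path))
    return findings


def summarize(findings):
    """Total amount per (label, asset); never sum across assets."""
    totals = defaultdict(float)
    for f in findings:
        totals[(f["label"], f["asset"])] += f["amount"]
    return dict(totals)


if __name__ == "__main__":
    for f in trace(TRANSFERS, VICTIMS, LABELS, start_ts=THEFT_TS):
        print(f"{f['label']:17} {f['asset']} {f['amount']:>8} via {'->'.join(f['path'])} "
              f"({f['hops']} hops, +{f['elapsed_s']}s)")
    print(summarize(trace(TRANSFERS, VICTIMS, LABELS, start_ts=THEFT_TS)))
```

Run against a real incident, the transfer list would come from a node or indexer and the label set from sanctions and exchange-deposit address lists; the `elapsed_s` column is what lets a monitoring system alert while funds are still at an exchange that can freeze them.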

The North Korean Connection: Lazarus Group Patterns

Blockchain investigator ZachXBT identified several technical indicators linking the SBI Crypto breach to previous attacks by North Korean hacking groups, specifically the notorious Lazarus Group. In his Telegram analysis, ZachXBT noted: ‘Interestingly, several indicators share similarities to other known DPRK attacks.’ The Lazarus Group has been responsible for cryptocurrency heists worth billions of dollars, targeting digital assets through sophisticated cyber operations.

The methodology employed in the SBI Crypto attack mirrors established Lazarus Group tactics, including the rapid movement of stolen funds through multiple exchanges and the subsequent use of decentralized mixers like Tornado Cash to launder proceeds. This pattern has become a signature approach for North Korean hackers, who have increasingly focused on cryptocurrency theft as a means of bypassing international sanctions and generating revenue for the regime.

The connection to North Korean operatives elevates the significance of this breach beyond ordinary cybercrime. Attribution to the Lazarus Group implies a state-sponsored operation with geopolitical implications, particularly given SBI Holdings' standing as a major Japanese financial group and its expanding cryptocurrency operations. The attack is another chapter in North Korea's ongoing campaign to fund the regime through digital asset theft.

SBI's Crypto Expansion and Security Vulnerabilities

SBI Holdings has been aggressively expanding its presence in the cryptocurrency ecosystem, recently beginning to offer Bitcoin ETFs and tokenized stocks to customers seeking crypto services. This strategy has made SBI one of Japan's largest cryptocurrency businesses, and at the same time has widened its attack surface. The $21 million mining pool breach illustrates the security challenges traditional financial institutions face when they take on custody of on-chain assets.

Mining pools such as SBI Crypto's are attractive targets because they accumulate block rewards from many chains and keep sizeable balances in hot wallets to pay out miners, so whoever controls the payout signing keys or the systems that drive them can drain the pool. The number of interconnected parties (miners, payout services, exchanges) multiplies the possible entry points. The specific weakness abused at SBI Crypto has not been identified publicly; the speed and breadth of the outflows are consistent with key or infrastructure compromise, but that remains an inference from on-chain behaviour rather than a confirmed finding.

The attack on SBI Crypto is part of a growing trend where hackers are targeting less secure components of the cryptocurrency ecosystem, including mining pools, exchanges, and blockchain bridges. These entities often manage significant asset concentrations but may lack the robust security measures of more established financial institutions, making them attractive targets for sophisticated hacking groups.

Tornado Cash: The Sanctioned Laundering Tool

The use of Tornado Cash in this heist highlights the ongoing challenge that privacy mixers pose to cryptocurrency security and regulation. The US Treasury sanctioned Tornado Cash in August 2022 for its role in laundering stolen funds, including Lazarus Group proceeds; the designation was removed in March 2025 after a federal appeals court held that the protocol's immutable smart contracts were not sanctionable property. The protocol consists of fixed-denomination pools: a depositor submits a cryptographic commitment along with a fixed amount, and later withdraws that amount to a fresh address by presenting a zero-knowledge proof that the withdrawal corresponds to some unspent deposit, without revealing which one. Because every deposit in a pool is the same size, the withdrawal cannot be tied to a particular deposit on-chain, which is exactly the link investigators rely on to follow stolen assets.

The legal consequences for Tornado Cash's developers are already significant. Co-founder Roman Storm was tried in 2025 on charges of conspiracy to commit money laundering, conspiracy to violate sanctions and conspiracy to operate an unlicensed money-transmitting business; in August 2025 a jury convicted him on the money-transmitting count and deadlocked on the other two. The protocol's continued use by groups like Lazarus shows the persistent difficulty that immutable, decentralized privacy tools present to law enforcement, since the contracts keep running regardless of what happens to their authors.

For victims like SBI Crypto, the deposit of stolen funds into Tornado Cash usually means little chance of recovery. Once assets enter the pool, the on-chain link to the theft is broken; timing and amount heuristics can sometimes suggest likely withdrawals, and exchanges that receive post-mixer funds may flag them, but that rarely yields the funds themselves. The practical windows for intervention are earlier: alerting on unauthorised outflows while the funds are still at the first hops, and asking instant exchanges to freeze deposits before they are swapped. That reality underscores the importance of preventive controls for operations that hold large hot-wallet balances, such as withdrawal limits, multi-party approval for payouts and monitoring of the payout path.

Industry Implications and Unanswered Questions

The SBI Crypto breach represents a significant escalation in the targeting of traditional financial institutions’ cryptocurrency operations. As more established financial groups like SBI Holdings expand into digital assets, they become increasingly attractive targets for sophisticated hacking groups, particularly state-sponsored actors like the North Korean Lazarus Group. This incident serves as a stark warning to other financial institutions considering similar crypto expansions.

Notably, SBI Holdings has yet to officially acknowledge the breach at the time of reporting, raising questions about transparency and disclosure protocols in the cryptocurrency industry. The silence from Japan’s largest financial group contrasts with the detailed public analysis provided by independent blockchain investigators, highlighting the ongoing tension between corporate privacy concerns and industry transparency in addressing security incidents.

The $21 million heist from SBI Crypto underscores the evolving security landscape facing the cryptocurrency industry as it matures and attracts traditional financial players. With North Korean hackers demonstrating continued capability to breach major institutions, the incident emphasizes the urgent need for enhanced security protocols, international cooperation in combating state-sponsored crypto crime, and robust regulatory frameworks to protect digital assets in an increasingly interconnected financial ecosystem.
