Introduction
Japanese mining giant SBI Crypto has suffered a sophisticated $21 million theft linked to North Korean state-sponsored hackers, marking another major crypto heist in a year in which DPRK-backed groups have stolen over $1.8 billion. Blockchain researcher ZachXBT identified the October 1 breach, which involved Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash; the funds were quickly routed through instant exchanges before entering the privacy mixer Tornado Cash, highlighting the growing sophistication of North Korea's crypto theft operations.
Key Points
- North Korean hackers have stolen $1.8 billion from crypto markets in 2024 alone, exceeding 2023's $1.3 billion total
- SBI Crypto ranks as the 12th largest Bitcoin mining pool globally with 20 EH/s hash power and controls 21% of Bitcoin Cash network computing share
- Stolen funds were laundered through five instant exchanges before entering Tornado Cash, a privacy mixer frequently used to obscure illicit crypto transactions
The Sophisticated Attack and Money Laundering Trail
The security breach at SBI Crypto unfolded with precision timing and sophisticated laundering techniques that have become hallmarks of North Korean cyber operations. Blockchain researcher ZachXBT identified unusual outflows from the Japanese mining pool operator on October 1, revealing the theft involved multiple cryptocurrencies including Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. The attackers moved quickly to obscure their tracks, routing the stolen funds through five different instant exchanges before funneling them into Tornado Cash, a mixing service widely used to disguise digital asset flows and complicate forensic tracing.
The $21 million theft represents more than just another crypto hack: it demonstrates the evolving methodology of state-sponsored attackers. By using instant exchanges and privacy mixers in rapid succession, the perpetrators created multiple layers of obfuscation that challenge conventional blockchain analysis. Despite the scale of the breach and its clear connection to North Korean operations, SBI Crypto has maintained radio silence, releasing no official statement about the attack or its implications for user funds and mining operations.
North Korea's Escalating Crypto Theft Campaign
The SBI Crypto breach fits squarely within North Korea’s intensifying focus on cryptocurrency exploits as international sanctions continue to restrict the regime’s access to traditional financial systems. This strategic shift has yielded staggering results, with DPRK-backed attackers siphoning over $1.8 billion from crypto markets in 2024 alone—a significant increase from the $1.3 billion attributed to them the previous year. This 38% year-over-year growth underscores Pyongyang’s growing reliance on blockchain-based thefts as critical revenue streams.
North Korean hackers have targeted major crypto platforms with increasing frequency and success. Beyond the SBI Crypto incident, DPRK-backed groups have executed high-profile attacks on exchanges including Bybit, DMM Bitcoin, and WazirX, demonstrating both the breadth of their targeting and the sophistication of their techniques. The consistent pattern across these attacks, rapid fund movement through multiple channels followed by mixing services, suggests a coordinated, well-resourced operation rather than isolated criminal activity.
SBI Crypto's Market Position and Operational Impact
SBI Crypto operates as a critical component of SBI Group, Japan’s largest digital asset conglomerate, with substantial mining operations across multiple blockchain networks. According to data from MiningPoolStats, the company ranks as the 12th largest Bitcoin mining pool globally with approximately 20 EH/s in hash power. Records indicate the pool was actively producing blocks less than a day before the breach came to light, suggesting the attack did not immediately disrupt its core mining operations.
The company maintains an even more dominant position on the Bitcoin Cash network, controlling over 21% of its computing share with 900.67 PH/s. Blocks were last mined on that chain just hours before the incident was identified, indicating the attackers may have timed their operation to coincide with periods of high activity. SBI Crypto also operates smaller mining ventures on the Litecoin network with 3.92 TH/s, having most recently found a block two days prior to the breach discovery.
The timing of the attack relative to SBI Crypto’s mining activities raises questions about potential insider knowledge or sophisticated surveillance of the company’s operations. The fact that blocks were being produced across multiple chains in close proximity to the theft suggests the attackers either carefully planned their operation around the company’s activity patterns or had access to internal scheduling information. This level of operational intelligence aligns with state-sponsored capabilities rather than typical criminal hacking groups.