
SBI Crypto, the digital asset subsidiary of Japan’s SBI Group, has reportedly suffered a $21 million hack, with investigators pointing to North Korean-linked actors as the likely culprits.
On Oct. 1, blockchain sleuth ZachXBT, working alongside security firm Cyvers, revealed that the platform was drained on Sept. 24. The stolen funds included Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Dogecoin (DOGE), and Bitcoin Cash (BCH). According to the investigation, the attackers routed the funds through five instant exchanges before depositing them into Tornado Cash, a crypto mixer already sanctioned for its role in laundering illicit funds.
Suspicions of DPRK involvement
While SBI Crypto has not issued a statement, the laundering methods used strongly resemble those tied to previous North Korean campaigns. Investigators noted multiple similarities with the laundering strategies of the Lazarus Group, a state-sponsored hacking collective accused of siphoning billions from the global crypto industry.
SBI Crypto operates under SBI VC Trade Co., Ltd., part of the publicly traded SBI Group, one of Japan’s largest financial conglomerates. Its established reputation in both traditional and digital finance highlights the growing vulnerability of regulated institutions to sophisticated, state-level cyberattacks.
Part of a larger DPRK campaign
This incident echoes a broader pattern. Chainalysis data shows North Korean hackers stole $1.34 billion in 2024 alone, accounting for more than 60% of total funds stolen from crypto exchanges worldwide. In 2025, the Lazarus Group has already been linked to major breaches, including the $1.5 billion Bybit hack earlier this year.
Western intelligence agencies warn that these stolen assets are used to finance North Korea’s nuclear and weapons programs, making such cyberheists not just financial crimes but international security threats.
With SBI Crypto yet to acknowledge the breach, questions remain about the scope of the theft, client exposure, and potential regulatory fallout. For now, all evidence suggests another high-profile strike in Pyongyang’s ongoing digital offensive.