Investing | 01-10-2025 19:03

North Korean Hackers Steal $21M From SBI Crypto, Laundered via Tornado Cash

Japanese cryptocurrency company SBI Crypto has fallen victim to a $21 million hack that blockchain investigators have traced to suspected North Korean hackers.

The incident adds to a growing list of high-profile cyberattacks attributed to North Korea’s state-backed cyber units, which have stolen billions of dollars from the digital asset sector in recent years.

The breach was first flagged by blockchain analyst ZachXBT, who identified suspicious outflows from SBI Crypto wallet addresses on September 24, 2025.

Source: ZachXBT

SBI Crypto Theft Adds to $2.2B Stolen by North Korean Hackers in 2025

According to his analysis, approximately $21 million worth of cryptocurrency, including Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash, was drained from company-linked addresses.

The funds were routed through five instant exchanges before being deposited into Tornado Cash, a crypto mixer frequently associated with laundering operations.

On-chain records show that the compromised wallets, including addresses beginning with “0x40d7” and “bc1qx0a2k,” were systematically emptied and funneled through laundering channels.

Source: ZachXBT

ZachXBT noted that the tactics and digital fingerprints used in the SBI Crypto theft closely resemble other intrusions carried out by the Democratic People’s Republic of Korea (DPRK) cyber units, commonly known as the Lazarus Group.

SBI Crypto is a mining pool and wholly owned subsidiary of SBI Group, one of Japan’s largest financial services conglomerates. Despite the scale of the theft, SBI has not yet publicly disclosed the incident.

The use of Tornado Cash in the laundering process has drawn renewed scrutiny. The mixer was sanctioned by the U.S. Treasury in 2022 due to its role in processing illicit funds, including those linked to North Korea.

Earlier this year, however, a U.S. court lifted restrictions on the platform, sparking concerns that state-backed hackers would once again exploit the service to conceal stolen assets.

The SBI incident is the latest in a string of North Korea-linked cyberattacks targeting cryptocurrency exchanges, projects, and users. Data compiled by blockchain forensics firms show that North Korean hackers stole over $1.3 billion across 47 incidents in 2024 alone.

In the first half of 2025, they stole an estimated $2.2 billion, showing the growing sophistication and frequency of these operations.

North Korean Crypto Campaigns Expand From Hacks to Fraudulent Employment Schemes

Investigations into DPRK cyber campaigns have revealed that they extend far beyond hacking wallets and exchanges.

On August 13, ZachXBT published evidence of a covert North Korean employment scheme involving five operatives who posed as blockchain developers.

ZachXBT exposes 5 North Korean workers running 30+ fake identities to target crypto projects as anonymous source compromises DPRK IT worker devices, revealing $680K Favrr exploit. #NorthKorea #Lazarus https://t.co/ZmPCIZmVpW

— Cryptonews.com (@cryptonews) August 13, 2025

These operatives allegedly created more than 30 fake identities using government-issued identification, purchased Social Security numbers, and set up accounts on professional networks such as Upwork and LinkedIn.

Files obtained included meeting schedules with targeted projects, Google Drive exports, Telegram conversations, and expense spreadsheets listing purchases of VPNs, AI tools, and fake professional accounts.

One of the wallets linked to the fake developer ring was tied to the $680,000 exploit of the crypto project Favrr in June 2025, further connecting the group’s activities to financial crimes.

The exposure of these tactics has triggered heightened concern in the cryptocurrency sector. In several cases, projects discovered that developers and decision-makers in their teams were, in fact, North Korean operatives using false identities.

ZachXBT links North Korean IT workers to over 25 crypto hacks and extortion schemes beyond simple employment fraud. #NorthKorean #Crypto https://t.co/728cysIs5X

— Cryptonews.com (@cryptonews) September 25, 2025

While some companies, such as Kraken, have successfully identified and blocked suspected North Korean applicants, others have been less successful, with millions lost to fraudulent employment schemes and phishing attacks disguised as job offers.

Beyond employment fraud, North Korea has been linked to highly sophisticated malware campaigns. In June, cybersecurity firm Cisco Talos documented the “PylangGhost” campaign, in which Lazarus Group operatives created fake coding tests and video interview platforms designed to infect blockchain developers’ devices.

The malware targeted over 80 browser extensions, including popular crypto wallets like MetaMask and Phantom.

U.S. law enforcement has responded with seizures and arrests tied to DPRK-linked operations. In June, authorities confiscated $7.7 million in cryptocurrency allegedly earned through covert North Korean IT worker networks.

Earlier, the FBI dismantled fake companies such as Blocknovas LLC in South Carolina and Softglide LLC in New York, which had been set up to create legitimate corporate fronts for infiltration campaigns.

Binance founder @cz_binance issued urgent warnings about North Korean hackers infiltrating crypto companies through fake job applications, urging companies to 'screen candidates carefully.' #CZ #NorthKorean #Hackers https://t.co/jMdd2aYDjg

— Cryptonews.com (@cryptonews) September 18, 2025

Former Binance CEO Changpeng Zhao also issued a warning in September, stating that North Korean hackers were increasingly infiltrating crypto firms through fake job applications, bribery of contractors, and malware hidden in interview links.

As of press time, the stolen funds remain unaccounted for, and SBI Crypto has yet to issue a formal statement addressing the breach.
