
North Korean Hackers Suspected in $21 Million Crypto Heist from SBI Crypto

North Korean state-sponsored hackers are suspected of stealing approximately $21 million in cryptocurrency from the Japanese company SBI Crypto, in an attack that came to light last week. Blockchain investigators traced a series of unauthorized transfers on September 24 from wallets linked to SBI Crypto – a Tokyo-based cryptocurrency mining pool under financial giant SBI Group – marking the latest high-profile crypto heist attributed to Pyongyang’s cybercrime apparatus[1][2]. The incident underscores growing concerns that North Korea’s hacking units, notably the Lazarus Group, are intensifying their targeting of the crypto industry to evade sanctions and fund the regime’s programs.

According to blockchain sleuth ZachXBT, the stolen assets included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash, which were siphoned from SBI Crypto’s wallets in a quick succession of transactions[3]. The thieves then laundered the funds through at least five “instant exchange” swap services before depositing the crypto into Tornado Cash, a decentralized mixing platform that obscures transaction trails[2]. Tornado Cash – which had been sanctioned by U.S. authorities for its frequent use in money laundering – allows users to commingle cryptocurrency deposits and withdraw them to new addresses, making it difficult for investigators to trace the money’s origin[4]. Investigators say this laundering method closely mirrors techniques used in past North Korean crypto hacks, where stolen coins are rapidly funneled through exchange hops and mixers to break any transparent blockchain links[5].

While SBI Crypto has not publicly confirmed the breach, evidence of the $21 million outflow was flagged by external analysts monitoring its on-chain wallet activity. “Several indicators share similarities to other known DPRK attacks,” ZachXBT wrote on his Telegram channel, suggesting the well-known Lazarus Group may have orchestrated the theft[6]. He noted that SBI Crypto had yet to disclose the incident as of this week[7]. SBI Group – one of Japan’s largest financial institutions – did not respond to media requests for comment on the hack[8]. Independent security outlet Protos reported no evidence that SBI informed its pool members of the missing funds, which were allegedly drained more than a week ago[9].
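The two defensive techniques the previous paragraphs describe, flagging an unusual burst of outflows from a monitored hot wallet and then following the funds forward through swap hops until they reach a labelled mixer, are easy to misjudge from prose alone, so here is an added illustration. It is example code written for this page, not anything from SBI Crypto, ZachXBT or any forensics vendor, and every address, label, timestamp and dollar value in it is constructed. Real tracing also has to reconcile asset prices, exchange rates and chain-specific transaction formats, which the example assumes have already been normalised into the `Transfer` records.

```python
"""Constructed example: burst-outflow alerting on watched wallets, followed by a
forward hop trace to labelled addresses (instant exchanges, mixers)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int            # block time, unix seconds (constructed)
    asset: str         # ticker of the asset moved
    src: str           # sending address (placeholder label, not a real address)
    dst: str           # receiving address (placeholder label, not a real address)
    amount_usd: float  # value at transfer time, assumed already normalised to USD


# Constructed sample data: addresses, labels and values are placeholders.
WATCHED = {"pool_hot_btc", "pool_hot_eth", "pool_hot_ltc"}
LABELS = {"swap_a": "instant-exchange", "swap_b": "instant-exchange", "mixer_x": "mixer"}
SAMPLE = [
    Transfer(1000, "BTC", "pool_hot_btc", "attacker_1", 9_000_000),
    Transfer(1030, "ETH", "pool_hot_eth", "attacker_2", 7_000_000),
    Transfer(1045, "LTC", "pool_hot_ltc", "attacker_3", 5_000_000),
    Transfer(1200, "BTC", "attacker_1", "swap_a", 9_000_000),
    Transfer(1300, "ETH", "swap_a", "swap_b", 8_900_000),
    Transfer(1400, "ETH", "swap_b", "mixer_x", 8_800_000),
    Transfer(50000, "BTC", "pool_hot_btc", "miner_payout_1", 1_200),  # routine payout
]


def burst_outflows(transfers, watched, window_s=600, min_total_usd=1_000_000, min_assets=2):
    """Alert when watched wallets send >= min_total_usd across >= min_assets
    within window_s seconds. Each burst produces exactly one alert."""
    outs = sorted((t for t in transfers if t.src in watched), key=lambda t: t.ts)
    alerts, i = [], 0
    while i < len(outs):
        group = [t for t in outs[i:] if t.ts - outs[i].ts <= window_s]
        total = sum(t.amount_usd for t in group)
        assets = sorted({t.asset for t in group})
        if total >= min_total_usd and len(assets) >= min_assets:
            alerts.append({"start_ts": outs[i].ts, "total_usd": total,
                           "assets": assets, "transfers": group})
            i += len(group)  # skip past the burst so it is not re-alerted
        else:
            i += 1
    return alerts


def trace_forward(transfers, start_transfers, labels, max_hops=5):
    """Breadth-first walk from each flagged transfer's recipient, following only
    later transfers, and record every path that lands on a labelled address."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    hits = []
    for start in start_transfers:
        queue = deque([(start.dst, [start.dst], start.ts, 0)])
        seen = {start.dst}
        while queue:
            addr, path, since, hops = queue.popleft()
            if hops >= max_hops:
                continue
            for t in by_src[addr]:
                if t.ts < since:  # funds cannot leave before they arrived
                    continue
                nxt_path = path + [t.dst]
                if t.dst in labels:
                    hits.append((labels[t.dst], nxt_path))
                if t.dst not in seen:
                    seen.add(t.dst)
                    queue.append((t.dst, nxt_path, t.ts, hops + 1))
    return hits


def investigate(transfers=SAMPLE, watched=WATCHED, labels=LABELS):
    """Combine both steps into a report: one entry per burst, with the hop paths."""
    report = []
    for alert in burst_outflows(transfers, watched):
        hits = trace_forward(transfers, alert["transfers"], labels)
        report.append({"start_ts": alert["start_ts"], "total_usd": alert["total_usd"],
                       "assets": alert["assets"],
                       "reached_mixer": any(kind == "mixer" for kind, _ in hits),
                       "paths": hits})
    return report


if __name__ == "__main__":
    for entry in investigate():
        print(f"burst at t={entry['start_ts']}: ${entry['total_usd']:,.0f} "
              f"in {entry['assets']}, mixer reached: {entry['reached_mixer']}")
        for kind, path in entry["paths"]:
            print(f"  {kind}: {' -> '.join(path)}")
```

On the constructed data the routine miner payout never trips the alert, because it is a single small transfer in one asset, while the three large multi-asset transfers within a few minutes do; the trace then shows the flagged coins passing through two swap hops before landing at the mixer label, which is the shape of the laundering chain the article describes. In practice the labels come from a curated address database and the window and thresholds are tuned against the pool's normal payout cadence.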

How the attack was carried out remains the subject of ongoing investigation. Technical details of the intrusion have not been released, but the operation’s sophistication suggests a targeted cyber-penetration rather than a simple theft. In similar cases, North Korean hackers have employed social engineering and malware to breach crypto companies’ defenses. In one notable example from May 2024, Lazarus operatives posing as recruiters on LinkedIn tricked an employee of a Japanese crypto firm into running malicious code – a ploy that allowed the hackers to hijack internal systems and steal about $308 million from the exchange DMM Bitcoin[10][11]. The FBI, in a joint investigation with Japanese authorities, said the Lazarus hackers (tracked under the codename “TraderTraitor”) used the fake job test scam to gain the employee’s credentials, then exploited a blind-signing vulnerability to execute unauthorized large withdrawals[12]. Security experts caution that Lazarus and affiliated groups are known for such spear-phishing campaigns, often targeting multiple employees to find a single weak point. Although it is not yet confirmed how SBI Crypto’s systems were breached, the attack’s timing and laundering pattern “share the hallmarks” of North Korea’s tactics, ZachXBT observed[5].

Law enforcement agencies in Japan and abroad are likely probing the SBI Crypto heist. The incident comes amid intensified international efforts to crack down on North Korea’s cyber-financed revenue streams. U.S. officials have repeatedly warned that Pyongyang’s hackers are stealing digital assets to bankroll the isolated nation’s weapons programs in defiance of sanctions. Just days ago, the FBI publicly accused North Korean-linked hackers of perpetrating a separate record-breaking $1.5 billion cryptocurrency theft from a Dubai-based exchange – one of the largest crypto heists on record[13]. The FBI said the hackers rapidly converted much of that haul into Bitcoin and other tokens across “thousands of addresses on multiple blockchains,” a laundering strategy designed to obscure the funds’ path to cash[14]. South Korea’s intelligence agency estimates that North Korea has stolen around $1.2 billion in cryptocurrency over the past five years, providing an important source of foreign currency for Pyongyang’s fragile economy and nuclear weapons development[15]. A United Nations panel of experts separately reported investigating dozens of North Korean cyberattacks between 2017 and 2023 that netted as much as $3 billion for the regime’s illicit finance efforts[16].

The SBI Crypto breach highlights how North Korea’s cyber warfare units continue to menace the cryptocurrency industry on a global scale. In recent years, Lazarus Group and its affiliates have been linked to billions of dollars in digital asset thefts, ranging from cryptocurrency exchanges and DeFi platforms to online casinos and now a mining service[17]. Typically, the stolen funds are laundered through decentralized mixers like Tornado Cash despite international sanctions and arrests aimed at curbing their use[17][18]. “TraderTraitor actors are proceeding rapidly,” the FBI said in an alert, describing how North Korean hackers convert pilfered crypto into other cryptocurrencies and ultimately into fiat currency via a complex web of wallets[14][19]. The U.S. Department of Justice has alleged that Tornado Cash was used to launder over $1 billion in illicit crypto proceeds – including funds from Lazarus hacks – before the mixer was hit with sanctions in 2022[20]. (Those U.S. sanctions were later challenged in court, and Tornado Cash usage plunged by 90% as its services came under scrutiny[20].)

SBI Crypto is a subsidiary of SBI Holdings, a major Japanese financial conglomerate known for its investments in both traditional finance and digital asset ventures. The mining unit ranks among the world’s top Bitcoin mining pools, contributing roughly 6% of Bitcoin’s total network hashrate over the past year[21]. The $21 million loss represents a mix of both customer mining rewards and corporate funds, given that the pool’s wallets handle operational reserves, miner payouts, and other services. It is not yet clear whether the theft will affect payouts to individual miners or other business operations at SBI Crypto[22]. In a statement last year, SBI Holdings affirmed that security is a top priority and that it works closely with law enforcement on cyber defense – a stance likely to be tested by this incident. Japanese regulators, including the Financial Services Agency (FSA) and National Police Agency, have been urging domestic crypto firms to bolster safeguards amid a surge in North Korean hacking activity. Earlier this year, Japan’s police and the U.S. FBI jointly issued an alert about TraderTraitor (Lazarus) targeting Japanese crypto companies via phishing emails and malware, after pinning the $308 million DMM Bitcoin hack on the North Korean group[23][24].

As investigations continue, the SBI Crypto hack adds to a growing list of audacious cyber thefts linked to Pyongyang. Western intelligence officials say North Korea has become a global leader in cryptocurrency crime, using stolen digital wealth to prop up its sanctioned economy and finance weapons development. “The FBI, [Japan’s] NPA, and international partners will continue to expose and combat North Korea’s use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime,” the FBI and Japan’s National Police Agency said in a recent joint statement[25]. Industry analysts note that the crypto sector’s decentralized, cross-border nature presents unique challenges for law enforcement, even as blockchain forensics improve. The SBI Crypto incident is likely to fuel further calls for tighter security standards at crypto platforms and renewed diplomatic pressure on Pyongyang’s enablers. For now, the stolen funds from the SBI attack remain in motion and largely unrecovered, hidden behind layers of online obfuscation – a stark reminder of the cat-and-mouse battle between cryptocurrency thieves and those seeking to bring them to justice.

