A suspected North Korean cyberattack has drained $21 million from SBI Crypto, raising serious concerns about the cybersecurity standards of Japan’s financial institutions.

Quick Summary – TLDR:

  • $21 million in crypto assets stolen from SBI Crypto, a subsidiary of Japan’s SBI Group
  • North Korean Lazarus Group suspected of orchestrating the attack
  • Stolen funds laundered via instant exchanges and Tornado Cash
  • Breach highlights major vulnerabilities in institutional crypto security

What Happened?

In late September 2025, SBI Crypto, a mining subsidiary of Japanese financial giant SBI Group, fell victim to a sophisticated cyberattack that drained around $21 million worth of cryptocurrencies. Investigators, including blockchain sleuth ZachXBT, believe the Lazarus Group, a North Korea-linked hacking collective, is behind the intrusion.

The stolen funds, including Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash, were moved through five instant-exchange platforms and then funneled into Tornado Cash, a crypto mixing service known for obfuscating the origin of digital assets.

Inside the Breach

SBI Crypto’s compromised wallets showed a series of suspicious outflows beginning around September 24, 2025. On-chain analysis revealed that attackers rapidly converted and transferred the assets through platforms that don’t require user accounts, making it easy to mask their tracks. These included ChangeNow and SimpleSwap, both commonly used in past laundering schemes.

The final destination of the funds was Tornado Cash, a decentralized mixing tool that remains a preferred laundering service for cybercriminals, especially North Korean state-sponsored groups. It was sanctioned by the U.S. Treasury in 2022 and removed from the sanctions list earlier in 2025, but its status never affected availability: the mixer runs as on-chain smart contracts that keep operating regardless of who hosts a front end.

Blockchain analyst ZachXBT flagged the incident shortly after the transfers occurred, noting that the tactics resembled earlier attacks attributed to North Korea. He pointed out that the multi-asset conversion and swift laundering process are consistent with Lazarus Group operations seen in previous breaches.

Institutional Fallout in Japan

This breach isn’t just another crypto heist; it’s a wake-up call for Japan’s tightly regulated financial institutions. While Japan is known for its robust crypto oversight, repeated intrusions, including the $308 million DMM Bitcoin hack in 2024, suggest ongoing problems with how banks and institutions handle digital assets.

SBI Group has been one of Japan’s most prominent investors in blockchain through SBI VC Trade and SBI Crypto, but the incident casts doubt on its internal security and risk management practices. Key areas under scrutiny include:

  • Use and exposure of hot wallets.
  • Segregation of duties within internal systems.
  • Real-time transaction monitoring capabilities.
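The third item, real-time transaction monitoring, is the control most likely to turn an intrusion like this one into a contained incident rather than a $21 million loss. The following is an added example, not code from SBI or from any investigator, of the two checks a hot-wallet outflow monitor would run: is the destination on the wallet's allowlist, and has the wallet sent out more than a set fraction of its balance within a short window? The wallet names, destination addresses, balances, timestamps and thresholds are all constructed for the illustration; the burst of transfers dated September 24 mimics the pattern the article describes, not the actual SBI transactions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    wallet: str   # internal label of the hot wallet the funds left
    asset: str
    amount: float
    to: str       # destination address (constructed labels, not real addresses)

@dataclass
class Alert:
    transfer: Transfer
    reasons: list = field(default_factory=list)

# Constructed sample state: per-wallet balances and the destinations each
# hot wallet is allowed to pay (cold storage sweeps, settlement accounts).
BALANCES = {("hot-btc", "BTC"): 100.0, ("hot-eth", "ETH"): 2000.0}
ALLOWLIST = {"hot-btc": {"cold-btc-1"}, "hot-eth": {"cold-eth-1"}}

# Constructed transfer log: two routine sweeps to cold storage on the 23rd,
# then a rapid burst to unknown destinations in the early hours of the 24th.
SAMPLE_TRANSFERS = [
    Transfer(datetime(2025, 9, 23, 10, 0), "hot-btc", "BTC", 2.0, "cold-btc-1"),
    Transfer(datetime(2025, 9, 23, 16, 0), "hot-eth", "ETH", 50.0, "cold-eth-1"),
    Transfer(datetime(2025, 9, 24, 2, 1), "hot-btc", "BTC", 9.0, "unknown-1"),
    Transfer(datetime(2025, 9, 24, 2, 4), "hot-btc", "BTC", 9.5, "unknown-2"),
    Transfer(datetime(2025, 9, 24, 2, 7), "hot-btc", "BTC", 8.0, "unknown-3"),
    Transfer(datetime(2025, 9, 24, 2, 10), "hot-eth", "ETH", 450.0, "unknown-4"),
]

def detect_outflow_anomalies(transfers, allowlist, balances,
                             window=timedelta(minutes=30), velocity_pct=0.20):
    """Replay transfers in time order and flag each one that either leaves
    for a destination not on the wallet's allowlist or pushes the wallet's
    outflow over velocity_pct of its balance within the rolling window.
    Balances are treated as fixed at the start of the replay (a simplification
    for the example; a production monitor would track them live)."""
    alerts = []
    recent = defaultdict(deque)  # (wallet, asset) -> transfers inside the window
    for t in sorted(transfers, key=lambda x: x.ts):
        reasons = []
        if t.to not in allowlist.get(t.wallet, set()):
            reasons.append("unlisted_destination")
        q = recent[(t.wallet, t.asset)]
        q.append(t)
        while q and t.ts - q[0].ts > window:
            q.popleft()
        outflow = sum(x.amount for x in q)
        if outflow > velocity_pct * balances[(t.wallet, t.asset)]:
            reasons.append("velocity")
        if reasons:
            alerts.append(Alert(t, reasons))
    return alerts

if __name__ == "__main__":
    for a in detect_outflow_anomalies(SAMPLE_TRANSFERS, ALLOWLIST, BALANCES):
        t = a.transfer
        print(f"{t.ts:%Y-%m-%d %H:%M} {t.wallet} {t.amount} {t.asset} -> {t.to}: {', '.join(a.reasons)}")
```

The routine sweeps produce no alerts; the first two unknown-destination transfers trip only the allowlist check, and the third trips the velocity check as well once the half-hour total crosses 20% of the BTC balance. In practice the alert would gate a signing step (pause the wallet, require a second approver) rather than merely log, since by the time a human reads it the instant exchanges have already converted the funds.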

For a major institution with deep roots in both traditional finance and digital innovation, the breach is a stark reminder that centralized systems are not immune to cyberattacks. They concentrate risk: a single compromised signing key, operator workstation, or vendor integration can expose every asset the hot wallets control, and the size and complexity of a large institution only multiply the places such a foothold can be gained.

Geopolitical Implications

The alleged involvement of North Korea’s Lazarus Group ties this incident into a broader geopolitical trend. According to Chainalysis, North Korean hackers have stolen over $2 billion in crypto in 2025 alone, using it to circumvent sanctions and fund weapons programs.

Unlike typical crypto exploits that target code vulnerabilities in smart contracts, Lazarus attacks focus on centralized institutions and often rely on social engineering, phishing, and compromised employee or vendor access. These tactics make them especially dangerous for traditional financial institutions now expanding into crypto, because the weak point is the people and workstations around the keys rather than the protocol itself.

The SBI Crypto attack is part of a growing wave of DPRK activity across Asia, following:

  • The $1.5 billion Bybit hack in February 2025
  • Attacks on Singaporean and South Korean exchanges

This trend underscores a strategic push by North Korea to target Asia’s financial hubs as they increasingly adopt blockchain-based solutions.

Policy Pressure and Regulatory Response

Japan’s Financial Services Agency (FSA) is expected to respond with increased scrutiny. Potential regulatory actions may include:

  • Stricter reporting and transparency requirements.
  • Mandatory adoption of travel-rule-compliant monitoring tools.
  • Enhanced anti-money laundering (AML) and counter-terrorist financing (CTF) protocols.

If such attacks can strike regulated entities like SBI Crypto, regulators may no longer treat crypto divisions as experimental projects but rather as systemically important infrastructure requiring robust, bank-grade protections.

SQ Magazine Takeaway

This breach is not just another crypto story. I see it as a brutal reminder that institutional-grade involvement in crypto needs institutional-grade defense. The fact that a regulated, publicly traded company like SBI can be hit so hard means no one is truly safe. If centralized institutions cannot protect their own hot wallets and internal systems, how can they be trusted with client assets? The future of crypto might still be bright, but it will be paved with stricter compliance and smarter cybersecurity. And honestly, it’s about time.


Barry Elad

Founder & Senior Writer


Barry Elad is a seasoned fintech, AI analyst, and founder of SQ Magazine. He explores the world of artificial intelligence, uncovering trends, data, and real-world impacts for readers. When he’s off the page, you’ll find him cooking healthy meals, practicing yoga, or exploring nature with his family.