TLDR
- SBI Crypto, a subsidiary of Japanese financial giant SBI Group, lost approximately $21 million in cryptocurrency on September 24, 2025
- The stolen funds included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash, which were funneled through instant exchanges before being deposited into Tornado Cash
- Blockchain investigator ZachXBT identified several indicators that resemble tactics used in previous North Korean state-backed cyberattacks
- The funds were laundered through Tornado Cash, a crypto mixing service previously sanctioned by the U.S. Treasury
- SBI Group has not publicly confirmed the hack or responded to requests for comment
SBI Crypto, a subsidiary of Japan’s SBI Group, reportedly lost approximately $21 million in a suspected hack on September 24, 2025. Blockchain investigator ZachXBT identified suspicious outflows from addresses linked to the company.
JUST IN: 🇯🇵🇰🇵 $21 million stolen from SBI Crypto, Japan’s largest exchange, laundered through Tornado Cash; North Korean hackers suspected – ZachXBT. pic.twitter.com/3I8nmOS68S
— Whale Insider (@WhaleInsider) October 1, 2025
The stolen cryptocurrency included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. The attackers moved the funds through five instant exchanges before depositing them into Tornado Cash, a crypto mixing service.
Tornado Cash was sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control in August 2022. The platform has been used by hackers to launder stolen funds.
ZachXBT noted several indicators that resemble tactics used in previous North Korean state-backed cyberattacks. The investigation was conducted with assistance from blockchain security firm Cyvers.
According to ZachXBT, approximately $21 million in cryptocurrency was suspiciously transferred from wallet addresses associated with SBI Crypto, ultimately deposited into Tornado Cash. North Korean hackers are suspected to be behind the attack. SBI is Japan's largest…
— Wu Blockchain (@WuBlockchain) October 1, 2025
SBI Crypto operates as a mining pool under SBI Group. SBI Group is a publicly traded financial conglomerate in Japan with exposure to both traditional and digital assets.
The company has not publicly disclosed the incident. SBI Group did not respond to media requests for comment.
Links to North Korean Hackers
North Korea-linked hacking groups, particularly Lazarus Group, have been connected to billions in stolen digital assets in recent years. These groups often use decentralized mixers like Tornado Cash to launder stolen funds.
Earlier in 2025, Arkham Intelligence reported that Lazarus Group hacked Bybit for over $1.5 billion. That information was also provided by ZachXBT.
In June, ZachXBT reported that Iranian cryptocurrency exchange Nobitex appeared to have been exploited for over $80 million. The sleuth has become known for identifying instances of illicit activity in the crypto space.
Tornado Cash Sanctions
Tornado Cash has faced scrutiny for its role in money laundering operations. In 2023, Roman Storm was charged with conspiracy to commit money laundering and sanctions violations for operating the platform.
The Treasury Department sanctioned Tornado Cash due to its use by hackers and criminals. The platform allowed users to obscure the origin and destination of cryptocurrency transactions.
Despite sanctions and regulatory crackdowns, hackers continue to use Tornado Cash. The platform remains accessible through decentralized blockchain networks.
The SBI Crypto incident occurred on September 24, 2025. The funds were traced through multiple exchanges before reaching Tornado Cash.
ZachXBT posted about the incident on October 1, 2025. The investigator highlighted similarities between this attack and previous North Korean hacks.
