Japan’s SBI Crypto Hack Signals Institutional Vulnerabilities


A suspected North Korean cyberattack hit the crypto arm of Japan’s SBI Group, draining around $21 million in Bitcoin and Ethereum.

$21 million breach with familiar fingerprints

Reports have emerged that the crypto arm of Japanese financial giant SBI Group has been targeted by state-sponsored hackers from North Korea. Blockchain investigators detected suspicious activity in SBI Crypto wallets, with approximately $21 million worth of digital assets – including Bitcoin (BTC) and Ethereum (ETH) – flowing out of the company’s wallets at the end of September 2025.

While SBI has yet to release an official statement, on-chain forensics indicates that the stolen funds were routed through five instant exchanges before being deposited into Tornado Cash, a crypto-mixing service long associated with obfuscating the trail of stolen funds.

Instant exchange platforms such as ChangeNOW or SimpleSwap allow users to swap one crypto asset for another without creating an account. This feature makes them useful for privacy, but also a tool of choice for laundering stolen crypto.

Blockchain investigator ZachXBT was the first to suggest that the tactic mirrored previous DPRK-related cyberattacks, noting that the rapid multi-asset conversion and subsequent routing into Tornado Cash follows the same pattern as known Lazarus Group operations.

Why it matters for Japan’s financial sector

This isn’t just another crypto hack – it’s a test case for how traditional banks can secure their digital-asset arms. Japan prides itself on strict oversight of exchanges and gatekeepers, but repeated intrusions – including the $308 million theft from DMM Bitcoin in 2024 – suggest systemic weaknesses in wallet management, internal segregation and real-time monitoring.

For the SBI Group, which has invested heavily in blockchain through its SBI VC and SBI Crypto units, this breach raises uncomfortable questions about intra-group risk. If a bank-linked institutional miner can be compromised, it calls into question the assumption that regulated infrastructure is inherently more secure than DeFi-native operations.

From a geopolitical perspective, the alleged North Korean link also highlights how state-backed actors target financial infrastructure as part of a broader strategy to evade sanctions and fund weapons programs. According to Chainalysis, hackers linked to the DPRK have already stolen over $2 billion in crypto in 2025, marking a record year for blockchain-enabled thefts.

How the funds were laundered

The post-attack fund movement paints a familiar picture. On-chain analysts traced multiple transfers through five instant exchange platforms – likely chosen for their non-custodial, accountless nature – before the funds were sent to Tornado Cash for mixing.

Tornado Cash, sanctioned by OFAC in 2022 and delisted in 2025 after legal challenges, remains a lightning rod in debates about privacy and security. Although technically neutral software, its continued use by DPRK-affiliated hackers demonstrates how mixers remain essential to laundering operations, even after enforcement actions.
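As an added illustration (not from the original article, and not any investigator's actual tooling), the following Python sketches the kind of on-chain tracing described above: following outflows from a compromised wallet and flagging when the path crosses accountless instant exchanges and ends at a mixer. All addresses, labels and transfers are constructed placeholders, not real chain data.

```python
from collections import deque

# Constructed address labels (placeholders, not real on-chain addresses).
LABELS = {
    "0xVICTIM": "victim_hot_wallet",
    "0xSWAP1": "instant_exchange",
    "0xSWAP2": "instant_exchange",
    "0xMIXER": "mixer",
    "0xSHOP": "merchant",
}

# Constructed transfers: (from, to, asset, amount). Not real chain data.
TRANSFERS = [
    ("0xVICTIM", "0xSWAP1", "ETH", 4000.0),
    ("0xSWAP1", "0xA1", "BTC", 95.0),      # asset converted at the first swap
    ("0xA1", "0xSWAP2", "BTC", 95.0),
    ("0xSWAP2", "0xA2", "ETH", 3900.0),    # converted back at the second swap
    ("0xA2", "0xMIXER", "ETH", 3900.0),    # final deposit into a mixer
    ("0xVICTIM", "0xSHOP", "ETH", 1.0),    # benign outflow, should not alert
]


def trace(origin, transfers, labels, max_hops=8):
    """Breadth-first walk over outgoing transfers from origin.
    Returns (path, assets_along_path) to the first mixer reached, else None."""
    graph = {}
    for src, dst, asset, _amount in transfers:
        graph.setdefault(src, []).append((dst, asset))
    queue = deque([(origin, [origin], [])])
    seen = {origin}
    while queue:
        node, path, assets = queue.popleft()
        if labels.get(node) == "mixer":
            return path, assets
        if len(path) - 1 >= max_hops:
            continue
        for dst, asset in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [dst], assets + [asset]))
    return None


def classify(result, labels):
    """Summarise a traced path: hop count, instant exchanges crossed,
    and whether the asset type changed along the way (the DPRK pattern)."""
    if result is None:
        return {"mixer_reached": False}
    path, assets = result
    exchanges = sum(1 for a in path if labels.get(a) == "instant_exchange")
    return {"mixer_reached": True, "hops": len(path) - 1,
            "instant_exchanges": exchanges, "asset_swaps": len(set(assets)) > 1}
```

In practice the labels would come from an address-attribution feed, and the alert condition is the combination the article describes: multiple instant-exchange hops with asset conversion ending at a mixer.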

A model across Asia

Japan is not alone. The $1.5 billion hack in February 2025, attributed to the same DPRK unit, TraderTraitor, and previous attacks on Korean and Singaporean exchanges show that North Korea is increasing its focus on Asia-based liquidity centers.

Unlike decentralized hacks that exploit smart contract bugs, Lazarus operations rely on targeting centralized custody systems and deceiving insiders – the weakest human and procedural links inside otherwise secure institutions.

Looking Ahead: The Politics and Fallout of Compliance

If the attribution to North Korea is confirmed, the Financial Services Agency (FSA) may push for stricter reporting standards and mandatory adoption of Travel Rule-compliant monitoring tools for crypto subsidiaries of regulated banks.

Meanwhile, the return of Tornado Cash to legal circulation after its delisting in 2025 could reignite the debate over how governments balance open-source neutrality with sanctions enforcement.

More broadly, the SBI case will likely accelerate efforts to treat crypto divisions as systemic banking components, not experimental side projects – requiring the same resilience, disclosure and contingency frameworks as other financial operations.

Conclusion: a warning from the future

The SBI crypto breach serves as a cautionary tale for traditional finance. As institutions expand into mining, custody, and tokenization, they inherit the full threat landscape of crypto – including theft, laundering, and state-sponsored regulatory blowback.

That this attack is definitively linked to North Korea is a clear signal: institutional participation in crypto now requires institutional-grade defenses.
