
Reports have emerged that the crypto subsidiary of Japanese financial giant SBI Group has been targeted by state-sponsored hackers from North Korea. Blockchain investigators detected suspicious activity from SBI Crypto wallets, with roughly US$21 million worth of digital assets — including Bitcoin (BTC) and Ethereum (ETH) — flowing out of the company’s wallets in late September 2025.
While SBI has yet to issue an official statement, on-chain forensics indicate the stolen funds were routed through five instant exchanges before being deposited into Tornado Cash, a crypto mixing service long associated with obfuscating stolen funds.
Instant-exchange platforms such as ChangeNow or SimpleSwap allow users to swap one crypto asset for another without creating an account. This feature makes them useful for privacy, but also a prime tool for laundering stolen crypto.
Blockchain investigator ZachXBT was the first to suggest that the tactics mirrored previous DPRK-linked cyberattacks, noting that the rapid multi-asset conversion and subsequent routing into Tornado Cash follow the same pattern as known Lazarus Group operations.
This isn’t just another crypto hack — it’s a test case for how well traditional banks can secure their digital-asset arms. Japan prides itself on strict oversight of exchanges and custodians, but repeated intrusions — including the $308 million DMM Bitcoin theft in 2024 — suggest systemic weaknesses in hot-wallet management, internal segregation, and real-time monitoring.
For SBI Group, which has invested heavily in blockchain through its SBI VC Trade and SBI Crypto units, this breach raises uncomfortable questions about intra-group risk.
If an institutional miner tied to a bank can be compromised, it challenges the assumption that regulated infrastructure is inherently safer than DeFi-native operations.
From a geopolitical standpoint, the alleged North Korean link also underscores how state-backed actors are targeting financial infrastructure as part of a broader strategy to evade sanctions and fund weapons programs. According to Chainalysis, DPRK-linked hackers have already stolen over US$2 billion in crypto in 2025, marking a record year for blockchain-enabled thefts.
The post-attack movement of funds paints a familiar picture. On-chain analysts traced multiple transfers through five instant-exchange platforms — likely chosen for their non-custodial and account-less nature — before funds were sent to Tornado Cash for mixing.
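The hop-tracing described above, as an added example that is not the investigators' or the article's own code: a small Python tracer over a constructed ledger that follows outflows from a monitored hot wallet, bridges account-less swap services with an amount-and-timing heuristic (a swap pays out from a different address than it received on), and flags paths that end at a mixer. Address strings, service names, transaction ids and the 5% / one-hour matching thresholds are all placeholders.

```python
# Constructed sample ledger: (tx_id, timestamp, from_addr, to_addr, asset, usd_value).
# Every address, id and amount here is made up for illustration.
LEDGER = [
    ("t1", 100, "hot-wallet-A", "addr-1", "BTC", 9_000_000),
    ("t2", 130, "addr-1", "swap-X-in", "BTC", 9_000_000),      # deposit to swap X
    ("t3", 400, "swap-X-out", "addr-2", "ETH", 8_800_000),     # swap X pays out in ETH
    ("t4", 450, "addr-2", "swap-Y-in", "ETH", 8_800_000),
    ("t5", 700, "swap-Y-out", "addr-3", "ETH", 8_700_000),
    ("t6", 800, "addr-3", "mixer-pool", "ETH", 8_700_000),     # mixer deposit
    ("t7", 120, "hot-wallet-A", "cold-vault", "BTC", 50_000),  # benign internal sweep
]
# Placeholder attribution database: address -> (entity kind, entity name).
LABELS = {
    "swap-X-in": ("instant-exchange", "X"), "swap-X-out": ("instant-exchange", "X"),
    "swap-Y-in": ("instant-exchange", "Y"), "swap-Y-out": ("instant-exchange", "Y"),
    "mixer-pool": ("mixer", "mixer-M"), "cold-vault": ("own-custody", None),
}

def outgoing(addr, ledger, after_ts):
    return [tx for tx in ledger if tx[2] == addr and tx[1] >= after_ts]

def bridge_service(service, ts, usd, ledger, labels, window, tol):
    """Match a payout from the same swap service to a fresh address, shortly after
    the deposit and of similar USD value. This is a heuristic: a concurrent
    unrelated swap of similar size would be a false match."""
    for tx in ledger:
        _, svc = labels.get(tx[2], (None, None))
        if (svc == service and tx[3] not in labels
                and ts <= tx[1] <= ts + window and abs(tx[5] - usd) <= tol * usd):
            return tx
    return None

def trace(start, ledger, labels, window=3600, tol=0.05):
    """Follow funds leaving `start`; one record per terminal path."""
    results, stack = [], [(start, 0, [], [])]   # addr, min ts, tx hops, entities crossed
    while stack:
        addr, ts, hops, ents = stack.pop()
        nxt = outgoing(addr, ledger, ts)
        if not nxt:
            results.append({"hops": hops, "entities": ents, "mixer": False})
        for tx in nxt:
            kind, name = labels.get(tx[3], (None, None))
            path = hops + [tx[0]]
            if kind is None:                                 # plain pass-through address
                stack.append((tx[3], tx[1], path, ents))
            elif kind == "instant-exchange":
                out = bridge_service(name, tx[1], tx[5], ledger, labels, window, tol)
                if out is None:
                    results.append({"hops": path, "entities": ents + [name], "mixer": False})
                else:
                    stack.append((out[3], out[1], path + [out[0]], ents + [name]))
            else:                                            # mixer or own custody: terminal
                results.append({"hops": path, "entities": ents + [name or kind],
                                "mixer": kind == "mixer"})
    return results

def laundering_paths(results):
    """Paths worth an alert: funds crossed at least one swap service and reached a mixer."""
    return [r for r in results if r["mixer"] and len(r["entities"]) > 1]
```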
Tornado Cash, sanctioned by OFAC in 2022 and later delisted in 2025 after legal challenges, remains a lightning rod in debates over privacy and security. While technically neutral software, its continued use by DPRK-affiliated hackers shows how mixers remain essential to laundering operations, even after enforcement actions.
Japan is not alone. The Bybit $1.5 billion hack in February 2025, attributed to the same TraderTraitor DPRK unit, and previous attacks on Korean and Singaporean exchanges show that North Korea is escalating its focus on Asia-based liquidity hubs.
Unlike decentralized hacks that exploit smart-contract bugs, Lazarus operations rely on targeting centralized custody systems and insider lapses — the weakest human and procedural links inside otherwise secure institutions.
If attribution to North Korea is confirmed, Japan’s Financial Services Agency (FSA) may push for tighter reporting standards and mandatory adoption of travel-rule-compliant monitoring tools for crypto subsidiaries of regulated banks.
Meanwhile, Tornado Cash’s re-entry into legal circulation after its 2025 delisting could reignite debate over how governments balance open-source neutrality with sanction enforcement.
More broadly, the SBI case will likely accelerate efforts to treat crypto divisions as systemic banking components, not experimental side projects — demanding the same resilience, disclosure, and contingency frameworks as other financial operations.
The SBI Crypto breach serves as a cautionary tale for traditional finance. As institutions expand into mining, custody, and tokenization, they inherit the full threat landscape of crypto — including state-sponsored theft, laundering, and regulatory blowback.
Whether or not this attack is definitively linked to North Korea, it’s a clear signal: institutional participation in crypto now requires institutional-grade defenses.