
North Korea Hackers Suspected in $21 Million Theft From Japan’s SBI Group


A cyberattack targeting Japan’s SBI Group has drained about $21 million in digital assets, with blockchain investigators pointing to hallmarks of North Korea-linked hackers.

Online investigator ZachXBT said in a post last week that wallets tied to SBI Crypto, a subsidiary of the Tokyo-based financial conglomerate, were emptied of BTC, ETH, Litecoin, Dogecoin, and Bitcoin Cash on Sept. 24. The assets were swiftly moved through Tornado Cash, a cryptocurrency mixing service sanctioned by the United States for its role in laundering stolen funds.

“The attack exhibits similarities to other exploits connected to North Korean hackers,” ZachXBT wrote, noting that blockchain security firm Cyvers assisted in the probe. SBI Group has not yet commented on the incident.

SBI is one of Japan’s largest financial firms, with operations spanning banking, asset management, and crypto mining. Its SBI Crypto unit runs mining pools and blockchain infrastructure services. The breach adds to a growing list of high-profile heists in the sector that analysts say bear the hallmarks of the Lazarus Group, a hacking collective widely believed to be state-sponsored by Pyongyang.

The Lazarus Group has been blamed for some of the largest crypto heists on record, including the $620 million Ronin Bridge hack in 2022 and a string of platform breaches that U.S. officials say helped bankroll North Korea’s weapons program. Earlier this year, analytics firm Arkham Intelligence said Lazarus siphoned off more than $1.5 billion from Bybit, citing intelligence gathered by ZachXBT.

ZachXBT himself has emerged as one of the most prolific independent sleuths in the crypto world, known for tracking stolen funds across blockchains. In June, he linked Iranian platform Nobitex to a suspected $80 million exploit involving assets on Tron and ETH-compatible networks.

Spotlight on Tornado Cash

The SBI Crypto theft again draws attention to Tornado Cash, a decentralized service designed to obscure the origin of transactions. Hackers have repeatedly used it to launder stolen funds, prompting regulators to tighten enforcement. The U.S. Treasury Department sanctioned the platform in August 2022, alleging it was used to funnel billions of dollars linked to cybercrime. In 2023, one of its developers, Roman Storm, was charged with conspiracy to commit money laundering and sanctions violations.

Despite these measures, Tornado Cash continues to operate, underscoring the challenges regulators face in policing decentralized finance tools that run autonomously on blockchain networks.

The breach is another setback for Japan’s crypto sector, which has worked to build a reputation for stricter oversight after Mt. Gox and Coincheck suffered major hacks in the past decade. While Japan requires platforms to hold customer assets in cold wallets and imposes reserve requirements, attacks on affiliated infrastructure providers like SBI Crypto remain harder to guard against.

The SBI case adds to mounting pressure on regulators in Tokyo and elsewhere to coordinate more closely on cyber defenses. It also highlights the difficulty of curbing groups such as Lazarus, which continue to adapt despite international sanctions.

 
