North Korean Hackers Steal $21M From SBI Crypto, Laundered via Tornado Cash

Japanese cryptocurrency company SBI Crypto has fallen victim to a $21 million hack that blockchain investigators have traced to suspected North Korean ￰3￱ incident adds to a growing list of high-profile cyberattacks attributed to North Korea’s state-backed cyber units, which have stolen billions of dollars from the digital asset sector in recent ￰4￱ breach was first flagged by blockchain analyst ZachXBT, who identified suspicious outflows from SBI Crypto wallet addresses on September 24, 2025.) cyber units, commonly known as the Lazarus ￰5￱ Crypto is a mining pool and wholly owned subsidiary of SBI Group, one of Japan’s largest financial services ￰6￱ the scale of the theft, SBI has not yet publicly disclosed the ￰7￱ use of Tornado Cash in the laundering process has drawn renewed ￰8￱ mixer was sanctioned by the ￰9￱ in 2022 due to its role in processing illicit funds, including those linked to North ￰10￱ this year, however, a ￰11￱ lifted restrictions on the platform , sparking concerns that state-backed hackers would once again exploit the service to conceal stolen ￰12￱ SBI incident is the latest in a string of North Korea-linked cyberattacks targeting cryptocurrency exchanges, projects, and ￰13￱ compiled by blockchain forensics firms show that North Korean hackers stole over $1.3 billion across 47 incidents in 2024 ￰14￱ the first half of 2025, they stole an estimated $2.2 billion, showing the growing sophistication and frequency of these ￰15￱ Korean Crypto Campaigns Expand From Hacks to Fraudulent Employment Schemes Investigations into DPRK cyber campaigns have revealed that they extend far beyond hacking wallets and ￰16￱ August 13, ZachXBT published evidence of a covert North Korean employment scheme involving five operatives who posed as blockchain ￰17￱ exposes 5 North Korean workers running 30+ fake identities to target crypto projects as anonymous source compromises DPRK IT worker devices, revealing $680K Favrr exploit. #NorthKorea #Lazarus ￰0￱ — ￰18￱ (@cryptonews) August 13, 2025 These operatives allegedly created more than 30 fake identities using government-issued identification, purchased Social Security numbers, and set up accounts on professional networks such as Upwork and ￰19￱ obtained included meeting schedules with targeted projects, Google Drive exports, Telegram conversations, and expense spreadsheets listing purchases of VPNs, AI tools, and fake professional ￰20￱ of the wallets linked to the fake developer ring was tied to the $680,000 exploit of the crypto project Favrr in June 2025, further connecting the group’s activities to financial ￰21￱ exposure of these tactics has triggered heightened concern in the cryptocurrency ￰22￱ several cases, projects discovered that developers and decision-makers in their teams were, in fact, North Korean operatives using false ￰23￱ links North Korean IT workers to over 25 crypto hacks and extortion schemes beyond simple employment fraud. #NorthKorean #Crypto ￰1￱ — ￰24￱ (@cryptonews) September 25, 2025 While some companies, such as Kraken, have successfully identified and blocked suspected North Korean applicants, others have been less successful, with millions lost to fraudulent employment schemes and phishing attacks disguised as job ￰25￱ employment fraud, North Korea has been linked to highly sophisticated malware ￰26￱ June, cybersecurity firm Cisco Talos documented the “PylangGhost” campaign , in which Lazarus Group operatives created fake coding tests and video interview platforms designed to infect blockchain developers’ ￰27￱ malware targeted over 80 browser extensions, including popular crypto wallets like MetaMask and ￰28￱ enforcement has responded with seizures and arrests tied to DPRK-linked ￰29￱ June, authorities confiscated $7.7 million in cryptocurrency allegedly earned through covert North Korean IT worker networks.

Earlier, the FBI dismantled fake companies such as Blocknovas LLC in South Carolina and Softglide LLC in New York, which had been set up to create legitimate corporate fronts for infiltration ￰30￱ founder @cz_binance issued urgent warnings about North Korean hackers infiltrating crypto companies through fake job applications, urging companies to 'screen candidates carefully.' #CZ #NorthKorean #Hackers ￰2￱ — ￰31￱ (@cryptonews) September 18, 2025 Former Binance CEO Changpeng Zhao also issued a warning in September, stating that North Korean hackers were increasingly infiltrating crypto firms through fake job applications, bribery of contractors, and malware hidden in interview ￰32￱ of press time, the stolen funds remain unaccounted for, and SBI Crypto has yet to issue a formal statement addressing the breach.