Japan’s SBI Crypto Hack Signals Institutional Vulnerabilities

A suspected North Korean cyberattack has struck the crypto subsidiary of Japan’s SBI Group, draining roughly $21 million in Bitcoin and Ethereum.

A $21 Million Breach With Familiar Fingerprints

Reports have emerged that the crypto subsidiary of Japanese financial giant SBI Group has been targeted by state-sponsored hackers from North Korea. Blockchain investigators detected suspicious activity from SBI Crypto wallets, with roughly US$21 million worth of digital assets — including Bitcoin (BTC) and Ethereum (ETH) — flowing out of the company’s wallets in late September 2025.

While SBI has yet to issue an official statement, on-chain forensics indicate the stolen funds were routed through five instant exchanges before being deposited into Tornado Cash, a crypto mixing service long associated with obfuscating stolen funds.

Instant-exchange platforms such as ChangeNOW or SimpleSwap let users swap one crypto asset for another without creating an account. That makes them useful for privacy, but it also makes them a prime tool for laundering stolen crypto: each swap breaks the on-chain link between the asset that went in and the asset that came out.

Blockchain investigator ZachXBT was the first to suggest that the tactics mirrored previous DPRK-linked cyberattacks, noting that the rapid multi-asset conversion and subsequent routing into Tornado Cash follow the same pattern as known Lazarus Group operations.

Why This Matters for Japan’s Financial Sector

This isn’t just another crypto hack — it’s a test case for how well traditional banks can secure their digital-asset arms. Japan prides itself on strict oversight of exchanges and custodians, but repeated intrusions — including the $308 million DMM Bitcoin theft in 2024 — suggest systemic weaknesses in hot-wallet management, internal segregation, and real-time monitoring.

For SBI Group, which has invested heavily in blockchain through its SBI VC Trade and SBI Crypto units, this breach raises uncomfortable questions about intra-group risk. If an institutional miner tied to a bank can be compromised, it challenges the assumption that regulated infrastructure is inherently safer than DeFi-native operations.

From a geopolitical standpoint, the alleged North Korean link also underscores how state-backed actors are targeting financial infrastructure as part of a broader strategy to evade sanctions and fund weapons programs. According to Chainalysis, DPRK-linked hackers have already stolen over US$2 billion in crypto in 2025, marking a record year for blockchain-enabled thefts.

How the Funds Were Laundered

The post-attack movement of funds paints a familiar picture. On-chain analysts traced multiple transfers through five instant-exchange platforms — likely chosen for their non-custodial and account-less nature — before funds were sent to Tornado Cash for mixing.
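The pattern described above and in the earlier ZachXBT attribution (rapid asset conversion through account-less exchanges, then a mixer deposit) is the kind of thing a custodian's monitoring team can encode as a forward-trace rule. The following is an added example, not code from the article, from SBI, or from any blockchain-analytics vendor. Every address, label, amount and timestamp is constructed; the `LABELS` table stands in for an attribution feed the monitoring team is assumed to maintain.

```python
"""Toy forward-trace of a drained wallet through labelled instant-exchange
addresses into a labelled mixer.

Added illustration; all addresses, labels, amounts and timestamps are
constructed.  Real tracing runs over full ledgers with far richer
attribution than the few hand-labelled addresses used here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    src: str
    dst: str
    asset: str
    amount: float


# Constructed address labels (assumption: maintained by the monitoring team).
LABELS = {
    "0xEXCH_A": "instant_exchange",
    "0xEXCH_B": "instant_exchange",
    "0xMIXER": "mixer",
}

# Constructed ledger: a drain, two account-less swaps, then a mixer deposit,
# plus an unrelated payroll transfer and exchange outflows outside the window.
SAMPLE = [
    Transfer(0,     "0xVICTIM",  "0xATTK1",    "ETH", 1000.0),
    Transfer(100,   "0xVICTIM",  "0xPAYROLL",  "ETH", 5.0),
    Transfer(200,   "0xPAYROLL", "0xEMPLOYEE", "ETH", 5.0),
    Transfer(300,   "0xEXCH_A",  "0xOLDUSER",  "BTC", 0.4),    # before attacker's deposit
    Transfer(600,   "0xATTK1",   "0xEXCH_A",   "ETH", 1000.0),
    Transfer(900,   "0xEXCH_A",  "0xATTK2",    "BTC", 12.5),   # ETH -> BTC swap payout
    Transfer(1800,  "0xATTK2",   "0xEXCH_B",   "BTC", 12.5),
    Transfer(2100,  "0xEXCH_B",  "0xATTK3",    "ETH", 990.0),  # BTC -> ETH swap payout
    Transfer(3000,  "0xATTK3",   "0xMIXER",    "ETH", 990.0),
    Transfer(90000, "0xEXCH_A",  "0xLATER",    "BTC", 3.0),    # hours later, other customer
]


def trace_to_mixer(transfers, origin, max_hops=8, window_s=6 * 3600,
                   swap_window_s=3600):
    """Breadth-first forward trace from `origin`.

    An outflow is followed only if it leaves an address after the funds
    arrived there and within `window_s` of the first outflow from `origin`.
    For a labelled instant exchange the payout must also leave within
    `swap_window_s` of the deposit, a crude stand-in for the amount/timing
    matching analysts use to pair a deposit with its swap payout.
    Returns every path (list of Transfer) that ends in a mixer deposit.
    """
    outflows = defaultdict(list)
    for t in transfers:
        outflows[t.src].append(t)
    first_out = min((t.ts for t in outflows.get(origin, [])), default=None)
    if first_out is None:
        return []

    hits = []
    queue = deque([(origin, first_out, [])])   # (address, arrived_at, path)
    while queue:
        addr, arrived, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for t in sorted(outflows.get(addr, []), key=lambda x: x.ts):
            if t.ts < arrived or t.ts - first_out > window_s:
                continue
            if LABELS.get(addr) == "instant_exchange" and t.ts - arrived > swap_window_s:
                continue
            new_path = path + [t]
            if LABELS.get(t.dst) == "mixer":
                hits.append(new_path)          # terminal: funds entered a mixer
            else:
                queue.append((t.dst, t.ts, new_path))
    return hits


def summarize(path):
    """Features of one traced path that a rule or an analyst would look at."""
    assets = []
    for t in path:
        if t.asset not in assets:
            assets.append(t.asset)
    return {
        "hops": len(path),
        "exchanges": len({t.dst for t in path
                          if LABELS.get(t.dst) == "instant_exchange"}),
        "assets": assets,
        "elapsed_s": path[-1].ts - path[0].ts,
        "terminal": LABELS.get(path[-1].dst),
    }


def chain_hop_to_mixer(transfers, origin):
    """True when drained funds cross at least one account-less exchange,
    change asset at least once, and land in a mixer inside the trace window."""
    for path in trace_to_mixer(transfers, origin):
        s = summarize(path)
        if s["exchanges"] >= 1 and len(s["assets"]) >= 2:
            return True
    return False


if __name__ == "__main__":
    for p in trace_to_mixer(SAMPLE, "0xVICTIM"):
        print(" -> ".join([p[0].src] + [t.dst for t in p]), summarize(p))
    print("chain-hop-to-mixer:", chain_hop_to_mixer(SAMPLE, "0xVICTIM"))
```

Two caveats a practitioner would add before relying on anything like this. An instant exchange's hot wallet serves many customers, so following every outflow after a deposit over-attributes; real tracing pairs a deposit with its payout by amount and timing across chains, which this toy only approximates with the short swap window. And Tornado Cash is not a plain address but a set of fixed-denomination pool contracts, so a production rule would key on deposit calls to those contracts rather than on a single labelled destination.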

Tornado Cash, sanctioned by OFAC in 2022 and removed from the sanctions list in 2025 after legal challenges, remains a lightning rod in debates over privacy and security. While technically neutral software, its continued use by DPRK-affiliated hackers shows that mixers remain central to laundering operations even after enforcement actions.

A Pattern Across Asia

Japan is not alone. The Bybit $1.5 billion hack in February 2025, attributed to TraderTraitor, a DPRK unit operating under the Lazarus umbrella, and previous attacks on Korean and Singaporean exchanges show that North Korea is escalating its focus on Asia-based liquidity hubs.

Unlike decentralized hacks that exploit smart-contract bugs, Lazarus operations rely on targeting centralized custody systems and insider lapses — the weakest human and procedural links inside otherwise secure institutions.

Looking Ahead: The Policy and Compliance Fallout

If attribution to North Korea is confirmed, Japan’s Financial Services Agency (FSA) may push for tighter reporting standards and mandatory adoption of travel-rule-compliant monitoring tools for crypto subsidiaries of regulated banks.

Meanwhile, Tornado Cash’s re-entry into legal circulation after its 2025 delisting could reignite debate over how governments balance open-source neutrality with sanction enforcement.

More broadly, the SBI case will likely accelerate efforts to treat crypto divisions as systemic banking components, not experimental side projects — demanding the same resilience, disclosure, and contingency frameworks as other financial operations.

Conclusion: A Warning From the Future

The SBI Crypto breach serves as a cautionary tale for traditional finance. As institutions expand into mining, custody, and tokenization, they inherit the full threat landscape of crypto — including state-sponsored theft, laundering, and regulatory blowback.

Whether or not this attack is definitively linked to North Korea, it’s a clear signal: institutional participation in crypto now requires institutional-grade defenses.

Source: https://bravenewcoin.com/insights/japans-sbi-crypto-hack-signals-institutional-vulnerabilities