Executive Summary
On September 24, 2025, addresses linked to SBI Crypto, a mining pool subsidiary of the publicly listed SBI Group in Japan, experienced suspicious outflows totaling approximately $21 million. The stolen funds, comprising Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Dogecoin (DOGE), and Bitcoin Cash (BCH), were subsequently routed through instant exchanges and the crypto mixing service Tornado Cash. This incident has drawn attention due to observations by blockchain investigator ZachXBT, who noted similarities to previous North Korean state-backed crypto heists, prompting concerns about the broader implications for market security and regulatory enforcement. As of the article's publication, SBI Group had not publicly confirmed the hack or responded to requests for comment.
The Event in Detail
The illicit transfer involved a significant sum of digital assets, with the roughly $21 million outflow occurring on a single day. That the theft spanned BTC, ETH, LTC, DOGE and BCH suggests the attacker had access to the pool's wallets on several chains at once rather than to a single chain. Following the initial outflow, the funds were systematically moved, first through various instant exchanges (which swap one asset for another and thereby break the on-chain link between deposit and payout), and then consolidated into Tornado Cash. This crypto mixer has a documented history of use in high-profile cybercrimes to obfuscate transaction trails, as evidenced by its resurgence in activity in 2024 while sanctions were still in force. The alleged use of Tornado Cash in this incident underscores the persistent difficulty of tracing stolen digital assets and the enduring appeal of such services for illicit activity.
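The laundering chain described above (victim wallets to instant exchanges to a mixer) is what a forensics analyst reconstructs from the ledger once the victim addresses are known. The Python below is an added example, not code from the article or from SBI Group, and every address, transaction id, amount and entity name in it is a constructed placeholder rather than real on-chain data. It implements "haircut" taint tracing, in which each entity's outflows carry stolen value in the same proportion the entity currently holds, and it models the instant-exchange hop by clustering the service's deposit and payout addresses across chains into one entity, because without that clustering the BTC-in/ETH-out swap is invisible on-chain.

```python
"""Haircut-style taint tracing over a constructed, multi-chain transfer ledger.

Added example, not code from the article. All addresses, tx ids, amounts and
entity names are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str         # "BTC", "ETH", ...
    tx: str            # transaction id (placeholder)
    src: str           # "<chain>:<label>" (placeholder, not a real address)
    dst: str
    amount_usd: float  # value at time of transfer
    ts: int            # unix seconds

# An instant exchange pays out on a different chain from an unrelated hot
# wallet; the only way to follow funds across it is to cluster the service's
# addresses into one entity. This map plays the role of that attribution data.
ENTITY_OF = {
    "btc:ix_deposit": "InstantSwapCo",
    "eth:ix_deposit": "InstantSwapCo",
    "eth:ix_hot": "InstantSwapCo",
}

VICTIMS = {"btc:victim_pool", "eth:victim_pool"}   # known compromised wallets
MIXER = {"eth:mixer_router"}                        # stand-in for a mixer watchlist

LEDGER = [  # constructed sample data, sorted later by ts
    Transfer("BTC", "t1", "btc:victim_pool", "btc:ix_deposit", 3_000_000, 100),
    Transfer("BTC", "t2", "btc:other_user", "btc:ix_deposit", 1_000_000, 110),  # unrelated, clean
    Transfer("ETH", "t3", "eth:victim_pool", "eth:ix_deposit", 2_000_000, 120),
    Transfer("ETH", "t4", "eth:ix_hot", "eth:fresh_1", 3_000_000, 200),         # swap payout
    Transfer("ETH", "t5", "eth:ix_hot", "eth:fresh_2", 1_200_000, 210),         # swap payout
    Transfer("ETH", "t6", "eth:fresh_1", "eth:mixer_router", 3_000_000, 300),
    Transfer("ETH", "t7", "eth:fresh_2", "eth:mixer_router", 1_200_000, 310),
    Transfer("ETH", "t8", "eth:ix_hot", "eth:merchant", 600_000, 320),          # legitimate customer
]


def trace_taint(ledger, victims, clusters=None):
    """Walk transfers in time order carrying a per-entity (total, tainted) balance.

    Victim outflows are fully tainted; any other outflow carries taint in the
    ratio tainted/total that the sending entity holds at that moment. Returns
    the balances plus the minimum hop count at which tainted value reached
    each entity.
    """
    clusters = ENTITY_OF if clusters is None else clusters
    ent = lambda a: clusters.get(a, a)
    total, tainted = defaultdict(float), defaultdict(float)
    victim_ents = {ent(v) for v in victims}
    hops = {v: 0 for v in victim_ents}
    for t in sorted(ledger, key=lambda x: x.ts):
        s, d = ent(t.src), ent(t.dst)
        if s in victim_ents:
            frac = 1.0
        elif total[s] > 0:
            frac = tainted[s] / total[s]
        else:
            frac = 0.0                    # no observed inflows: treat as clean
        dirty = t.amount_usd * frac
        if s not in victim_ents:          # victims are sources, not balances
            total[s] -= t.amount_usd
            tainted[s] -= dirty
        total[d] += t.amount_usd
        tainted[d] += dirty
        if dirty > 0 and d not in victim_ents:
            hops[d] = min(hops.get(d, float("inf")), hops[s] + 1)
    return total, tainted, hops


def mixer_exposure(ledger, victims, mixer_addrs, clusters=None):
    """Summarise how much stolen value reached the mixer and via how many hops."""
    clusters = ENTITY_OF if clusters is None else clusters
    ent = lambda a: clusters.get(a, a)
    total, tainted, hops = trace_taint(ledger, victims, clusters)
    mixer_ents = {ent(m) for m in mixer_addrs}
    victim_ents = {ent(v) for v in victims}
    stolen = sum(t.amount_usd for t in ledger if ent(t.src) in victim_ents)
    at_mixer = sum(tainted[m] for m in mixer_ents)
    return {
        "stolen_usd": stolen,
        "mixer_deposits_usd": sum(total[m] for m in mixer_ents),
        "tainted_at_mixer_usd": at_mixer,
        "share_of_stolen_at_mixer": at_mixer / stolen if stolen else 0.0,
        "min_hops_to_mixer": min((hops[m] for m in mixer_ents if m in hops), default=None),
    }


def should_alert(exposure, threshold_usd):
    """Simple escalation rule: stolen value at a watchlisted mixer above a floor."""
    return exposure["tainted_at_mixer_usd"] >= threshold_usd


if __name__ == "__main__":
    report = mixer_exposure(LEDGER, VICTIMS, MIXER)
    for k, v in report.items():
        print(f"{k}: {v}")
    print("alert:", should_alert(report, 1_000_000))
```

On the constructed ledger, $5.0M leaves the victims, $4.2M lands at the mixer, and $3.5M of that is attributable to the victims three hops out; the $600K paid to the merchant shows why haircut tracing also flags innocent recipients who share an intermediary with the thief, which is the main reason analysts cross-check it against FIFO or poison conventions before acting on it.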
Market Implications
This incident is expected to intensify short-term scrutiny on the security protocols and operational risks associated with cryptocurrency exchanges and mining operations, particularly in the Japanese market where SBI Group is a prominent player. The potential link to state-sponsored actors, specifically North Korea, introduces a significant layer of concern. Such high-profile hacks can erode investor trust and contribute to a bearish sentiment across the broader crypto market. In the long term, the event is likely to heighten awareness of sophisticated cyber threats targeting digital assets, potentially driving demand for more robust security measures and increased regulatory action against privacy-enhancing services like crypto mixers. The Financial Action Task Force (FATF) has previously warned that North Korea poses a severe state-based threat to the integrity of crypto markets, a sentiment likely to be reinforced by incidents of this nature.
Blockchain investigator ZachXBT publicly highlighted parallels between the SBI Crypto incident and known North Korean hacking methodologies. ZachXBT's extensive research indicates that North Korean IT workers are actively involved in over 25 crypto hacks and extortion schemes, infiltrating companies using fake identities to generate billions of dollars that are subsequently funneled into the nation's weapons programs. These operatives engage in sophisticated fraudulent activity beyond simple remote work, exploiting the open hiring practices common in the blockchain industry. Separately, the Lazarus Group, a North Korean state-backed hacking entity, was confirmed by the FBI to be behind the $1.5 billion Bybit hack, one of the largest crypto thefts in history. Reports from TRM Labs estimate that North Korea stole $1.6 billion in the first half of 2025, accounting for approximately 70 percent of global crypto crime by value, underscoring the systemic nature of these state-sponsored operations.
Broader Context of Mixing Services
The use of Tornado Cash in the SBI Crypto exploit aligns with a broader trend of its continued utilization by cybercriminals despite significant regulatory pressure and sanctions. In the first half of 2024, Tornado Cash saw approximately $1.9 billion in deposits, a 50% increase compared to the entirety of 2023, indicating its persistent popularity among those seeking to launder illicit funds. This includes notable incidents such as the $235 million WazirX breach, the $100 million Poloniex exploit, and substantial thefts from HECO Bridge ($166 million) and Orbit Chain ($48 million), all linked to the mixer. The US Treasury regards crypto mixers as a national security threat, a stance reinforced by legal actions such as the August 7, 2025, conviction of Tornado Cash co-founder Roman Storm on a charge of conspiring to operate an unlicensed money transmitting business. While the Treasury delisted Tornado Cash in March 2025, after a Fifth Circuit ruling in late 2024 that the mixer's immutable smart contracts are not sanctionable property, the delisting was framed as a recalibration of enforcement strategy, emphasizing accountability for operators and front-end interfaces rather than blanket approval of mixers. Regulators continue to signal that enforcement will target conduct that enables evasion and money laundering, stressing that the crypto industry must align privacy features with accountability to prevent future misuse.