A major Japanese cryptocurrency company, SBI Crypto, has suffered a $21 million cyberattack. Blockchain experts believe North Korean hackers, likely from the well-known Lazarus Group, are behind the theft. This group has been linked to several high-profile crypto hacks over the past few years.

The breach was first spotted on September 24, 2025, by blockchain investigator ZachXBT. He noticed unusual transactions from SBI Crypto’s wallets. These wallets, holding various cryptocurrencies like Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash, were emptied in a systematic way.

The stolen funds were quickly moved through five instant crypto exchanges and then sent to Tornado Cash—a crypto mixer often used to hide the origin of stolen coins. Tornado Cash was previously sanctioned by the U.S. government in 2022 for helping launder money, including funds tied to North Korea. Although legal restrictions were lifted earlier this year, concerns remain that hackers will continue to exploit the platform.

SBI Crypto is a mining pool and is fully owned by SBI Group, one of Japan’s biggest financial companies. Despite the large sum involved, SBI Crypto has not made any public statement about the hack so far.

The techniques used in this attack match patterns seen in other operations linked to North Korea’s cyber units. On-chain data shows that wallet addresses like “0x40d7” and “bc1qx0a2k” were drained and funneled through laundering tools.

This incident is part of a larger trend. In 2024 alone, North Korean hackers stole over $1.3 billion across 47 separate incidents. By the first half of 2025, that number jumped to $2.2 billion. These hackers are getting more skilled and their attacks are becoming more frequent.

Beyond hacking wallets and exchanges, North Korea has also been caught running fake job scams. In August 2025, ZachXBT exposed a North Korean operation where five individuals posed as blockchain developers using fake identities. They used forged documents, purchased Social Security numbers, and created fake profiles on job platforms like Upwork and LinkedIn.

Evidence found included fake meeting schedules, Telegram chats, and spreadsheets showing purchases of VPNs, AI tools, and other digital services. One wallet tied to this group was linked to a $680,000 hack of a crypto project called Favrr in June 2025.

These tactics have raised serious concerns in the crypto community. Some companies discovered too late that supposed team members were actually North Korean agents using fake profiles. While firms like Kraken have successfully blocked some of these applicants, others have lost large amounts of money through these fake hiring schemes and phishing attacks disguised as job offers.

North Korea is also known for advanced malware attacks. In June 2025, cybersecurity firm Cisco Talos revealed the “PylangGhost” campaign. This malware targeted crypto developers using fake coding tests and interview links. The malicious software infected over 80 browser extensions, including popular crypto wallets like MetaMask and Phantom.

U.S. authorities have started fighting back. In June, they seized $7.7 million in crypto linked to North Korean IT worker networks. They also shut down fake companies like Blocknovas LLC in South Carolina and Softglide LLC in New York, which were used as fronts for these cyber operations.

In September 2025, former Binance CEO Changpeng Zhao warned that North Korean hackers are sneaking into crypto firms through fake job applications, bribing insiders, and hiding malware in interview files.

As of now, the stolen $21 million remains missing, and SBI Crypto has yet to comment publicly on the incident. The attack adds to growing fears over North Korea’s continued targeting of the cryptocurrency world with increasingly advanced tactics.