Reports have disclosed that Japanese firm SBI Crypto saw about $21 million siphoned from company-linked wallets on September 24, 2025.
Blockchain sleuths flagged the movement, and on-chain traces show funds leaving addresses that start with “0x40d7” and “bc1qx0a2k.”
The assets included Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. As of this report, the money has not been recovered.
Suspected Lazarus Group Connections
According to blockchain analysts, the transfers followed a clear path: the stolen coins moved through five instant exchanges before being sent into Tornado Cash, the crypto mixer that US authorities sanctioned in 2022.
Source: ZachXBT
Based on reports, the same set of tactics — wallet fingerprints, timing, and routing — match other intrusions linked to the Lazarus Group, the state-linked cyber unit from the DPRK.
A US court’s decision earlier this year to lift some restrictions around mixers has raised fresh concerns that these tools can be reused to hide large thefts.
Infiltration Schemes And Fake Profiles
Investigations have shown the threat is not only technical but social. Reports have disclosed that operatives created dozens of fake identities, bought Social Security numbers, and posed as blockchain developers on platforms such as Upwork and LinkedIn.
Evidence posted on August 13 linked one such fake-developer wallet to a $680,000 exploit of the project Favrr in June 2025. The methods range from phishing and fake job offers to bribery and contractor infiltration, giving attackers ways to penetrate projects from the inside.
BTCUSD trading at $118,960 on the 24-hour chart: TradingView
A Growing Trail Of Stolen Crypto
Based on compiled forensics data, North Korean-linked groups stole more than $1.3 billion across 47 incidents in 2024. That figure jumped higher in 2025, with estimates putting thefts at about $2.2 billion in the first half of the year alone.
Malware campaigns have also been used. In June, Cisco Talos documented “PylangGhost,” a campaign that used bogus coding tests and interview sites to deliver malware.
That malware targeted over 80 browser extensions and popular wallets like MetaMask and Phantom.
Law enforcement has made some moves: US agents seized $7.7 million tied to covert networks, and the FBI dismantled front companies such as Blocknovas LLC and Softglide LLC.
The $21 million breach underscores how exposed even major firms remain to state-backed hacking campaigns. For now, the case stands as another warning: Japanese crypto firm SBI lost $21 million in suspected North Korean cyberattack.
Featured image from Gemini, chart from TradingView
Related Posts
