On September 24, 2025, withdrawals of around $21 mln were recorded from addresses linked to the SBI Crypto mining pool. The funds passed through five instant exchanges before ending up in Tornado Cash. Blockchain analysis revealed similarities with previously known attacks attributed to North Korea.
ZachXBT reported that the outflow affected Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. The funds were distributed across several addresses.
Visualization of the transactions shows that the assets were consolidated and then directed to Tornado Cash, making it difficult to trace their further movement.
ZachXBT thanked the company Cyvers for assisting in transaction analysis. The researcher continues to identify attack patterns, confirming the systematic nature of North Korean hacker groups’ activities.
North Korea Again?
The researcher noted that the nature of the transactions and the routing of funds match methods previously used by groups from North Korea. Such attacks are often accompanied by the use of mixing services to hide the sources.
The Role of Tornado Cash
Since U.S. sanctions were imposed by the Office of Foreign Assets Control (OFAC) in August 2022, Tornado Cash has been under close scrutiny. In 2023, one of its developers, Roman Storm, faced criminal charges related to sanctions violations and money laundering. Although some restrictions were lifted by courts in 2025, the protocol remains actively used for moving stolen assets.
SBI Crypto is a subsidiary of Japan’s publicly traded SBI Group and the largest mining pool in the country. At the time of publication, the company had not released any official statement regarding the incident.
Read also:
- ZachXBT Uncovered 25+ Attacks Involving North Korean Hackers Masquerading as Crypto Employees
- Attack on Shibarium Leads to $2.4 Million Loss and Network Function Suspension
This post is for informational purposes only and is not advertising or investment advice. Please do your own research before making any decisions.