SBI Crypto - Rekt



Six months after positioning itself as the white knight rescuing DMM Bitcoin's customers after a $308 million North Korean hack, SBI Crypto discovered that playing savior doesn't grant immunity from the same attackers.

September 24th turned into a $24 million disappearing act across five blockchains while Japan's "safe and secure" mining giant marketed its stability to institutional clients.

By the time ZachXBT flagged the bleeding on October 1st, the funds had already hopscotched through instant exchanges and vanished into Tornado Cash's digital fog.

SBI's response? A corporate haiku of non-information the next day, confirming an "unauthorized outflow" while promising only a "minor impact" on consolidated results.

No explanation of how. No details of when they noticed. No acknowledgment that their mining subsidiary's treasury was drained using an attack pattern reminiscent of the DMM Bitcoin compromise they'd recently absorbed.

Meanwhile, those DMM Bitcoin customers who were transferred to SBI's platform in March 2025 must be wondering: when you escape one sinking ship for another that's already taking on water, who's really getting rescued?

Credit: cryptonews, The Hacker News, CoinDesk, ZachXBT, SBI Group, CryptoSlate, MiningPoolStats, Chainalysis, CoinTelegraph, Tayvano

September 24th, 2025: Addresses linked to SBI Crypto started hemorrhaging across five blockchains - Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash.

Nobody noticed.

For a solid week, roughly $24 million sat in laundering limbo while SBI Crypto's mining operations hummed along undisturbed, producing blocks as if nothing had happened.

October 1st brought the reckoning when blockchain detective ZachXBT dropped his findings on Telegram: coordinated outflows, instant exchange routing, final destination Tornado Cash.

SBI Crypto operates as a mining pool subsidiary under SBI Holdings, Japan's publicly traded financial giant with Prime Market listing and institutional ambitions to match.

A pool of that size - almost 20 EH/s of hashrate, ranking it 12th globally among mining pools, plus over 21% of Bitcoin Cash's hashrate - had maintained complete radio silence.

Hours stretched into days while the crypto community watched funds that were already being laundered.

ZachXBT's Telegram post noted several indicators sharing similarities with known DPRK attacks - the instant exchange routing, the Tornado Cash endpoint, the multi-chain coordination.

Zach credited Cyvers with helping the investigation, confirming what the blockchain was screaming: this wasn't amateur hour.

Seven days after the theft, with the evidence already public and the money already gone, how long does it take a publicly traded financial giant to acknowledge they've been robbed?

Corporate Non-Answers

October 2nd finally brought SBI Holdings' response: "Notice Regarding the Unauthorized Outflow of Crypto Assets at SBI Crypto Co., Ltd."

The headline promised information. The content delivered corporate fog.

SBI Holdings confirmed an "unauthorized outflow of crypto assets owned as its own assets" at their mining subsidiary.

They were "conducting a thorough investigation into the cause of the incident and the amount of assets that were lost."

Translation: we got drained, we're not sure how, and we're still counting the damage.

The statement assured customers the impact on consolidated financial results would be "minor" - a curious claim for a company that hadn't finished tallying what disappeared.

More importantly, SBI VC Trade and BITPoint Japan, the domestic exchange arms, remained untouched. Customer funds safe, no unauthorized outflows, business as usual.

That last part mattered because just ten months earlier, SBI VC Trade had positioned itself as the new home for DMM Bitcoin's customers after their $308 million North Korean hack.

Now SBI's mining subsidiary was bleeding funds through what looked suspiciously like the same attack pattern.

The statement closed with a vague mention of "possible business restructuring going forward" for SBI Crypto's operations.

Restructuring? The mining pool that just got gutted might need more than a corporate reorganization chart.

What SBI's statement didn't mention proved more interesting than what it did: no explanation of the attack vector, no timeline of detection, no acknowledgment that their "thorough investigation" was seven days late to a party blockchain sleuths had already documented.

When your “disclosure” consists of confirming what everyone already knew, skipping the questions that actually matter, what is SBI even investigating?

Five Chains, One Heist

September 24th's coordinated drain spread across Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash - a multi-chain operation that required either extensive preparation or intimate knowledge of SBI Crypto's wallet infrastructure.

Maybe both.

The theft addresses tell the story of a systematic extraction:

Ethereum:
0x40d76a78ddba2ea81fb0f9fba147a08bcfc2b866

Bitcoin:
bc1qx0a2kfjd7eweczv8xqjm6rggm40v0nkhfss78l

Bitcoin Cash:
qpv9nh5ktagsmtkqle8z2w4dd3mksskpmy499z7c9k

Litecoin:
ltc1qjyrn9p803efj3p8a0g3fmlevs45kq704ns363t

Dogecoin:
DRiEQuJ9pt3GgNraQmHVTjNg4B7uv1XuGb

Roughly $24 million vanished across these five wallets in movements timed close enough to suggest coordination, distant enough to avoid triggering automated security alerts that might have been watching for simultaneous drains.

Mining pools hold cryptocurrency in hot wallets for operational needs - collected block rewards, miner earnings accumulated between payouts, liquidity for those payouts.

SBI Crypto's pool-level wallets became the target.

Hot wallets stay online by design, and millions flow through them every day: predictable money, accessible keys, multiple external touchpoints.

Attackers don't usually guess which wallets hold the treasury across five different blockchains.

Someone knew exactly where SBI Crypto kept its funds, which chains to hit, and which addresses controlled the liquidity.

Reconnaissance that thorough takes time. Did someone spend weeks mapping SBI's wallet architecture, or did they already have the blueprint?

Laundry Time

September 24th: Five blockchains drained simultaneously, funds moving before anyone noticed the breach.

Starting with Ethereum.

Attacker’s Wallet on Ethereum:
0x40d76a78ddba2ea81fb0f9fba147a08bcfc2b866

$6.4 million stolen from SBI Crypto's pool address (labeled on Arkham): 0x9f25779098c5632da2ec55d161c4e5f2afc4e0ec

The systematic splits started immediately.

1,443 ETH moved to the following laundering address: 0xd2C8EDe41fb84d18353A7ABBcf6448f2E6B664e0

From there: 924 ETH to Tornado Cash across 15 separate transactions. 30 ETH to SideShift instant exchange in two 15 ETH batches.

Then came the audacious move: 246 ETH cycled back through SBI Crypto's own pool address before routing to OpenOcean DEX via Rabby wallet. Using the victim's infrastructure to launder the victim's funds - and since nothing leaves an address without its key, that spend also tells you the pool address was still under attacker control at that point, not yet rotated.

Total Stolen on Ethereum: $6.4 million

But most of the damage was done on Bitcoin.

Attacker’s Address on Bitcoin:
bc1qx0a2kfjd7eweczv8xqjm6rggm40v0nkhfss78l

$17.45 million drained from multiple SBI wallets (labeled by Arkham):
bc1qte0s6pz7gsdlqq2cf6hv5mxcfksykyyyjkdfd5
bc1qrpp7g75sx3ejclvsfdw2uahzchtyu7vumkuadu
bc1q8uyg2xpp6vjlmn0g5c9kujr7scm4hry5g67uqe
bc1qe2esaxek04jx7vn2eelu4u7fee90cd6nh09dhn

143.2 BTC is sitting there as of October 3rd. Visible. Untouched. Waiting.

Either the attackers are playing the long game, waiting for heat to die down, or moving that much Bitcoin draws attention they're not ready for yet.

Things got trickier on the other three chains.

Starting with Bitcoin Cash.

Attacker's Wallet on Bitcoin Cash:
qpv9nh5ktagsmtkqle8z2w4dd3mksskpmy499z7c9k

126.56 BCH stolen from SBI Crypto's wallet (not labeled by Arkham): qqzxuj5qvglktpq49v2wrg790a935z3cyssnfg4n4x

Immediately split between two addresses - 25.56 BCH to one, 101 BCH to another.

Then the money hopped. And hopped. And hopped again.

The 101 BCH batch fractured through a classic peel chain - a little to one address, most to another, repeat - with each hop whittling the amount down through fees and obfuscation costs.

As of October 3rd, the funds were still being transferred every few hours.

Total Stolen on Bitcoin Cash: $67,874

On to Litecoin…

Attacker's Wallet on Litecoin:
ltc1qjyrn9p803efj3p8a0g3fmlevs45kq704ns363t

719 LTC stolen from two SBI Crypto wallets (not labeled on Arkham):
ltc1qczll7dppteakes3drx004e86um85pwvzzwwpyq
ltc1qn9hdc32jakpyavtnujvr7k08acwh8sg8qywjcy

The theft came in two waves: 504 LTC from the first wallet. 214 LTC from the second, assembled from multiple smaller batches.

Then the splits began: 119 LTC to one address, 385 LTC to another.

Multiple hops followed, each designed to fragment the trail.

Total Stolen on Litecoin: $76,343

Finally on to Dogecoin.

Attacker's Wallet on Dogecoin:
DRiEQuJ9pt3GgNraQmHVTjNg4B7uv1XuGb

~180K DOGE drained from SBI Crypto's wallet (as labeled by Arkham): DJJ9Rdcuama5GEjJo2oYfeKdvQEXA54BVL

The theft happened in two separate waves:

First: 92,115 DOGE
Second: 87,893 DOGE

The funds then routed through a cluster of FixedFloat exchange addresses - each transfer splitting the amount further, each hop making the money harder to follow.

Total Stolen on Dogecoin: $42,718

Total Stolen across all 5 chains: ~ $24 million

While the Bitcoin Cash and Litecoin source wallets lack Arkham labels, on-chain analysis ties them to the September 24th attack.
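Following splits like these is mechanical once the transfers are in hand. Below is an added example, not the article's own analysis or anyone's production tooling: a haircut taint tracer that carries the sender's tainted fraction through every hop (including the 246 ETH bounced back through the victim address) and buckets what lands at labelled endpoints, plus a detector for the two-output peel chains seen on BCH and LTC. The transactions are constructed stand-ins - the Ethereum leg mirrors the figures above, with the Tornado deposits modelled in its fixed 100/10/1 ETH denominations, and the BCH chain is invented - and the address names are placeholders, not the real ones.

```python
"""Haircut taint tracing plus peel-chain detection over a CONSTRUCTED transfer set.
Added example for this article; the amounts echo the Ethereum figures in the
text, the BCH peel chain is invented, and every address name is a placeholder."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    seq: int           # ordering proxy (block height / timestamp)
    sender: str
    outputs: tuple     # ((to, amount), ...) so UTXO-style splits are one tx
    theft: bool = False  # marks the unauthorized outflow where taint originates


# Tornado Cash pools take fixed denominations, so 924 ETH in 15 deposits is
# modelled as 9x100 + 2x10 + 4x1 ETH.
ETH_TXS = [
    Tx(1, "sbi_pool_eth", (("attacker_eth", 1443),), theft=True),
    Tx(2, "attacker_eth", (("launder_eth", 1443),)),
    *[Tx(3 + i, "launder_eth", (("tornado_100", 100),)) for i in range(9)],
    *[Tx(12 + i, "launder_eth", (("tornado_10", 10),)) for i in range(2)],
    *[Tx(14 + i, "launder_eth", (("tornado_1", 1),)) for i in range(4)],
    Tx(18, "launder_eth", (("sideshift_deposit", 15),)),
    Tx(19, "launder_eth", (("sideshift_deposit", 15),)),
    Tx(20, "launder_eth", (("sbi_pool_eth", 246),)),      # back through the victim
    Tx(21, "sbi_pool_eth", (("openocean_router", 246),)),  # victim address spends again
]

# Invented peel chain: each hop has two outputs, the big one carries on.
BCH_TXS = [
    Tx(1, "sbi_pool_bch", (("attacker_bch", 101),), theft=True),
    Tx(2, "attacker_bch", (("peel_1", 3), ("hop_1", 98))),
    Tx(3, "hop_1", (("peel_2", 5), ("hop_2", 93))),
    Tx(4, "hop_2", (("peel_3", 4), ("hop_3", 89))),
    Tx(5, "hop_3", (("peel_4", 6), ("hop_4", 83))),
]

LABELS = {  # placeholder entity labels for the constructed endpoints
    "tornado_100": "mixer", "tornado_10": "mixer", "tornado_1": "mixer",
    "sideshift_deposit": "instant exchange",
    "openocean_router": "dex",
}


def trace(txs, initial_balances):
    """Haircut taint: each spend carries the sender's current tainted fraction.
    Returns {address: tainted amount} after the last tx.  Raises if a sender
    spends more than the data set shows it holding, because a missing inflow
    silently corrupts every downstream fraction."""
    bal = defaultdict(float, initial_balances)
    taint = defaultdict(float)
    for tx in sorted(txs, key=lambda t: t.seq):
        total = sum(amt for _, amt in tx.outputs)
        if bal[tx.sender] + 1e-9 < total:
            raise ValueError(f"{tx.sender} spends {total} holding {bal[tx.sender]} at seq {tx.seq}")
        frac = 1.0 if tx.theft else taint[tx.sender] / bal[tx.sender]
        for to, amt in tx.outputs:
            bal[to] += amt
            taint[to] += amt * frac
        bal[tx.sender] -= total
        if not tx.theft:          # theft creates taint; it does not consume any
            taint[tx.sender] -= total * frac
    return dict(taint)


def attribute(taint, labels, eps=1e-9):
    """Bucket tainted value still sitting at each address by entity label."""
    buckets = defaultdict(float)
    for addr, amt in taint.items():
        if amt > eps:
            buckets[labels.get(addr, "unlabelled (still held)")] += amt
    return dict(buckets)


def peel_chain(txs, start, keep_ratio=0.8):
    """Follow a peel chain from `start`: each hop is a single spend with exactly
    two outputs where the larger (>= keep_ratio of the total) continues.
    Returns (addresses along the chain, peeled-off (address, amount) pairs)."""
    spends = defaultdict(list)
    for tx in txs:
        spends[tx.sender].append(tx)
    path, peeled, cur = [start], [], start
    while len(spends.get(cur, [])) == 1 and len(spends[cur][0].outputs) == 2:
        (small_to, small), (big_to, big) = sorted(spends[cur][0].outputs, key=lambda o: o[1])
        if big < keep_ratio * (small + big):
            break
        peeled.append((small_to, small))
        path.append(big_to)
        cur = big_to
    return path, peeled


if __name__ == "__main__":
    print(attribute(trace(ETH_TXS, {"sbi_pool_eth": 1443}), LABELS))
    path, peeled = peel_chain(BCH_TXS, "attacker_bch")
    print(" -> ".join(path), "| peeled off:", sum(a for _, a in peeled), "BCH")
```

The balance check in trace() is the caveat that matters in practice: haircut fractions are only right when the data set contains every inflow to every address on the path, so one missing deposit silently shrinks what you attribute to the mixer.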

Someone calculated how to split the haul - large enough to be worth moving, small enough to stay under per-transaction monitoring thresholds.

Every swap followed a route. Every split followed a pattern. Every move suggested experience with exactly this kind of operation.

The attackers understood the infrastructure well enough to extract maximum value while minimizing on-chain exposure: which aggregators offered the best rates, which protocols provided privacy, how to break large sums into pieces that wouldn't trip automated monitoring.
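What monitoring built for this looks like, as an added example (not SBI's code and not the article's): a per-transaction limit is the rule a structured drain is designed to beat, so the two rules worth having are a rolling window that sums outflows from every treasury wallet on every chain, and a flag for value leaving to an address that has never received a payout before. The events, wallet names, payout baseline and timings below are constructed; only the per-chain USD totals echo the figures above.

```python
"""Treasury-outflow monitoring over CONSTRUCTED events: a per-tx threshold misses
a drain split into sub-limit pieces across five chains, a cross-chain rolling
window and a new-destination check do not.  Added example; the per-chain USD
totals echo the article, everything else (timings, names, baseline) is assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outflow:
    t_min: int   # minutes relative to the first theft transfer (constructed)
    chain: str
    wallet: str  # treasury hot wallet the funds left
    to: str      # destination address
    usd: int     # value at the time, whole USD (constructed)


# Constructed: routine payouts to known miner addresses around a drain that is
# split into sub-$5M pieces across five chains within about 45 minutes.
EVENTS = [
    Outflow(-600, "eth", "pool_eth", "miner_a", 120_000),
    Outflow(-300, "btc", "btc_w1", "miner_b", 200_000),
    Outflow(0, "eth", "pool_eth", "0xAttackerEth", 3_200_000),
    Outflow(6, "eth", "pool_eth", "0xAttackerEth", 3_200_000),
    Outflow(10, "btc", "btc_w1", "bc1qAttacker", 4_400_000),
    Outflow(13, "btc", "btc_w2", "bc1qAttacker", 4_350_000),
    Outflow(17, "btc", "btc_w3", "bc1qAttacker", 4_350_000),
    Outflow(21, "btc", "btc_w4", "bc1qAttacker", 4_350_000),
    Outflow(25, "bch", "bch_w", "qAttackerBch", 67_874),
    Outflow(30, "ltc", "ltc_w1", "ltc1qAttacker", 53_500),
    Outflow(34, "ltc", "ltc_w2", "ltc1qAttacker", 22_843),
    Outflow(40, "doge", "doge_w", "DAttackerDoge", 21_859),
    Outflow(45, "doge", "doge_w", "DAttackerDoge", 20_859),
    Outflow(120, "doge", "doge_w", "miner_c", 9_000),
]
KNOWN_PAYOUT_ADDRESSES = {"miner_a", "miner_b", "miner_c"}  # assumed allowlist
TYPICAL_DAILY_OUTFLOW_USD = 600_000                         # assumed baseline


def per_tx_threshold(events, limit_usd=5_000_000):
    """Naive rule: alert on any single outflow above limit_usd.  Structured
    splits are sized precisely so this returns nothing."""
    return [e for e in events if e.usd > limit_usd]


def rolling_outflow(events, window_min=24 * 60, multiple=5,
                    baseline=TYPICAL_DAILY_OUTFLOW_USD):
    """Sum treasury outflows across every wallet and chain in a rolling window;
    alert when the peak window exceeds `multiple` x the normal daily outflow.
    Returns the peak window (or None) so the analyst sees what chains moved."""
    evs = sorted(events, key=lambda e: e.t_min)
    best, start, total = None, 0, 0
    for i, e in enumerate(evs):
        total += e.usd
        while evs[start].t_min < e.t_min - window_min:   # slide the window
            total -= evs[start].usd
            start += 1
        if best is None or total > best["total_usd"]:
            best = {"window_end_min": e.t_min, "total_usd": total,
                    "chains": frozenset(x.chain for x in evs[start:i + 1])}
    return best if best and best["total_usd"] > multiple * baseline else None


def novel_destinations(events, known):
    """Value sent to addresses that have never received a payout before.
    Miner payouts recur to the same addresses; a treasury-sized transfer to a
    first-seen address on a chain is the drain's signature."""
    out = defaultdict(int)
    for e in events:
        if e.to not in known:
            out[e.to] += e.usd
    return dict(out)


if __name__ == "__main__":
    print("per-tx alerts:", per_tx_threshold(EVENTS))
    print("rolling window:", rolling_outflow(EVENTS))
    print("novel destinations:", novel_destinations(EVENTS, KNOWN_PAYOUT_ADDRESSES))
```

The rolling window deliberately keys on the treasury as a whole rather than per wallet or per chain, because the article's point is that the pieces were each unremarkable; only the cross-chain sum looked like a heist.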

By the time the funds hit instant exchanges - those sketchy platforms that swap crypto for crypto with minimal KYC - the trail had been sufficiently obscured through multiple wallets and protocol hops.

The entire laundering operation took hours for some chains, days for others. Different strategies per asset - speed and sophistication for Ethereum, patience for Bitcoin, maximum fragmentation for the rest.

Professional execution - enough crumbs for sleuths to follow, none for anyone to get the money back.

When your attackers demonstrate better operational discipline than your security infrastructure, what does that say about whose operation runs more professionally?

The forensics showed what happened. The blockchain recorded every move.

But one key element is missing from this story. How did they get in?

The Mystery SBI Has Yet to Explain

SBI Holdings confirmed the unauthorized outflow but skipped the most important part: how did attackers drain wallets across five different blockchains?

Two possibilities emerge from their silence, both embarrassing for a company marketing institutional-grade security.

Someone got the keys. Hot wallet private keys mean total control - no approvals needed, no exploit chains required. You have the key, you own the wallet.

Private key compromises grabbed 43.8% of stolen crypto in 2024 for a reason: simplicity wins.

Keys leak a hundred different ways. Phishing emails. Malware. Keyloggers recording every keystroke. Plaintext files saved to cloud storage. Vendors with too much access.

One weak link anywhere in the chain, and $24 million walks out the door.

Even Tayvano had been sending out warning signs about the fake Zoom SDK update lure, “begging you to stop updating your zoom sdk it doesn’t update your sdk it’s just malware.”

SBI Crypto knows vendor problems.

They filed a lawsuit against Whinstone US back in 2023 for fraud and negligence after the Texas facility delivered corroded, dusty mining equipment missing basic filters.

That lawsuit showed a pattern of SBI trusting partners who failed to deliver.

Trust the wrong vendor with wallet infrastructure, and your security becomes their problem to lose.

Or maybe attackers never needed the keys.

Supply chain attacks target the infrastructure itself - production servers, account logic, security controls.

BigONE got hit this way in July when hackers modified their risk control servers.

SwissBorg watched their staking partner Kiln's API get compromised in September, burying authorization instructions inside routine transactions before draining $41.5 million.

Suspicious timing: September 2025 saw SBI's Zodia Custody joint venture collapse the same month as the mining pool hack.

Custody venture folds, mining operation bleeds millions, all inside one month.

Whinstone lawsuit. DMM Bitcoin absorption. Zodia dissolution. And now this theft.

SBI's track record keeps circling back to partnerships that explode.

ZachXBT spotted the tell-tale signs - instant exchanges, Tornado Cash, multi-chain coordination.

Classic DPRK moves. Lazarus Group wrote the playbook for both attack types.

They've social engineered their way to private keys, which often involves targeting developers and employees with lucrative job opportunities to plant malicious scripts disguised as employment tests.

DMM Bitcoin died that way in May 2024.

A North Korean operative posed as a recruiter, targeted a Ginco employee who managed DMM's wallets, and sent them a URL to a malicious Python script hosted on GitHub as part of a supposed pre-employment test.

The employee copied the script to their own GitHub page. Weeks later the attackers used that foothold to impersonate the employee inside Ginco's communications system and tamper with a legitimate DMM transaction request, then poof… 4,502.9 BTC, about $308 million, gone.

Six months after SBI absorbed those DMM victims, their mining arm gets drained using similar tactics.

Either DPRK recognized another soft target or they never left town after the first job.

SBI won't say which scenario played out. Private keys or infrastructure?

Inside job or external breach?

Their silence suggests either active law enforcement cooperation or embarrassment too deep to acknowledge publicly.

Mining pools manage predictable flows with known patterns, and hitting five blockchains at once takes either extensive reconnaissance or inside knowledge - someone studied SBI's architecture or already had the map.

We're guessing because SBI decided "unauthorized outflow" constituted sufficient disclosure for a publicly traded company managing institutional infrastructure.

When your corporate transparency falls below the public blockchain recording your theft, whose investigation deserves trust?

SBI Crypto joined an expensive club nobody wants membership in: Japanese crypto companies that marketed security while hemorrhaging funds to North Korean hackers.

$24 million vanished through operational failures SBI refuses to explain, using attack patterns matching the same threat actors who destroyed the exchange they'd just absorbed.

The company that positioned itself as DMM Bitcoin's savior got owned by what looks suspiciously like DMM's executioners, then responded with corporate statements so vague they could've been auto-generated.

September's Zodia Custody collapse, followed immediately by the mining pool drain, suggests problems deeper than a single breach.

SBI's pattern reads consistent: trust partners, get burned, litigate or acquire the wreckage, repeat.

Whether attackers stole private keys or compromised infrastructure remains SBI's secret.

Their silence protects either an ongoing investigation or reputational damage too severe to acknowledge.

Mining pools managing institutional flows across five blockchains don't usually get systematically drained without inside knowledge or extensive reconnaissance - someone either studied SBI's architecture for months or already had the blueprint.

Those DMM Bitcoin customers who transferred to SBI's "secure" platform in March now occupy the uncomfortable position of trusting a company that couldn't protect its own treasury six months after marketing itself on security credentials.

When the white knight's armor turns out to be rented, and the castle they're defending has unguarded backdoors, who exactly got rescued?

