SBI Crypto confirms devastating $21 million theft as attackers target mining infrastructure tied to North Korea

Ruta Deshpande

Ruta Deshpande is the Co-founder of Regtechtimes and covers the global desk. She specialises in Department of Justice, SEC and EU actions.

In September 2025, attackers carried out a major cyber heist that drained around $21 million from SBI Crypto, the mining-pool division of Japan’s SBI Group. At first glance, it looked like another theft in the cryptocurrency industry. But investigators revealed that this case was different. Instead of targeting a custodial exchange account, the attackers went after mining infrastructure itself.

How $21 Million Was Drained from SBI Crypto

Mining pools are essential to how cryptocurrencies like Bitcoin and Ethereum operate. Thousands of individual miners join these pools to combine their computing power and share rewards. The pool operator coordinates this process and distributes payouts. Because of this role, the pool operator holds the keys to payment systems that handle large sums of money. By attacking SBI Crypto’s mining infrastructure, the hackers gained direct control over how rewards were distributed.

Blockchain investigators observed coordinated outflows of several cryptocurrencies, including Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. Funds were quickly moved through instant exchanges and mixing services designed to hide their origin. This technique resembled earlier cyber operations linked to North Korea, where attackers often use rapid swaps, cross-chain bridges, and sanctioned mixers to conceal stolen assets.

Why Mining Infrastructure Became the Target

Mining pools are attractive targets because they centralize both computing power and money. Instead of attacking thousands of individual miners, hackers only need to break into one pool operator’s systems to access large payouts. Once inside, they can manipulate payment tools to redirect rewards to their own wallets.

The SBI Crypto attack showed how attackers exploited these weak points. Mining pools must handle thousands of miner connections at the same time, often with minimal security checks so as not to slow down operations. Many pools, including SBI Crypto, run web dashboards, servers, and automated payment systems that are constantly exposed to the internet. These systems sometimes run outdated software or use weak authentication, creating opportunities for attackers to get in.

Once hackers gained access, they were able to manipulate the payout systems. Instead of miners receiving their fair share, the rewards were sent to the attackers’ wallets. Because mining pools such as SBI Crypto are responsible for distributing rewards from block creation, this redirection could be done in real time without raising immediate alarms.

Security analysts explained that mining infrastructure offers more than just financial gain. In the SBI Crypto case, attackers could also use access to disrupt mining operations by withholding blocks, censoring transactions, or slowing down parts of the network. This makes the threat not only about money but also about control over how cryptocurrency networks operate.

North Korea’s Strategic Shift in Cyber Operations

For years, North Korea has been linked to large-scale cryptocurrency thefts. Earlier attacks mostly focused on exchanges and custodial services where users store their coins. But the SBI Crypto case marks a shift. It shows that state-sponsored hackers are expanding their focus to the very infrastructure that powers cryptocurrencies.

This change in tactics follows a pattern. North Korean cyber units have developed modular teams specializing in different types of attacks. Some focus on stealing from exchanges, while others target software supply chains or mining platforms. This division of labor allows them to carry out complex, large-scale operations with high precision.

The stolen funds are believed to support the country’s economy and programs that are restricted by international sanctions. By targeting mining pools, the attackers gain both financial benefits and potential leverage over how cryptocurrencies function. This creates a dual advantage: money for funding and influence over critical digital systems.

The SBI Crypto heist is part of a broader pattern of cyber activity tied to North Korea. In earlier cases, hackers were seen draining funds from exchanges and quickly laundering them through mixers and instant swaps. In this case, the same laundering techniques were applied, but the initial theft came from mining infrastructure instead of an exchange.

This attack demonstrates the growing risks faced by the cryptocurrency industry. Mining pools, built to provide efficiency and fairness for miners, are now being exploited as high-value targets. The incident highlights how state-sponsored actors are evolving their methods and shifting their focus from traditional exchange thefts to the deeper layers of digital infrastructure.
