LONDON – Blockchain data shows that a major Cambodian payments company received more than $150,000 in cryptocurrency from a digital wallet used by the North Korean Lazarus hacking group, offering a glimpse into how the criminal group launders money in Southeast Asia.
Huione Pay, a Phnom Penh-based company that provides foreign currency exchange, payments and remittance services, received the cryptocurrency between June 2023 and February of this year, according to previously unreported blockchain data reviewed by Reuters.
According to two blockchain analysts, the cryptocurrency was transferred to Huione Pay from an anonymous digital wallet that was used to deposit funds stolen by the Lazarus hackers from three cryptocurrency companies in June and July of last year, primarily through phishing attacks.
The FBI said in August 2023 that Lazarus had stolen roughly $160 million from three cryptocurrency companies: Estonia-based Atomic Wallet and CoinsPaid, and St. Vincent and the Grenadines-registered Alphapo. The bureau did not provide details. These were the latest in a series of heists by Lazarus, which the U.S. says is funding North Korea’s weapons program.
The United Nations has said cryptocurrencies allow North Korea to evade international sanctions. That, in turn, may help it pay for prohibited goods and services, according to the Royal Institute for Security Studies, a London-based defence and security think tank.
In a statement, Huione Pay’s board of directors said it was unaware that the company had “indirectly received funds” from the hack, citing multiple transactions between its wallet and the hacker as the reason it was unaware. The wallet to which the funds were transferred was not under the company’s control, Huione said.
Third parties have no control over transactions between wallets outside their control, but blockchain analysis tools could enable companies to identify high-risk wallets and block transactions from them, cryptocurrency security experts say.
Huione Pay, which has three directors including Hun Tho, a cousin of Prime Minister Hun Manet, declined to disclose why it received funds from the wallet or provide details about its compliance policies. The company said Hun Tho’s duties as a director did not include day-to-day oversight of operations.
Reuters reached out to Hun Tho for comment but could not reach him. Reuters has no evidence that Hun Tho or any member of Cambodia’s royal family had any knowledge of the cryptocurrency transactions.
The National Bank of Cambodia (NBC) said in a statement to Reuters that payment companies such as Huione are not allowed to trade any cryptocurrencies or digital assets. In 2018, the bank said it imposed the ban to avoid investment losses due to cryptocurrency volatility, cybercrime and the anonymous nature of the technology, which “may pose risks for money laundering and terrorist financing.”
NBC told Reuters it would “not hesitate to take any corrective action” against Huione but did not say whether such measures were planned. North Korea’s mission to the United Nations in New York did not respond to a request for comment. An official at North Korea’s mission to the United Nations in Geneva told Reuters in January that previous reports about Lazarus were “all speculation and misinformation.”
Atomic Wallet and Alphapo did not respond to requests for comment. CoinsPaid told Reuters its data showed that $3,700 worth of cryptocurrency stolen from the company ended up in Huione Pay wallets.
Cryptocurrencies are anonymous and trade outside of the traditional banking system, but their movement can be traced on the blockchain, a public, immutable ledger that records the amount of cryptocurrency transferred from wallet to wallet and when the transaction occurred.
Huione Pay is one of a number of payment platforms and over-the-counter (OTC) brokers that received a large portion of the cryptocurrencies stolen in the Atomic Wallet hack, U.S. blockchain analytics firm TRM Labs told Reuters in a statement. Brokers connect buyers and sellers of cryptocurrencies and offer traders a higher level of privacy than crypto exchanges.
In a statement, TRM said the hackers also used complex money laundering techniques to cover their tracks and convert the stolen crypto into various cryptocurrencies, including Tether (USDT), a so-called “stablecoin” that maintains a stable value in dollars. Tether transactions were made using the Tron blockchain, a fast-growing ledger popular for its speed and low cost, TRM added.
“The majority of the funds appear to have been converted to USDT on the Tron blockchain and sent to exchanges, services and OTCs, one of which was Huione Pay,” TRM Labs told Reuters of the hackers’ actions, without providing further details.
A spokesperson for Tron, which is registered in the British Virgin Islands, said, “Tron condemns the misuse of blockchain technology and is committed to fighting these and other bad actors in all forms and locations.” The spokesperson did not comment directly on the Atomic Wallet hack.
Ago Ambur, head of Estonia’s Cybercrime Bureau, said Estonia’s investigations into the Atomic Wallet and CoinsPaid hacks in 2023 are continuing. St. Vincent and the Grenadines Cybercrime Police did not respond to a request for comment on the Alphapo hack.
Red Flag
Merkle Science, a U.S. blockchain analytics firm that serves law enforcement agencies in the U.S. and U.K. and has previously investigated the Lazarus Heist, examined the movement of coins from the 2023 hack for Reuters.
The company’s CEO, Mriganka Patnaik, said tracing funds from Lazarus attacks is difficult due to the complex methods used to hide the money trail.
Merkle Science said its investigation found three “hops,” or transfers, from the Atomic Wallet hackers to the anonymous wallet that later sent the funds to Huione. Transfers between multiple cryptocurrency wallets are usually a red flag for organizations attempting to launder money, according to financial crime experts and blockchain analysts.
According to data uncovered by Merkle Science, between June and September 2023, the Lazarus hackers targeting Atomic Wallet transferred approximately $87,000 worth of Tether to an anonymous wallet, which also received approximately $15,000 worth of Tether stolen from CoinsPaid and Alphapo.
The UN said in January that Lazarus shared a money laundering network with criminals in Southeast Asia, but did not name the platforms involved.
Jeremy Douglas, former Southeast Asia regional director for the United Nations Office on Drugs and Crime, said the region is rife with unregulated cryptocurrency service providers and online casinos operating as “underground banks.” He declined to comment on Huione.
Groups like Lazarus try to stay ahead of law enforcement by using technology and infrastructure spread across Southeast Asia, which is a key capability for them, he added.
“Southeast Asia has in many ways become the global epicenter and primary testing ground for high-tech money laundering and cybercrime activity,” he said.
Last year, the Financial Action Task Force (FATF), the G7’s anti-illicit finance body, removed Cambodia from its “grey list” of countries with deficiencies in anti-money laundering measures, citing improvements to its regime.
However, a FATF spokesman pointed Reuters to a 2021 report which found “significant deficiencies” in Cambodia’s illicit finance regulations for cryptocurrency companies, adding that the assessment still stands.
The National Bank of Cambodia has announced that it is drafting regulations to identify and punish the use of cryptocurrencies in illegal activities such as fraud, money laundering, and cybersecurity threats.