According to blockchain data, a significant Cambodian payment company has received cryptocurrency exceeding $150,000 from a digital wallet linked with North Korean cybercriminal group Lazarus. This demonstrates how the illicit organization launders money in Southeast Asia.

Huione Pay, a Phnom Penh-based company that provides currency exchange, payment and remittance services, received the cryptocurrency between June 2023 and February of this year, according to previously undisclosed blockchain data analyzed by Reuters.
According to two blockchain analysts, Lazarus hackers used an anonymous digital wallet to deposit funds stolen from three crypto companies through phishing attacks in June and July of last year. Cryptocurrency was then sent from that wallet to Huione Pay.
In August 2023, the FBI disclosed that Lazarus had stolen approximately $160 million from three separate crypto companies.
The affected firms were Atomic Wallet and CoinsPaid, both based in Estonia, as well as Alphapo, which is registered in Saint Vincent and the Grenadines.
The thefts were part of a string of robberies that US authorities attribute to Lazarus and say finance Pyongyang’s arms initiatives. Specific details regarding this latest breach have not been released.
The Royal United Services Institute, a defence and security think tank based in London, has indicated that cryptocurrency enables North Korea to evade global sanctions. This can facilitate the payment for prohibited commodities and services by the country.
According to a statement from Huione Pay’s board, the company was unaware of receiving funds indirectly from the hacks due to multiple transactions between its wallet and the source of the hack. The wallet that sent the money was not under its management.
Crypto security experts state that although third parties cannot manipulate transactions involving wallets outside their purview, companies can use blockchain analysis technology to detect and avoid high-risk wallet interactions.
Huione Pay, a company with three directors including Hun To – who is the cousin of Prime Minister Hun Manet – has chosen not to disclose why it received funds from the wallet or share its compliance policies.
The company clarified that although Hun To holds a directorship position, he doesn’t oversee day-to-day operations.
Hun could not be reached by Reuters for a statement. There is no proof in possession of the news agency to suggest any awareness on Hun To’s or Cambodia’s ruling family’s part concerning the crypto transactions.
The National Bank of Cambodia (NBC) stated that Huione and similar payment firms were prohibited from engaging in any transactions or trading involving digital assets and cryptocurrencies.
The ban, which was implemented in 2018, aimed to prevent investment losses due to crypto’s instability as well as cybercrime concerns connected with anonymity technology “which could expose money laundering risks while promoting terrorism financing.”
NBC informed Reuters that it might take necessary corrective actions against Huione, but did not confirm if any such action was imminent. There has been no response from the North Korean mission to the United Nations in New York when asked for comments.
In January, a representative at their mission in Geneva claimed that earlier reports regarding Lazarus were unsubstantiated and based on rumors.
Requests for comment from Atomic Wallet and Alphapo remained unanswered. According to CoinsPaid’s own data, stolen cryptocurrency with a value of $3,700 was transferred into the Huione Pay wallet.
Despite being anonymous and operating outside of traditional banking systems, cryptocurrency transactions leave a traceable trail on the blockchain.
This is because the blockchain acts as an unalterable public ledger that documents when crypto was sent between wallets and how much was involved in each transaction.
According to TRM Labs, a blockchain analysis company based in the United States, Huione Pay was among several payment platforms and over-the-counter brokers that obtained most of the cryptocurrency stolen during the Atomic Wallet hack.
Over-the-counter brokers facilitate crypto transactions between buyers and sellers while providing traders with more privacy compared to exchanges. This statement has been reported by Reuters.
TRM stated that the hackers utilized a complex process to obscure their trail by transferring the pilfered crypto into several digital currencies such as tether (USDT).
Tether is classified as a “stablecoin” that maintains an unwavering value in US dollars. Using the Tron blockchain, which is known for its rapidity and affordability, they conducted transactions with tether according to TRM’s announcement.
TRM Labs said the hackers seemed to have converted most of the funds into USDT on the Tron blockchain and then transferred them to exchanges, services, and OTC brokers. One such service was Huione Pay, although no additional information was provided.
Tron, registered in the British Virgin Islands, expressed its condemnation of any exploitation of blockchain technologies and committed to combatting such acts along with other malign parties. However, the spokesperson declined to provide a direct statement regarding the Atomic Wallet hack.
According to Ago Ambur, the director of Estonia’s cybercrime bureau, the investigation into the Atomic Wallet and CoinsPaid hacks in 2023 remains ongoing. Saint Vincent and the Grenadines’ cybercrime police have not responded to a request for comment on the Alphapo hack.
RED FLAG
Merkle Science, a blockchain analysis firm based in the United States that serves law enforcement agencies in America and Britain, analyzed the flow of coins from 2023 hacks for Reuters.
The company has previously investigated Lazarus heists as well.
Tracing the funds from the Lazarus attacks posed a challenge for its CEO, Mriganka Pattnaik, as elaborate techniques were utilized to obscure the money trail.
According to Merkle Science’s findings, there were three transfers from the Atomic Wallet hackers to an anonymous wallet before it was used to transfer funds to Huione.
Financial crime experts and blockchain analysts warn that transferring money between multiple cryptocurrency wallets is often indicative of attempts at laundering funds.
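The point about the public ledger and the multi-hop transfers described above can be made concrete with a small screening sketch. This is an added example, not code from Reuters, TRM Labs or Merkle Science; the ledger, wallet names and the taint-first accounting rule are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed ledger, not real chain data: (time, sender, receiver, USDT amount).
# All wallet names are hypothetical.
LEDGER = [
    (1, "hack_wallet", "hop_a", 50_000),
    (2, "hop_a", "hop_b", 50_000),
    (3, "clean_user", "hop_b", 20_000),
    (4, "hop_b", "hop_c", 60_000),
    (5, "hop_c", "payment_firm", 30_000),
    (6, "clean_user", "payment_firm", 5_000),
]

def direct_counterparties(ledger, flagged):
    """Wallets that received funds straight from the flagged wallet (one hop)."""
    return {dst for _, src, dst, _ in ledger if src == flagged}

def trace_exposure(ledger, flagged, stolen):
    """Return {wallet: (min_hops, tainted_received)} for wallets downstream of flagged.

    Assumption: taint-first accounting, i.e. a wallet spends tainted funds before clean ones.
    """
    tainted = defaultdict(int)   # tainted balance currently held
    received = defaultdict(int)  # cumulative tainted funds received
    hops = {flagged: 0}
    tainted[flagged] = stolen
    for _, src, dst, amount in sorted(ledger):  # replay in chronological order
        moved = min(amount, tainted[src])
        if moved == 0:
            continue  # sender holds no tainted funds at this point
        tainted[src] -= moved
        tainted[dst] += moved
        received[dst] += moved
        hops[dst] = min(hops.get(dst, hops[src] + 1), hops[src] + 1)
    return {w: (hops[w], received[w]) for w in received}

def high_risk(exposure, wallet, threshold):
    """True when the wallet's indirect tainted inflow meets the review threshold."""
    return exposure.get(wallet, (None, 0))[1] >= threshold

if __name__ == "__main__":
    exp = trace_exposure(LEDGER, "hack_wallet", 50_000)
    print(direct_counterparties(LEDGER, "hack_wallet"))
    print(exp["payment_firm"], high_risk(exp, "payment_firm", 10_000))
```

A check limited to direct counterparties sees only the first hop, while replaying the ledger in time order surfaces the receiving firm's exposure four hops downstream.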
Merkle Science uncovered data indicating that the Lazarus hacker, known for targeting Atomic Wallet, sent approximately $87,000 in tether to an undisclosed wallet during the period between June and September 2023. Additionally, Merkle Science reported that this same anonymous wallet also received roughly $15,000 worth of stolen tether sourced from CoinsPaid and Alphapo.
The United Nations declared in January that Lazarus had cooperated with criminals to establish networks for money laundering in Southeast Asia, but refrained from identifying the platforms involved.
Jeremy Douglas, former regional head for the UN Office on Drugs and Crime, spoke out on this issue, pointing to Southeast Asia’s rampant unregulated crypto service providers and online casinos functioning as secretive banks. However, he refrained from commenting specifically about Huione.
According to him, organizations like Lazarus are dedicated to outpacing law enforcement through their use of technology and infrastructure that has become vital to their operations throughout Southeast Asia.
He stated that Southeast Asia has emerged as the epicenter for high-tech money laundering and cybercrime activities, being extensively used as a primary testing site at a global level.
Cambodia was taken off the “grey list” of countries with deficient anti-money laundering policies by the Financial Action Task Force (FATF), a G7 illicit finance organization, due to enhancements made to its regime.
Nonetheless, a spokesperson for FATF directed Reuters to a report from 2021 that emphasized the existence of “significant shortcomings” in Cambodia’s regulations concerning cryptocurrency companies engaged in illicit financial activities and verified that this evaluation remains valid.
The central bank of Cambodia is in the process of developing guidelines aimed at detecting and penalizing any illicit use of cryptocurrencies which may involve fraudulent practices, money laundering or cybersecurity risks.