Stolen crypto from North Korean hackers linked to Asian payment firm

 A major Cambodian payments firm received crypto worth over $150,000 from a digital wallet used by North Korean hacking outfit Lazarus, blockchain data shows, a glimpse of how the criminal collective has laundered funds in Southeast Asia.

Huione Pay, which is based in Phnom Penh and offers currency exchange, payments and remittance services, received the crypto between June 2023 and February this year, according to the previously unreported blockchain data reviewed by Reuters.

The crypto was sent to Huione Pay from an anonymous digital wallet that, according to two blockchain analysts, was used by Lazarus hackers to deposit funds stolen from three crypto companies in June and July last year, mostly via phishing attacks.

The FBI said in August 2023, tab that Lazarus plundered about $160 million from the crypto firms: Estonia-based Atomic Wallet and CoinsPaid; and Alphapo, registered in Saint Vincent and the Grenadines. The agency didn't disclose specifics. They were the latest in a series of heists by Lazarus that the United States has said is funding Pyongyang's weapons programmes.

Cryptocurrency allows North Korea to circumvent international sanctions, the United Nations has said. That may in turn help it to pay for banned goods and services, according to the Royal United Services Institute, a London-based defence and security think tank.

Huione Pay's board said in a statement the company had not known it "received funds indirectly" from the hacks and cited the multiple transactions between its wallet and the source of the hack as the reason it was unaware. The wallet that sent the funds was not under its management, Huione said.

Third parties cannot control transactions to and from wallets that aren't under their management. However, blockchain analysis tools enable companies to identify high-risk wallets, and to seek to prevent interaction with them, crypto security experts say.

Huione Pay - whose three directors include Hun To, a cousin of Prime Minister Hun Manet - declined to specify why it had received funds from the wallet or to provide details of its compliance policies. The company said Hun To's directorship does not include day-to-day oversight of its operations.

Reuters was unable to reach Hun for comment. The news agency has no evidence that Hun To or Cambodia's ruling family had any knowledge of the crypto transactions.

The National Bank of Cambodia (NBC) said in a statement to Reuters that payments firms such as Huione weren't allowed to deal or trade any cryptocurrencies and digital assets. In 2018, it said the ban sought to avoid investment losses due to crypto's volatility, cybercrime and the anonymity of the technology "which may cause risks of money laundering and financing of terrorism."

The NBC told Reuters it "would not hesitate to impose any corrective measures" against Huione, without saying if such action was planned. The North Korean mission to the United Nations in New York did not respond to a request for comment. A person at its mission to the United Nations in Geneva told Reuters in January that previous reporting on Lazarus was "all speculation and misinformation."

Atomic Wallet and Alphapo didn't respond to requests for comment. CoinsPaid told Reuters that its own data showed crypto stolen from it worth $3,700 reached the Huione Pay wallet.

While cryptocurrency is anonymous and flows outside the conventional banking system, its movements are traceable on the blockchain - a public, immutable ledger that records the amount of crypto sent from wallet to wallet, and when the transactions occurred.

US blockchain analysis firm TRM Labs told Reuters in a statement that Huione Pay was one of a number of payment platforms and over-the-counter (OTC) brokers that received a majority of the crypto stolen in the Atomic Wallet hack. Brokers connect buyers and sellers of crypto, offering traders a greater degree of privacy than crypto exchanges.

In its statement, TRM also said that the hackers, to hide their tracks, had converted the stolen crypto via a complex laundering operation into different cryptocurrencies, including tether (USDT) - a so-called ‘stablecoin’ that retains a steady value in dollars. For tether transactions, they used the Tron blockchain, a fast-growing register that is popular for its speed and low cost, TRM added.

“This majority of funds were converted to USDT on the Tron blockchain, and appeared to be sent to exchanges, services, and OTC - one of which, was Huione Pay," TRM Labs told Reuters, referring to the actions of the hackers. It did not provide further details.

A spokesperson for the British Virgin Islands-registered Tron said: "Tron condemns the abuse of blockchain technologies and is dedicated to combating these, and other malicious actors, in all forms, and wherever they may be found." The spokesperson did not comment directly on the Atomic Wallet hack.

Estonia's investigation into the 2023 hacks of Atomic Wallet and Coinspaid remains open, said Ago Ambur, the head of Estonia's cybercrime bureau. Cybercrime police in Saint Vincent and the Grenadines did not respond to requests for comment on the Alphapo hack.

Red flag

US blockchain analysis firm Merkle Science, which counts as clients law enforcement agencies in the United States and Britain and has previously examined Lazarus heists, examined the movement of coin from the 2023 hacks for Reuters.

Its CEO, Mriganka Pattnaik, said tracing funds from the Lazarus attacks was difficult due to the complex methods used to conceal the money trail.

Merkle Science said its investigation showed that there were three "hops" – or transfers – from the Atomic Wallet hackers to the anonymous wallet that later transferred funds to Huione. Transfers between multiple crypto wallets are typically a red flag for organisations seeking to launder funds, financial crime experts and blockchain analysts say.

Between June and September 2023, the Lazarus hacker who targeted Atomic Wallet sent tether worth around $87,000 to the anonymous wallet, according to the data uncovered by Merkle Science. The wallet also received tether worth around $15,000 stolen from CoinsPaid and Alphapo, Merkle Science said.

In January, the United Nations said Lazarus had shared money-laundering networks with criminals in Southeast Asia, without naming any platforms involved.

Jeremy Douglas, the UN Office of Drugs and Crime's former regional director for Southeast Asia, said the region was awash with unregulated crypto service providers and online casinos acting as "underground banks." He did not comment on Huione.

Groups such as Lazarus strive to stay ahead of law enforcement, he added, with technology and infrastructure that has spread across Southeast Asia now a critical part of their ability to do so.

"Southeast Asia has in many ways become the global ground zero, the primary testing ground, for high-tech money laundering and cybercrime operations," he said.

The G7's illicit finance body, the Financial Action Task Force (FATF), last year removed Cambodia from its "grey list" of countries with flawed anti-money laundering policies, citing improvements to its regime.

However, a FATF spokesperson referred Reuters to a 2021 report that highlighted "major gaps" in Cambodia's illicit finance rules for crypto firms, adding that the assessment still stood.

Cambodia’s central bank said it was drafting regulations to identify and punish use of crypto for illegal activities including fraud, money laundering and cybersecurity threats.