JAKARTA - A large payment company in Cambodia received cryptocurrency worth more than 150,000 US dollars (Rp2.4 billion) from a digital wallet used by the North Korean hacker group Lazarus. The finding offers a glimpse of how the criminal group laundered funds in Southeast Asia.

Huione Pay, which is based in Phnom Penh and offers currency exchange, payment, and remittance services, received the crypto between June 2023 and February this year, according to blockchain data reviewed by Reuters. The cryptocurrency was sent to Huione Pay from an anonymous digital wallet that, according to two blockchain analysts, was used by the Lazarus hackers to store funds stolen from three crypto companies in June and July last year, mostly through phishing attacks.

The FBI said in August 2023 that Lazarus stole about 160 million US dollars (Rp 2.5 trillion) from the crypto companies: Estonia-based Atomic Wallet, CoinsPaid, and Alphapo, which is registered in Saint Vincent and the Grenadines. The FBI did not disclose specific details. This is the latest in a series of hacks by Lazarus which, according to the United States, were used to fund Pyongyang's weapons program.

According to the United Nations (UN), cryptocurrency allows North Korea to avoid international sanctions. This can help it pay for prohibited goods and services, according to the Royal United Services Institute, a London-based defense and security think tank.

The Huione Pay board said in a statement that the company did not know that it "received funds indirectly" from the hack, and cited several transactions between its wallet and the source of the hack as the reason it was unaware. According to Huione, the wallet that sent the funds is not under its management.

Third parties cannot control transactions to and from wallets that are not under their management. However, blockchain analysis tools allow companies to identify high-risk wallets and try to prevent interactions with them, according to crypto security experts.

Huione Pay - whose three directors include Hun To, the cousin of Cambodian Prime Minister Hun Manet - declined to explain why it received funds from the wallet or to provide details of its compliance policy. The company said Hun To's role as a director does not include daily supervision of its operations.

So far, there is no evidence that Hun To or the family in power in Cambodia is aware of the crypto transaction.

The Cambodian National Bank (NBC) said payment companies like Huione are not allowed to handle or trade cryptocurrencies and digital assets. In 2018, NBC said the ban was aimed at avoiding investment losses due to crypto volatility, cybercrime, and the anonymity of the technology, which could pose a risk of money laundering and terrorism financing.

NBC said it "would not hesitate to impose corrective action" against Huione, without saying whether such action was planned. North Korea's mission to the United Nations in New York did not respond to a request for comment. A person at its mission in Geneva said in January that the previous report on Lazarus was "all speculation and disinformation."

Atomic Wallet and Alphapo also did not respond to requests for comment. CoinsPaid said its data showed that cryptocurrency stolen from it worth 3,700 US dollars (Rp59.8 million) reached Huione Pay's wallet.

Although cryptocurrencies are anonymous and flow outside conventional banking systems, their movements can be tracked on the blockchain - an immutable public ledger that records the amount of cryptocurrency sent from wallet to wallet, and when the transactions take place.

US blockchain analysis firm TRM Labs said that Huione Pay was one of a number of over-the-counter (OTC) payment platforms and brokers that received most of the stolen cryptocurrencies in the Atomic Wallet hack. Brokers link crypto buyers and sellers, offering greater privacy to traders than crypto exchanges.

In a statement, TRM also said that the hackers, to hide their tracks, had converted the stolen cryptocurrencies through complex laundering operations into various cryptocurrencies, including tether (USDT) - a stablecoin that maintains a fixed value in dollars. For tether transactions, they used the Tron blockchain, a rapidly growing ledger that is popular for its speed and low cost, TRM added.

"Most of the funds were converted to USDT on the Tron blockchain, and appear to be shipped to exchanges, services, and OTC - one of which was Huione Pay," said TRM Labs, as quoted by VOI from Reuters, referring to the hackers' actions. It did not provide further details.

A spokesman for the Virgin Islands-listed Tron said: "Tron condemns the misuse of blockchain technology and is dedicated to fighting this, as well as other bad actors, in all forms, and wherever they are found." The spokesman did not comment directly on the Atomic Wallet hack.

"Estonian investigations into the 2023 Atomic Wallet and CoinsPaid hacks are still open," said Ago Ambur, head of Estonia's cybercrime bureau. Cybercrime police in Saint Vincent and the Grenadines did not respond to requests for comment on the Alphapo hack.

Red Flag

US blockchain analysis firm Merkle Science, whose clients include law enforcement agencies in the United States and Britain and which has previously examined Lazarus hacks, inspected the movement of coins from the 2023 hacks for Reuters.

Its CEO, Mriganka Pattnaik, said tracking funds from Lazarus' attacks was difficult because of the complex methods used to hide the money trail.

Merkle Science said its investigation showed that there were three "jumps" - or transfers - from the Atomic Wallet hackers to anonymous wallets which then transferred funds to Huione. Transfers across several crypto wallets are usually a red flag for attempts to launder funds, according to financial crime experts and blockchain analysts.

Between June and September 2023, the Lazarus hackers who targeted Atomic Wallet sent tether worth about US$87,000 (Rp1.4 billion) to an anonymous wallet, according to data found by Merkle Science. The wallet also received tether worth about US$15,000 (Rp242.7 million) stolen from CoinsPaid and Alphapo, Merkle Science said.

In January, the United Nations said Lazarus had shared a criminal money laundering network in Southeast Asia, without naming the platform involved.

Jeremy Douglas, former regional director of the United Nations Office on Drugs and Crime in Southeast Asia, said the region was filled with unregulated crypto service providers and online casinos acting as "underground banks." He did not comment on Huione.

Groups like Lazarus are trying to stay one step ahead of law enforcement, he added, and the technology and infrastructure that have spread across Southeast Asia are now an important part of their ability to do so.

"Central Asia in many ways has become a global hub, a major testing ground, for high-tech money laundering operations and cybercrimes," he said.

The G7's illicit-finance watchdog, the Financial Action Task Force (FATF), last year removed Cambodia from its "grey list" of countries with deficient anti-money laundering policies, citing improvements to its regime.

However, a FATF spokesman referred Reuters to a 2021 report highlighting "major gaps" in Cambodia's illicit-finance rules for crypto companies, adding that the assessment still applies.

Cambodia's central bank said it was drafting regulations to identify and punish the use of cryptocurrencies for illegal activities including fraud, money laundering, and cybersecurity threats.

