North Korean Hackers Sent Stolen Crypto to Asian Payment Firm Wallet

Blockchain data demonstrates that North Korean hacking group Lazarus laundered funds in Southeast Asia by sending bitcoin worth over $150,000 to a large Cambodian payments firm

The crypto was received by Huione Pay, a Phnom Penh-based company that provides currency exchange, payments, and remittance services, between June 2023 and February of this year, according to the previously unreported blockchain data reviewed by Reuters.

Two blockchain analysts have reported that Lazarus hackers utilized an anonymous digital wallet to deposit funds stolen from three crypto companies in June and July last year, primarily through phishing attacks. The crypto was transferred to Huione Pay from this wallet.

In August 2023, the FBI reported that Lazarus had stolen approximately $160 million from three cryptocurrency firms: Atomic Wallet and CoinsPaid, based in Estonia, and Alphapo, registered in Saint Vincent and the Grenadines. The agency refrained from providing specifics. According to the United States, Pyongyang’s weapons programs are being financed by a succession of heists by Lazarus. These heists were the most recent examples.

The United Nations has stated that North Korea can evade international sanctions by utilizing cryptocurrency. According to the Royal United Services Institute, a London-based defense and security think tank, this could subsequently assist it in financing prohibited products and services.

In a statement, the board of Huione Pay stated that the company was oblivious that it had “received funds indirectly” from the hacks. The board cited the multiple transactions between its wallet and the source of the hack as the reason for its ignorance. Huione stated that the wallet that transmitted the funds was outside its supervision.

Third parties can conduct transactions to and from wallets that are not controlled outside heless; crypto security experts assert that blockchain analysis tools allow companies to identify high-risk wallets and attempt to prevent interaction with them.
Huione Pay, which is comprised of three directors, including Hun To, a cousin of Prime Minister Hun Manet, declined to disclose the reason for its receipt of funds from the wallet or to disclose the specifics of its compliance policies. The company stated that Hun To’s directorship does not involve the daily supervision of its operations.

Hun was unable to be reached for comment by Reuters. The news agency has no evidence that Hun To or Cambodia’s governing family knew about the crypto transactions.

In a statement to Reuters, the National Bank of Cambodia (NBC) stated that payment firms, including Huione, were prohibited from trading or dealing with cryptocurrencies and digital assets. In 2018, it was noted that the prohibition was intended to prevent investment losses caused by the volatility of crypto, cybercrime, and the anonymity of the technology, which could potentially lead to the financing of terrorism and money laundering.

The NBC informed Reuters that it “would not hesitate to impose any corrective measures” against Huione, but it did not specify whether such action was intended. The North Korean miss still needs to be heard. The United Nations in New York did not respond to a request for comment. In January, a representative from its mission to the United Nations in Geneva informed Reuters that the preceding reporting on Lazarus was “all speculation and misinformation.”

Alphapo and Atomic Wallet declined to respond to inquiries for comment. CoinsPaid informed Reuters that its data indicated that crypto seized from the company, valued at $3,700, was transferred to the Huione Pay wallet.

The blockchain is a public, immutable ledger that records the quantity of cryptocurrency sent from wallet to wallet and the transaction date, even though cryptocurrency is anonymous and operates outside the traditional banking system.

In a statement to Reuters, TRM Labs, a U.S. blockchain analysis firm, disclosed that Huione Pay was among the payment platforms and over-the-counter (OTC) brokers that received most of the crypto stolen in the Atomic Wallet breach. Brokers facilitate cryptocurrency exchange between buyers and vendors, providing traders more privacy than crypto exchanges.

TRM also stated that the hackers had converted the stolen crypto into various cryptocurrencies, including tether (USDT), a so-called “stablecoin” that maintains a consistent dollar value, through a complex laundering operation to conceal their activities. According to TRM, the Tron blockchain, a rapidly expanding register renowned for its low cost and speed, was employed for tether transactions.

“This majority of funds were converted to USDT on the Tron blockchain and appeared to be sent to exchanges, services, and OTC, one of which was Huione Pay,” TRM Labs informed Reuters, alluding to the hackers’ actions. It did not furnish additional information.

“Tron is committed to combating the abuse of blockchain technologies and other malicious actors in all forms and wherever they may be found,” stated a British Virgin Islands-registered Tron spokesperson. The Atomic Wallet hack was not addressed explicitly by the spokesperson.

According to Ago Ambur, the director of Estonia’s cybercrime bureau, the investigation into the 2023 hacks of Atomic Wallet and Coinspaid in Estonia is still ongoing. The Saint Vincent and the Grenadines cybercrime authorities did not respond to requests for comment regarding the Alphapo hack.

Merkle Science, a blockchain analysis firm based in the United States that has previously investigated Lazarus heists and serves as a client of law enforcement agencies in the United States and Britain, analyzed the movement of coins from the 2023 hacks for Reuters.

Its CEO, Mriganka Pattnaik, stated that the intricate methods employed to conceal the money trail made it challenging to trace funds from the Lazarus assaults.

Merkle Science reported that its investigation revealed that the Atomic Wallet hackers conducted three “hops” – or transfers – to the anonymous wallet, which subsequently transferred funds to Huione. For organizations that are interested in laundering funds, transfers between multiple crypto wallets are typically a warning sign, according to financial crime experts and blockchain analysts.

According to the data obtained by Merkle Science, the Lazarus hacker who targeted Atomic Wallet sent a tether valued at approximately $87,000 to the anonymous wallet between June and September 2023. Merkle Science also reported that the wallet received rope stolen from CoinsPaid and Alphapo and is estimated to be worth approximately $15,000.

In January, the United Nations accused Lazarus of sharing money-laundering networks with criminals in Southeast Asia, but the organization did not specify any involved platforms.

According to Jeremy Douglas, the former regional director for Southeast Asia at the UN Office of Drugs and Crime, the region is rife with unregulated crypto service providers and online casinos that function as “underground banks.”. He still needs to beress Huione.

He further stated that organizations like Lazarus are committed to maintaining a competitive edge over law enforcement, and the technology and infrastructure that have become ubiquitous in Southeast Asia are now essential to their capacity.

“Southeast Asia has in many ways become the global ground zero, the primary testing ground, for high-tech money laundering and cybercrime operations,” according to him.

Last year, the Financial Action Task Force (FATF), the illicit finance authority of the G7, removed Cambodia from its “grey list” of countries with flawed anti-money laundering policies. The FATF cited improvements to Cambodia’s regime as the reason for the deletion.

Nevertheless, a spokesperson for the Financial Action Task Force (FATF) directed Reuters to a 2021 report identifying “substantial deficiencies” in Cambodia’s illicit finance regulations for cryptocurrency firms. The spokesperson also reiterated that the assessment remained unchanged.

The central bank of Cambodia announced that it was developing regulations to identify and penalize the use of cryptocurrency for unlawful activities, such as money laundering, fraud, and cybersecurity threats.