
Exclusive: North Korean Hackers Transferred Stolen Crypto to Wallet Associated with Asian Payment Firm, Reports Reuters
By Tom Wilson
LONDON (Reuters) – A prominent payments firm in Cambodia has reportedly received over $150,000 worth of cryptocurrency from a digital wallet linked to the North Korean hacking group Lazarus, highlighting the group’s methods for laundering funds in Southeast Asia.
According to blockchain data analyzed by Reuters, Huione Pay, located in Phnom Penh and providing currency exchange, payment, and remittance services, received these funds between June 2023 and February of this year. The cryptocurrency originated from an anonymous wallet associated with the Lazarus hackers, who reportedly used it to deposit assets stolen from three cryptocurrency companies during mid-2022, primarily through phishing attacks.
In August 2023, the FBI disclosed that Lazarus had stolen approximately $160 million from crypto firms, including Atomic Wallet and CoinsPaid in Estonia, as well as Alphapo, which is registered in Saint Vincent and the Grenadines. These incidents are part of a series of high-profile heists by Lazarus, which U.S. officials claim help finance North Korea’s weapons programs.
The United Nations has indicated that cryptocurrency provides North Korea with a means to bypass international sanctions, potentially facilitating the acquisition of prohibited goods and services.
In a statement, Huione Pay’s board claimed they were unaware of receiving funds indirectly from the hacks, citing the complexity of transactions involving multiple transfers that obscured the source. They asserted that the wallet from which the funds were sent was not under their control.
While it is true that third parties cannot dictate transactions involving wallets not actively managed by them, crypto security experts assert that analysis tools exist to identify high-risk wallets and can help block interactions with them.
Huione Pay, which has connections to the family of Prime Minister Hun Manet through one of its directors, Hun To, did not provide further details regarding its compliance policies or the reasons behind its receipt of funds from the suspect wallet. It clarified that Hun To’s role does not encompass daily operational oversight.
Reuters was unable to obtain comments from Hun To, and there is no evidence suggesting he or Cambodia’s ruling family had prior knowledge of the crypto transactions.
The National Bank of Cambodia issued a statement indicating that payments firms like Huione are prohibited from engaging in cryptocurrency transactions. The bank instituted this ban in 2018, aiming to prevent investment losses linked to cryptocurrency volatility and to mitigate risks related to money laundering and financing of terrorism.
The bank emphasized it would take appropriate corrective measures against Huione if it deemed them necessary but did not elaborate on any specific actions at this time. The North Korean mission to the United Nations did not respond to inquiries for comment. Previously, a representative claimed that reports surrounding Lazarus were primarily speculative.
Responses from Atomic Wallet and Alphapo were also unavailable, while CoinsPaid confirmed that a small portion of the stolen crypto, valued at $3,700, reached Huione Pay’s wallet.
Despite the anonymity offered by cryptocurrency, blockchain technology makes funds traceable across the network, because the blockchain is a public ledger that logs all transactions.
TRM Labs, a U.S. blockchain analysis firm, reported that Huione Pay is among various payment platforms and over-the-counter brokers that received a substantial amount of crypto stolen during the Atomic Wallet heist. Brokers provide a level of privacy that distinguishes them from conventional crypto exchanges.
TRM also highlighted that the hackers utilized complex laundering techniques to convert stolen assets into various cryptocurrencies, including Tether (USDT), a stablecoin designed to maintain a constant value. The hackers executed Tether transactions on the Tron blockchain, known for its quick processing and cost-efficiency.
Estonia’s investigation regarding the hacks at Atomic Wallet and CoinsPaid remains open, according to the head of its cybercrime bureau. Law enforcement in Saint Vincent and the Grenadines has not responded to inquiries about Alphapo’s hack.
U.S.-based Merkle Science examined the fund transfers from the 2023 hacks and noted the challenges in tracking them due to elaborate concealment strategies. Their analysis indicated multiple transfers from the Atomic Wallet hackers to an anonymous wallet, which subsequently sent funds to Huione; these repeated transfers raise red flags for monitoring agencies concerned with money laundering.
Between June and September 2023, the Lazarus hackers reportedly sent approximately $87,000 in Tether from the Atomic Wallet breach to the undisclosed wallet, complemented by an additional $15,000 from CoinsPaid and Alphapo.
In January, the United Nations noted that Lazarus had formed money-laundering networks with Southeast Asian criminals but did not disclose specific platforms involved. An official from the UN Office of Drugs and Crime described Southeast Asia as a hotbed of unregulated cryptocurrency services and online casinos, serving as "underground banks."
The G7’s Financial Action Task Force (FATF) removed Cambodia from its "grey list" regarding flawed anti-money laundering policies last year, recognizing progress in its governance framework. However, FATF referred to a 2021 report highlighting significant gaps in Cambodia’s crypto regulation, implying existing concerns still linger.
Cambodia’s central bank is reportedly drafting regulations aimed at detecting and deterring the use of cryptocurrency for illicit activities such as fraud, money laundering, and cyber threats.