A major Cambodian payment firm, Huione Pay, received over $150,000 in cryptocurrency from a digital wallet linked to North Korean hacking group Lazarus, according to blockchain data reviewed by Reuters. This transaction showcases the methods through which Lazarus launders stolen funds across Southeast Asia.
Huione Pay, based in Phnom Penh, provides currency exchange, payment, and remittance services. Between June 2023 and February 2024, it received substantial cryptocurrency deposits from an anonymous wallet. Blockchain analysts have identified this wallet as one used by Lazarus to channel funds stolen from three crypto companies through phishing attacks in mid-2023.
In August 2023, the FBI disclosed that Lazarus had stolen approximately $160 million from Estonia-based Atomic Wallet and CoinsPaid, and from Alphapo, which is registered in Saint Vincent and the Grenadines. Although the FBI did not provide specifics, the agency emphasized that these thefts are part of a series of heists funding North Korea’s weapons programs.
Cryptocurrency enables North Korea to bypass international sanctions, allowing the regime to acquire prohibited goods and services. This was highlighted by the United Nations and the Royal United Services Institute, a defense and security think tank in London.
In response to the discovery, Huione Pay’s board issued a statement saying it had been unaware of the origin of the funds, citing the numerous transactions between its wallet and the source of the hack. The company emphasized that the wallet responsible for the funds was not under its management.
Despite this, experts note that blockchain analysis tools can help companies identify and avoid interactions with high-risk wallets. Huione Pay, whose directors include Hun To, a cousin of Prime Minister Hun Manet, declined to comment on the specifics of their receipt of the funds or their compliance policies. Hun To’s involvement does not extend to daily operations, and Reuters could not reach him for comment. There is no evidence linking Hun To or the Cambodian ruling family to the transactions.
The National Bank of Cambodia (NBC) maintains that payment firms like Huione Pay are prohibited from dealing with cryptocurrencies. This ban, established in 2018, aims to prevent investment losses, cybercrime, and the anonymity-related risks of money laundering and terrorism financing. The NBC stated it would take corrective measures against Huione Pay if necessary but did not specify any immediate actions.
The North Korean mission to the United Nations did not respond to requests for comment. In contrast, a representative from their Geneva mission dismissed previous reports on Lazarus as “speculation and misinformation.”
Atomic Wallet and Alphapo did not respond to inquiries, while CoinsPaid confirmed that $3,700 worth of stolen crypto from their platform reached Huione Pay’s wallet.
Despite the anonymity associated with cryptocurrency, transactions are traceable on the blockchain, an immutable public ledger that records all transfers. U.S.-based blockchain analysis firm TRM Labs revealed that Huione Pay was among several platforms that received the majority of stolen crypto from the Atomic Wallet hack. These platforms, including Huione Pay, often offer greater privacy to traders than conventional crypto exchanges.
TRM Labs further detailed that the hackers converted the stolen cryptocurrency through complex laundering processes into different currencies, including tether (USDT), which is known for its stability. The transactions predominantly utilized the Tron blockchain, chosen for its speed and low transaction costs.
“The majority of funds were converted to USDT on the Tron blockchain and appeared to be sent to exchanges, services, and OTC brokers, including Huione Pay,” TRM Labs stated.
A spokesperson for the Tron blockchain condemned the misuse of blockchain technologies and affirmed their commitment to combating malicious actors.
Estonia’s investigation into the 2023 hacks of Atomic Wallet and CoinsPaid is ongoing, according to Ago Ambur, head of Estonia’s cybercrime bureau. Meanwhile, cybercrime authorities in Saint Vincent and the Grenadines did not respond to requests for comment regarding the Alphapo hack.