North Korean hacking outfit Lazarus, blockchain data shows, deposited crypto worth over $150,000 with a major Cambodian payments firm through a digital wallet.
Huione Pay, which is based in Phnom Penh and offers currency exchange, payments and remittance services, received the crypto between June 2023 and February this year, according to the previously unreported blockchain data reviewed by Reuters.
The crypto was sent to Huione Pay from an anonymous digital wallet that, according to two blockchain analysts, was used by Lazarus hackers to deposit funds stolen from three crypto companies in June and July last year, mostly via phishing attacks.
The FBI said in August 2023 that Lazarus plundered about $160 million from the crypto firms: Estonia-based Atomic Wallet and CoinsPaid; and Alphapo, registered in Saint Vincent and the Grenadines. The agency didn’t disclose specifics. They were the latest in a series of heists by Lazarus that the United States has said is funding Pyongyang’s weapons programmes.
Cryptocurrency allows North Korea to circumvent international sanctions, the United Nations has said. That may in turn help it to pay for banned goods and services, according to the Royal United Services Institute, a London-based defence and security think tank.
Huione Pay’s board said in a statement the company had not known it “received funds indirectly” from the hacks and cited the multiple transactions between its wallet and the source of the hack as the reason it was unaware. The wallet that sent the funds was not under its management, Huione said.
Third parties cannot control transactions to and from wallets that aren’t under their management. However, blockchain analysis tools enable companies to identify high-risk wallets, and to seek to prevent interaction with them, crypto security experts say.
Huione Pay – whose three directors include Hun To, a cousin of Prime Minister Hun Manet – declined to specify why it had received funds from the wallet or to provide details of its compliance policies. The company said Hun To’s directorship does not include day-to-day oversight of its operations.
Reuters was unable to reach Hun for comment. The news agency has no evidence that Hun To or Cambodia’s ruling family had any knowledge of the crypto transactions.
The National Bank of Cambodia (NBC) said in a statement to Reuters that payments firms such as Huione weren’t allowed to deal or trade any cryptocurrencies and digital assets. In 2018, it said the ban sought to avoid investment losses due to crypto’s volatility, cybercrime and the anonymity of the technology “which may cause risks of money laundering and financing of terrorism.”
The NBC told Reuters it “would not hesitate to impose any corrective measures” against Huione, without saying if such action was planned. The North Korean mission to the United Nations in New York did not respond to a request for comment. A person at its mission to the United Nations in Geneva told Reuters in January that previous reporting on Lazarus was “all speculation and misinformation.”
Atomic Wallet and Alphapo didn’t respond to requests for comment. CoinsPaid told Reuters that its own data showed crypto stolen from it worth $3,700 reached the Huione Pay wallet.
While cryptocurrency is anonymous and flows outside the conventional banking system, its movements are traceable on the blockchain – a public, immutable ledger that records the amount of crypto sent from wallet to wallet, and when the transactions occurred.
U.S. blockchain analysis firm TRM Labs told Reuters in a statement that Huione Pay was one of a number of payment platforms and over-the-counter (OTC) brokers that received a majority of the crypto stolen in the Atomic Wallet hack. Brokers connect buyers and sellers of crypto, offering traders a greater degree of privacy than crypto exchanges.
In its statement, TRM also said that the hackers, to hide their tracks, had converted the stolen crypto via a complex
laundering operation into different cryptocurrencies, including tether (USDT) – a so-called ‘stablecoin’ that retains a steady value in dollars. For tether transactions, they used the Tron blockchain, a fast-growing register that is popular for its speed and low cost, TRM added.
“This majority of funds were converted to USDT on the Tron blockchain, and appeared to be sent to exchanges, services, and OTC – one of which, was Huione Pay,” TRM Labs told Reuters, referring to the actions of the hackers. It did not provide further details.
A spokesperson for the British Virgin Islands-registered Tron said: “Tron condemns the abuse of blockchain technologies and is dedicated to combating these, and other malicious actors, in all forms, and wherever they may be found.” The spokesperson did not comment directly on the Atomic Wallet hack.
Estonia’s investigation into the 2023 hacks of Atomic Wallet and Coinspaid remains open, said Ago Ambur, the head of Estonia’s cybercrime bureau. Cybercrime police in Saint Vincent and the Grenadines did not respond to requests for comment on the Alphapo hack.
With Reuters inputs