Blockchain data has revealed that Huione Pay, a prominent payments firm based in Phnom Penh, received over $150,000 worth of cryptocurrency from a digital wallet linked to the North Korean hacking group Lazarus.
The transfers occurred between June 2023 and February this year, according to previously unreported blockchain records reviewed by Reuters.
The crypto was traced back to an anonymous wallet reportedly used by Lazarus hackers to deposit funds stolen from three cryptocurrency companies via phishing attacks.
These companies include Estonia-based Atomic Wallet and CoinsPaid, as well as Alphapo registered in Saint Vincent and the Grenadines, with total losses estimated at about $160 million, as disclosed by the FBI in August 2023.
Huione Pay, known for its currency exchange, payments, and remittance services, stated it was unaware of receiving funds indirectly from these hacks.
The company attributed this to the numerous transactions between its wallet and the source of the hack, which was beyond its management.
The National Bank of Cambodia, responding to Reuters, reiterated that payments firms like Huione are prohibited from dealing or trading in cryptocurrencies and digital assets due to concerns over volatility, cybercrime risks, and potential for money laundering and financing terrorism.
Huione Pay, which includes Hun To among its directors, clarified that Hun To’s role does not involve day-to-day oversight of operations. The company declined to elaborate on why it received funds from the wallet or provide details of its compliance policies.
Cryptocurrency movements are traceable on the blockchain, despite its anonymity, which allows for tracking transactions between wallets. U.S. blockchain analysis firm TRM Labs noted that Huione Pay received a significant portion of the stolen crypto from the Atomic Wallet hack, most of which was converted into tether on the Tron blockchain to obscure its origins.
The complex methods used by Lazarus to launder money make tracing these funds challenging, as highlighted by Merkle Science, a blockchain analysis firm. The United Nations has previously mentioned Lazarus’ involvement in money-laundering networks in Southeast Asia, emphasizing the region’s vulnerabilities to cybercrime and illicit finance operations.
While Cambodia has made strides in improving its anti-money laundering measures, gaps remain, particularly in regulating crypto firms. The Financial Action Task Force noted these deficiencies in its 2021 report and suggested the need for stronger controls to combat fraud, money laundering, and cybersecurity threats associated with cryptocurrencies.
In response to these developments, Cambodia’s central bank stated it is drafting regulations to better identify and penalize illicit uses of cryptocurrencies, aligning with global efforts to strengthen financial integrity and cybersecurity.