North Korean Hackers Steal $150,000 in Cryptocurrency

Blockchain data shows that the North Korean hacking group Lazarus deposited more than $150,000 worth of cryptocurrency into a major Cambodian payment company via a digital wallet.

The details provide a glimpse into how the North Korean criminal collective laundered funds in Southeast Asia.

Phnom Penh-based Huione Pay, which offers currency exchange, payments and remittance services, received the cryptocurrency between June 2023 and February this year, according to previously unreported blockchain data analyzed by Reuters.

The cryptocurrency was sent to Huione Pay from an anonymous digital wallet that, according to two blockchain analysts, was used by Lazarus hackers to deposit funds stolen from three cryptocurrency companies in June and July last year, mostly through phishing attacks.

The FBI said in August 2023 that Lazarus had stolen about $160 million from cryptocurrency firms: Atomic Wallet and CoinsPaid based in Estonia; and Alphapo, registered in Saint Vincent and the Grenadines. The agency did not disclose details. It was the latest in a series of thefts by Lazarus that the U.S. says are funding Pyongyang’s weapons programs.

Cryptocurrencies allow North Korea to circumvent international sanctions, the United Nations has said. That could in turn help it pay for banned goods and services, according to the Royal United Services Institute, a London-based defense and security think tank.

Huione Pay’s board of directors said in a statement that the company did not know it had “received funds indirectly” from the hacks, and cited multiple transactions between its wallet and the source of the hack as the reason it was unaware. The wallet that sent the funds was not under its management, Huione said.

Third parties cannot monitor transactions to and from wallets that are not under their control. However, blockchain analytics tools allow companies to identify high-risk wallets and try to prevent interaction with them, crypto security experts say.

Huione Pay, whose three directors include Hun To, a cousin of Prime Minister Hun Manet, declined to specify why it received funds from the wallet or provide details of its compliance policies. The company said Hun To’s management does not include day-to-day oversight of its operations.

Reuters could not reach Hun To for comment. The news agency has no evidence that Hun To or Cambodia’s ruling family knew about the cryptocurrency transactions.

The National Bank of Cambodia (NBC) said in a statement to Reuters that payments firms such as Huione were not allowed to trade or exchange cryptocurrencies and digital assets. In 2018, it said the ban was aimed at avoiding investment losses due to cryptocurrency volatility, cybercrime and the anonymity of the technology “which could lead to money laundering and terrorist financing risks.”

NBC told Reuters it would “not hesitate to impose corrective measures” against Huione, without saying whether such action was planned. North Korea’s mission to the United Nations in New York did not respond to a request for comment. A person at its mission to the United Nations in Geneva told Reuters in January that previous reports about Lazarus were “all speculation and disinformation.”

Atomic Wallet and Alphapo did not respond to requests for comment. CoinsPaid told Reuters that its data showed $3,700 worth of stolen cryptocurrency reached the Huione Pay wallet.

Although cryptocurrency is anonymous and circulates outside the conventional banking system, its movements are traceable on the blockchain, a public, immutable ledger that records how much cryptocurrency was sent from one wallet to another and when the transactions occurred.

U.S. blockchain analytics firm TRM Labs told Reuters in a statement that Huione Pay was one of several over-the-counter (OTC) payment platforms and brokers that received the majority of cryptocurrencies stolen in the Atomic Wallet hack. Brokers connect buyers and sellers of cryptocurrencies, offering traders a higher level of privacy than cryptocurrency exchanges.

In its statement, TRM also claimed that the hackers, to cover their tracks, had converted the stolen cryptocurrency through a complex laundering operation in several cryptocurrencies, including tether (USDT), a so-called “stablecoin” that maintains a constant value in dollars. For tether transactions, they used the Tron blockchain, a rapidly growing ledger that is popular for its speed and low cost, TRM added.

“This majority of funds were converted to USDT on the Tron blockchain and appeared to be sent to exchanges, services and OTC, one of which was Huione Pay,” TRM Labs told Reuters, referring to the hackers’ actions. It did not provide further details.

A spokesperson for Tron, which is registered in the British Virgin Islands, said: “Tron condemns the abuse of blockchain technologies and is committed to combating these and other malicious actors, in all forms and wherever they may be found.” The spokesperson did not comment directly on the Atomic Wallet hack.

Estonia’s investigation into the 2023 cyberattacks on Atomic Wallet and CoinsPaid remains open, said Ago Ambur, head of Estonia’s cybercrime bureau. Saint Vincent and the Grenadines’ cybercrime police did not respond to requests for comment on the Alphapo cyberattack.

With data from Reuters
