How Huione Guarantee and Huione Pay Facilitate Cybercrime and Advanced Persistent Threats

Arachne Digital
4 min read · Jul 21, 2024


As light has been shed on cryptocurrency mixers like Tornado Cash, cybercriminals right through to advanced persistent threats (APTs) looking to launder stolen funds have been forced to turn elsewhere. In Southeast Asia, two entities have come under scrutiny for their involvement in a broad array of illicit activities: Huione Guarantee and Huione Pay. These platforms, both subsidiaries of the Cambodian conglomerate Huione Group, have become significant players in the region’s illicit financial ecosystem.

Huione Guarantee

Huione Guarantee, established in 2021, has rapidly evolved into a significant player in the illicit digital economy of Southeast Asia. Ostensibly intended as a legitimate marketplace, it is a hub for cybercriminal operations. The platform, which comprises various messaging app channels, offers a variety of illicit services, including money laundering, deepfake technology and stolen data. The platform also helps to facilitate “pig butchering” scams, in which fraudsters develop relationships with victims to persuade them into fraudulent investments.

The platform is also linked to human trafficking and worker abuse, with scam compounds operating like prisons, where trafficked workers are restrained and subjected to torture. Merchants on the platform advertise equipment like electric shock shackles and batons used to control these workers.

Over three years, researchers have tracked $11 billion in transactions on Huione Guarantee, primarily conducted using Tether (USDT), a stablecoin pegged to the U.S. dollar. The total figure is likely larger, due to the turnover of vendors obscuring at least a portion of transactions.

Huione Pay

Huione Pay, another subsidiary of the Cambodian conglomerate Huione Group, operates as a merchant on Huione Guarantee’s platform. Huione Pay offers currency exchange, payments, and remittance services. Despite its legitimate facade, Huione Pay has been implicated in significant illicit activities, particularly involving the laundering of stolen cryptocurrency.

From June 2023 to February 2024, Huione Pay received over $150,000 worth of cryptocurrency from a digital wallet associated with APT45. APT45 is attributed to the 3rd Bureau (Foreign Intelligence / Lab 110) of North Korea’s Reconnaissance Bureau of the General Staff Department (RGB), and is also known as Lazarus Group, Hidden Cobra, Guardians of Peace, NICKEL ACADEMY, Black Artemis, COVELLITE, CTG-2460, Dark Seoul, High Anonymous, Labyrinth Chollima, New Romanic Cyber Army Team, NNPT Group, Who Am I?, Whois Team, TA404, APT-C-26, ZINC and Diamond Sleet.

The United Nations Office on Drugs and Crime (UNODC) has observed similar collaborations between North Korean hackers and other criminal enterprises in Southeast Asia, leveraging casinos and unregulated cryptocurrency exchanges to launder money.

The Huione Pay wallet had been used to deposit funds stolen from three crypto companies: Atomic Wallet, CoinsPaid and Alphapo. The FBI attributed the hacks to APT45.

Huione Pay is also deeply intertwined with Cambodia’s political elite. One of its directors, Hun To, is a cousin of the current Cambodian Prime Minister, Hun Manet. Hun To has reportedly been suspected of heroin trafficking and money laundering by Australian Police. He has also been linked to Chinese organised crime and at least one scam compound.

Challenges

The lack of operational security around the advertisement of these services, and around the transactions related to them, is remarkable at first glance, but less so on further investigation.

The National Bank of Cambodia (NBC) has stated that payments firms like Huione Pay are prohibited from dealing with cryptocurrencies due to risks related to volatility, cybercrime, and anonymity, which can facilitate money laundering and terrorism financing. Despite these regulations, Huione Pay continues to receive cryptocurrency transactions. No public action from NBC has been forthcoming against Huione Guarantee or Huione Pay.

It was also reported in 2012 by the Sydney Morning Herald that Australian police planned to arrest and question Hun To on an upcoming trip to Australia, but the operation was foiled when Hun To was denied a visa to enter Australia. Australian embassy officials in Phnom Penh cited the need to avoid a diplomatic incident.

This seeming invulnerability is now being leveraged by groups like APT45 to continue funding the North Korean regime.

Moving Forward

By offering services such as money laundering, deepfake technology, and equipment for restraining trafficked workers, Huione Guarantee has become a vital resource for cybercriminals looking to exploit the digital economy’s vulnerabilities. Similarly, Huione Pay’s involvement in laundering cryptocurrency stolen by North Korea’s APT45 exemplifies the intersection of geopolitical interests and organised crime.

Delving into the workings of Huione Guarantee and Huione Pay provides a clearer picture of the cybercrime and APT landscape. This understanding is the first step in developing robust strategies to combat digital illicit activities, protecting the integrity of the global financial system, and safeguarding individuals and organisations from the growing threat of cybercrime and cyberespionage.

References

https://www.elliptic.co/blog/cyber-scam-marketplace

https://therecord.media/tether-freezes-29-million-crypto-connected-to-scam-marketplace

https://www.reuters.com/technology/cybersecurity/north-korean-hackers-sent-stolen-crypto-wallet-used-by-asian-payment-firm-2024-07-15/

https://www.reuters.com/world/asia-pacific/north-korean-hackers-criminals-share-money-laundering-networks-southeast-asia-un-2024-01-15/

https://www.unodc.org/roseap/uploads/documents/Publications/2024/Casino_Underground_Banking_Report_2024.pdf

https://www.mandiant.com/resources/insights/apt-groups#north-korea

https://www.cisa.gov/news-events/alerts/2017/06/13/hidden-cobra-north-koreas-ddos-botnet-infrastructure

https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing

https://www.secureworks.com/research/threat-profiles

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

https://mp-weixin-qq-com.translate.goog/s/W4hkBRJnwN1G32QCpaNNoA?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp&utm_source=substack&utm_medium=email

https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming?view=o365-worldwide

https://www.smh.com.au/national/drugs-our-man-in-cambodia-20120325-1vsiz.html

https://www.youtube.com/watch?v=fiy03A7YfW4

https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
