Lack of virtual asset regulation leaves door open to laundering cyber-crime proceeds

North Korea heists, Cambodian pig butchering

Image: Australian Strategic Policy Institute via X.

Organized cyber-crime and state-sponsored heists continue to be facilitated by widespread failure to regulate virtual assets, according to the global money laundering and terrorist financing watchdog, the Financial Action Task Force (FATF).

As of April 2025, global implementation of FATF standards on virtual assets (VAs) and virtual asset service providers (VASPS) had shown only slight improvement from 2024, the FATF said in a review published June 26. The number of “largely compliant” countries rose by just 4 percentage points to 29% from 25% over the period.

The issue is far from being simply a technical question about the regulation of a new asset class. North Korea this year carried out the largest single theft of VAs, stealing the equivalent of $1.46 billion from the ByBit VASP.

The theft from Dubai-based cryptocurrency exchange ByBit took place on Feb 21. The North Korean hackers were able to launder the stolen Ethereum tokens by exchanging them for Ether on trading plaforms such as eXch and THORChain. ByBit’s requests to eXch to block the transfers were unsuccessful.

Lack of regulation also makes it easier to launder proceeds from cyber-criminality. Pig butchering has become a major contributor to Southeast Asian economies led by Cambodia and Myanmar.

Stronger regulation of VASPs is essential if laundering of the criminal proceeds is to be made harder. Straightforward prohibition of VASPs is a tempting option but in fact may do little to tackle the issue. The FATF found 20% of respondents opting to prohibit VASPs, up from just 7% in 2022, but said that such prohibitions are difficult to enforce and may, in fact, be a course for concern.

In other words there are no shortcuts in the hard work of ensuring VASPs meet international standards and punishing them if they do not. The FATF says the private sector, particularly VASPs themselves, need to have risk identification and mitigation measures in place.

The slow pace of progress on adoption of the FATF’s Travel Rule also continues. The Travel Rule requires financial services providers, including VASPs, to collect and transmit information about the originators and beneficiaries of transactions.

The latest FATF survey showed a marginal increase in adoption to 73%. But 42 of 205 jurisdictions did not respond to the FATF’s survey, and it is likely that they have not implemented the requirements. Global implementation “remains incomplete and leaves VAs and VASPs vulnerable to misuse,” the FATF says.

Human Consequences

The ease with which the proceeds of criminality can be laundered into the formal economy has human as well as financial consequences.

A report from Amnesty International in June based on evidence from 423 victims of forced scam labour in Cambodia found that almost all were kept in a restraining physical space. Most of the compounds investigated by Amnesty had fencing with barbed wire or electric fencing.

The people interviewed were “told where to sleep, where, how and when to work, what they could and could not do and when, subjected in many cases to punishments that amounted to torture or other ill-treatment, and given little or no un-monitored contact with the outside world.”

Amnesty has no doubt that this is happening with official complicity. “The Cambodian state has consented or acquiesced to the torture and other ill-treatment taking place at scamming compounds,” it says.

The US Department of the Treasury’s Financial Crimes Enforcement Network (FINCEN) on May 1 designated Cambodian financial conglomerate Huione as a “financial institution of primary money laundering concern.” FINCEN cited Huione’s role in Cambodia scams as well as its involvement in North Korean cyber-heists. Yet Huione’s activities have continued to expand despite the US action, underscoring the need for a more co-ordinated regulatory approach.