Telegram Bot Interface and User Flow
The core user interface is a Telegram chatbot that guides the user step by step. Users initiate the process by sending a command such as /buy, and the bot asks for the desired purchase amount in local currency. The bot then fetches the current BTC/KHR price (via an exchange API) and shows the total payable amount. Next, the bot asks the user to confirm and to provide a Bitcoin wallet address for delivery. For identity verification, the bot can prompt the user to complete a KYC form or upload the required ID documentation (using an embedded link or secure attachment). Once the details are confirmed, the bot generates a payment request. Throughout, the bot uses Telegram’s Bot API over HTTPS to communicate with the user and maintain session state. Bot responses and menus should be concise (3–5 sentence steps) with clear instructions. Key actions are automated via inline buttons (e.g. “Confirm & Pay”, “Cancel”) to simplify the flow.
Technical Architecture & Hosting
The system uses a cloud-hosted backend (e.g. AWS, Azure or DigitalOcean) running the Telegram Bot logic and payment logic. A recommended stack: a web server (Node.js, Python Flask, etc.) handling bot webhooks; a database (PostgreSQL or MongoDB) for tracking user accounts, orders, and transaction states; and a wallet service for custody. The bot server communicates with ABA PayWay’s API and with a crypto exchange or trading engine. For reliability and scalability, use containerization (Docker) and load-balanced instances. Secure the server with HTTPS and firewall rules; use environment variables or a secrets manager for API keys. All bot-server calls to Telegram and PayWay use TLS. Logging should be minimal (no sensitive PII) and monitored for failures. A high-level diagram might show: Telegram Bot ⇄ Backend Server (HTTPS) ⇄ {ABA Pay API; Crypto Exchange API; Database; KYC Service}. Use an architecture framework (MVC or microservices) so modules (Bot handling, Payment, Trading, KYC, Wallet) are separated.
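The webhook endpoint described above should not trust a POST just because it arrived. The following is an added example (not code from the page, from Telegram, or from python-telegram-bot) of the checks a receiver runs before an update reaches bot logic: it compares the secret token Telegram echoes in the X-Telegram-Bot-Api-Secret-Token header (the value you passed to setWebhook) in constant time, bounds the body size, and drops re-delivered updates by update_id. The secret value and the sample update in the test are constructed.

```python
import hmac
import json

SECRET_HEADER = "X-Telegram-Bot-Api-Secret-Token"   # header Telegram sets on webhook POSTs
MAX_BODY_BYTES = 64 * 1024                           # updates are small; drop oversized bodies early


class WebhookReceiver:
    """Gate in front of the bot's update handler. Pass the same secret_token you gave to
    setWebhook (read it from an environment variable or secrets manager, never a literal)."""

    def __init__(self, secret_token: str):
        self.secret_token = secret_token.encode()
        self.seen_update_ids = set()    # Telegram re-delivers an update until it gets a 2xx

    def accept(self, headers: dict, body: bytes):
        """Return (http_status, update); update is None when nothing should be handled."""
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(SECRET_HEADER.lower(), "").encode("utf-8", "replace")
        if not hmac.compare_digest(presented, self.secret_token):
            return 403, None            # constant-time compare: forged POSTs never reach bot logic
        if len(body) > MAX_BODY_BYTES:
            return 413, None
        try:
            update = json.loads(body)
        except ValueError:
            return 400, None
        if not isinstance(update, dict) or not isinstance(update.get("update_id"), int):
            return 400, None
        if update["update_id"] in self.seen_update_ids:
            return 200, None            # duplicate delivery: acknowledge, do not re-run /buy
        self.seen_update_ids.add(update["update_id"])
        return 200, update
```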
ABA Pay Integration (PayWay API)
ABA Bank’s PayWay is the primary payment gateway. The backend uses PayWay’s REST API to create and monitor payment requests. For example, when the user confirms a buy order, the bot calls PayWay’s “Create Purchase” endpoint to generate a transaction in KHR (or USD) for the exact amount. The response can include a dynamic KHQR (Cambodia QR code) or a payment link that the bot sends back. ABA PayWay supports dynamic QR payments: the bot can display a QR image or link, and the user scans it in the ABA Mobile app to pay. Once the user has paid, the bot polls PayWay’s “Check transaction” endpoint or receives its webhook to confirm completion. Only on confirmation does the bot proceed to execute the Bitcoin purchase. Recommendation: Register a PayWay merchant account and use the sandbox (developer.payway.com.kh) for testing. The PayWay API supports JSON POST calls for purchase, status, refunds, etc. Note that ABA’s terms explicitly forbid using PayWay for cryptocurrency transactions (PayWay T&C 14.1(v) bans crypto-related business). Obtain legal review or special approval, and mark transactions as “digital goods” if required, to avoid a contract breach.
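The confirmation step is where a payment bot is most often cheated: a replayed webhook, a stale poll result, or a partial payment must never trigger a second or an unearned BTC release. The following is an added example (not the page's code and not PayWay's SDK) of an order record that accepts a status result only when it matches the order exactly and releases BTC at most once. The result field names (tran_id, status, amount, currency) and the "APPROVED" success value are assumed placeholders to be mapped onto the real PayWay response; `send` stands for the caller's exchange/wallet routine.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum

class OrderState(Enum):
    PENDING = "pending"      # purchase request created, waiting for the user to pay
    PAID = "paid"            # gateway confirmed the exact amount; BTC purchase may start
    RELEASED = "released"    # BTC bought and sent to the user's address
    MISMATCH = "mismatch"    # gateway reported a different amount/currency: hold for review

@dataclass
class Order:
    tran_id: str             # our transaction id, sent in the "Create Purchase" call
    amount: Decimal          # exact fiat amount the bot quoted, as Decimal (never float)
    currency: str            # "KHR" or "USD"
    btc_address: str
    state: OrderState = OrderState.PENDING
    events: list = field(default_factory=list)

def new_order(tran_id: str, amount: str, currency: str, btc_address: str) -> Order:
    return Order(tran_id, Decimal(amount), currency, btc_address)   # amounts enter as strings

def confirm_payment(order: Order, result: dict) -> OrderState:
    """Apply one gateway status result (poll or webhook). Field names are assumed
    placeholders for PayWay's real fields. Finalised orders never change state."""
    if result.get("tran_id") != order.tran_id:
        raise ValueError("status result does not belong to this order")
    if order.state is not OrderState.PENDING:
        return order.state                        # idempotent: already paid/released/held
    if str(result.get("status", "")).upper() != "APPROVED":   # assumed success status
        return order.state                        # still pending or declined: nothing to do
    paid_amount = Decimal(str(result.get("amount", "0")))
    if paid_amount != order.amount or result.get("currency") != order.currency:
        order.state = OrderState.MISMATCH         # never release BTC on a partial/wrong payment
        order.events.append(("mismatch", result))
        return order.state
    order.state = OrderState.PAID
    order.events.append(("paid", result))
    return order.state

def release_btc(order: Order, send) -> OrderState:
    """Buy and send BTC exactly once; send(address, amount, currency) is the caller's
    exchange/wallet routine (an assumption, not a real API)."""
    if order.state is not OrderState.PAID:
        return order.state                        # not paid yet, or already released
    send(order.btc_address, order.amount, order.currency)
    order.state = OrderState.RELEASED
    return order.state
```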
Crypto Acquisition (Exchange or P2P)
After confirming payment, the system must acquire Bitcoin. Option A: Centralized Exchange. If a licensed local exchange API is available (e.g. Royal Group Exchange – RGX), use its API to place a buy order in KHR or USD. The bot’s backend can hold an account on RGX or another exchange, execute a market order for the BTC amount, and specify the user’s wallet address as the withdrawal destination. If no local API exists, a global exchange (e.g. Binance) can be used via API: convert KHR→USDT (ABA Pay often supports USD/KHR) and buy BTC. Ensure the exchange supports KHR or USD deposits. Option B: Peer-to-Peer (P2P). The bot could partner with a P2P trading platform. For example, it might automatically create a trade on Binance P2P or LocalBitcoins using the received KHR. The bot would post a sell order for BTC at a slight premium and, once matched, instruct the platform to release BTC to the user’s address. P2P requires careful escrow handling and introduces settlement delays. In either case, always withdraw purchased BTC promptly to secure cold storage or to the user’s provided wallet. If acting as custodian, use a service such as BitGo or Coinbase Custody’s API to manage keys securely. Recommendation: Automate trades via exchange APIs (e.g. the Binance API) for speed and liquidity. Monitor order book depth to manage slippage.
Additional Local Payment Methods
For broader adoption, integrate other popular Cambodian payment options. Examples include Wing Money and TrueMoney (through a gateway such as Bongloy), Pi Pay/SmartLuy, Ly Hour PayPro, PayGo Wallet, and Bakong. Many can be accessed via APIs or third-party aggregators. For instance, Wing’s system allows online payments and transfers. Bongloy is a Cambodian payment gateway with an API that connects local payment providers (Wing, TrueMoney, Ly Hour) to merchants. The backend could call Bongloy’s API to collect payments from Wing or TrueMoney users. Bakong is NBC’s own QR-based interbank system; technically, the bot could generate a Bakong QR if partnering with a local bank (Bakong handles bank-to-bank transfers via QR). In summary, each additional method requires signing up with that provider and calling its payment API or webhook. Options include:
- Wing (via WingPay or WingB2B)
- TrueMoney (via TrueMoney wallet or P2P)
- PayGo (UnionPay virtual card integration)
- Ly Hour PayPro (national e-wallet)
- Bakong QR (via local bank integration)
These should be secondary options when ABA Pay is unavailable. Each integration follows a similar pattern: create a payable transaction and confirm it. For example, Wing’s API (or Bongloy) can transfer KHR from the user’s Wing account to the merchant’s account.
Compliance, KYC and AML
Cambodia now regulates crypto transactions under the NBC’s December 2024 “Prakas on Cryptoassets”. Notably, the NBC only permits “Group 1” crypto (stablecoins/tokenized assets); unbacked crypto like BTC remains restricted. Therefore, this system should enforce strict AML/KYC. KYC: Collect customer identity (ID/passport, full name, phone, address) before any fiat receipt. Use a KYC service or API (e.g. Sumsub, Onfido) to verify documents and perform e-KYC checks. Record KYC documents securely. AML: Set transaction limits and monitor large trades. Any suspicious patterns trigger alerts. You may integrate blockchain analytics (e.g. Chainalysis API) for on-chain monitoring of withdrawal addresses. As a financial service under Cambodian law, register the service as a Virtual Asset Service Provider (VASP) if possible. Implement a Know-Your-Customer workflow in the bot: after the /buy command, if the user is new or not verified, the bot must require KYC completion. NBC guidelines explicitly include “customer due diligence” for digital currency services. Also, enforce country sanctions checks (filter US SDN lists, etc.) and record-keeping of transactions. Provide receipts/invoices for audits.
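The gate the bot runs on /buy, before any payment request is created, can be expressed as a single pure function that reports every reason for refusal. This is an added example, not the page's code and not any KYC provider's API: the caps, the 24-hour window, the sanctions list and the user record are constructed placeholders; real values come from the compliance programme and the screening provider.

```python
from dataclasses import dataclass, field

PER_ORDER_LIMIT_KHR = 4_000_000        # constructed placeholder caps in riel; set from policy
DAILY_LIMIT_KHR = 10_000_000
WINDOW_SECONDS = 24 * 3600
SANCTIONED_NAMES = {"sanctioned example person"}   # constructed stand-in for an SDN-style list


@dataclass
class User:
    telegram_id: int
    full_name: str
    kyc_verified: bool                  # set only after the KYC provider returns a pass
    paid_orders: list = field(default_factory=list)   # (unix_timestamp, amount_khr)


def normalise_name(name: str) -> str:
    return " ".join(name.casefold().split())


def volume_in_window(user: User, now_ts: float) -> int:
    cutoff = now_ts - WINDOW_SECONDS
    return sum(amount for ts, amount in user.paid_orders if ts > cutoff)


def order_gate(user: User, amount_khr: int, now_ts: float) -> list:
    """Reasons the /buy request must be refused; an empty list means it may proceed to
    the payment step. The bot may tell the user about kyc_required and limit reasons;
    a sanctions_hit is escalated to compliance without explanation."""
    reasons = []
    if not user.kyc_verified:
        reasons.append("kyc_required")
    if normalise_name(user.full_name) in SANCTIONED_NAMES:
        reasons.append("sanctions_hit")
    if amount_khr <= 0:
        reasons.append("invalid_amount")
    elif amount_khr > PER_ORDER_LIMIT_KHR:
        reasons.append("per_order_limit")
    elif volume_in_window(user, now_ts) + amount_khr > DAILY_LIMIT_KHR:
        reasons.append("daily_limit")
    return reasons


def record_paid_order(user: User, amount_khr: int, paid_ts: float) -> None:
    """Call after the gateway confirms payment so the rolling window stays accurate."""
    user.paid_orders.append((paid_ts, amount_khr))
```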
Security & Custody
Funds custody: Do not keep large reserves in a hot wallet. Use a hierarchical deterministic (HD) wallet and segregate user funds: only after a successful ABA Pay confirmation should the equivalent BTC be released. Employ multi-signature or hardware wallet solutions (e.g. the BitGo multi-sig API) for server funds. Ideally, keep the bulk of the BTC in a cold storage vault and run a small hot wallet (on an isolated VM) for immediate orders. Data security: Store all API keys and secrets in an encrypted vault (e.g. AWS KMS). The bot must never log sensitive data (no plaintext IDs or keys). Communicate with users only through Telegram, whose bot traffic is carried over HTTPS, and take KYC documents through the secure upload link rather than as chat attachments. Validate user input rigorously to prevent injection attacks. Bot security: Use up-to-date libraries for Telegram (e.g. python-telegram-bot) and patch CVEs promptly. Limit bot admin commands. For user protection, educate users never to share passwords or private keys. For each payment, the bot should double-confirm amounts and addresses to prevent fraud. Consider rate limits and CAPTCHAs (simple math questions) in the bot to thwart automated abuse. Audit the system regularly and conduct penetration tests before launch.
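The input the bot must validate most carefully is the wallet address collected in the /buy flow and double-confirmed here: a mistyped or attacker-substituted address sends the BTC somewhere unrecoverable. This added example (not code from the page or from any wallet library) checks a Bitcoin mainnet address by its own checksum rules: Base58Check with a double-SHA256 for legacy 1.../3... addresses, and the BIP173 bech32 (witness v0) or BIP350 bech32m (v1+) polynomial for bc1... addresses, including case and witness-program length rules. Testnet prefixes are deliberately rejected.

```python
import hashlib

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def _valid_segwit(addr: str) -> bool:
    if addr != addr.lower() and addr != addr.upper():
        return False                                   # mixed case is forbidden
    hrp, sep, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 7 or any(c not in BECH32_CHARSET for c in data):
        return False                                   # mainnet prefix only, no testnet "tb"
    vals = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    checksum = _bech32_polymod(hrp_expanded + vals)    # 1 = bech32, 0x2BC830A3 = bech32m
    version, program_bits = vals[0], 5 * (len(vals) - 7)   # drop version + 6 checksum chars
    program_len = program_bits // 8
    if version == 0:                                   # P2WPKH / P2WSH: bech32, 20 or 32 bytes
        return checksum == 1 and program_len in (20, 32)
    return 1 <= version <= 16 and checksum == 0x2BC830A3 and 2 <= program_len <= 40

def _valid_base58check(addr: str) -> bool:
    if not addr or addr[0] not in "13" or any(c not in BASE58_ALPHABET for c in addr):
        return False                                   # 1 = P2PKH, 3 = P2SH on mainnet
    n = 0
    for c in addr:
        n = n * 58 + BASE58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body   # leading '1' = zero byte
    if len(raw) != 25:                                 # version(1) + hash160(20) + checksum(4)
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]

def is_valid_btc_address(addr: str) -> bool:
    """True only for a well-formed mainnet address; echo it back for the user's explicit confirmation."""
    addr = addr.strip()
    return _valid_segwit(addr) if addr.lower().startswith("bc1") else _valid_base58check(addr)
```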
Implementation Plan & Milestones
- Planning & Design: Define data models (orders, users, KYC status). Draw architecture diagram. Obtain access/credentials: Telegram Bot token, ABA PayWay sandbox keys, chosen exchange account, etc.
- Bot Development: Develop basic Telegram bot flows (using the Telegram Bot API). Test chat commands (/start, /buy, /status).
- Payment Integration: Integrate ABA PayWay API in sandbox. Create “purchase” calls and test dynamic QR generation (Sandbox docs and keys from developer.payway.com.kh). Verify fetching transaction status.
- Crypto Engine: Set up a crypto wallet (e.g. BitGo or exchange wallet). Integrate exchange API (e.g. Binance or RGX) to execute buy orders programmatically. Implement functionality to send BTC to user address.
- KYC/AML Integration: Incorporate or link a KYC provider API. Add verification steps in the bot UI. Implement back-end checks (e.g. limit amounts, watchlists). Document compliance processes.
- Optional Methods: Add one or two alternative payments (e.g. Wing via Bongloy) using their test APIs. Each new method follows similar steps to ABA Pay.
- Security Hardening: Migrate keys to secure storage, enable HTTPS, set up the firewall and logging/monitoring, and perform a security review.
- Testing: Conduct end-to-end testing: simulate user buying BTC via ABA Pay. Check all error cases. Perform a pilot with a small user group.
- Deployment: Switch to production keys (PayWay, exchange). Deploy to cloud. Monitor in real-time logs.
- Iterate & Scale: After launch, gather feedback, optimize bot UX, and scale servers based on load. Ensure ongoing AML reporting and adapt to any regulatory updates.
Each milestone should have deliverables (e.g. working bot in sandbox, KYC functionality, live deployment). The high-level system flow is: User → Telegram Bot → (Generate Payway request) → User pays → (Confirm & Buy BTC) → Exchange/Wallet → Send BTC to User address.
By following this plan and citing the relevant APIs and best practices (PayWay docs, ABA/Cambodia regulations, local payment gateways, Telegram Bot API), a secure, compliant system can be built.