Cryptocurrency and the Dismantling of Terrorism Financing Campaigns

The Department of Justice announced on Aug. 13 that U.S. counterterrorism authorities dismantled a series of sophisticated online fundraising campaigns run by three separate U.S.-designated terrorist organizations. The takedown of these networks underscores their vulnerabilities and also provides valuable lessons for future attempts at countering terrorism financing online.

Two of the campaigns—run by the al-Qassam Brigades (Hamas’s military wing) and donors linked with the jihadist group Hayat Tahrir al-Sham in Syria—had been receiving Bitcoin donations since at least 2019. The third case involved a fake website created at the start of the coronavirus pandemic by a purported Islamic State financial facilitator and hacker based in Turkey. His website claimed to sell personal protective equipment such as N95 masks.

Terrorist organizations draw revenue from a vast array of sources. From expansive territorial control-based revenue to kidnapping-for-ransom to small donations from supporters around the world, terrorist groups have steadily diversified their funding sources over the past few decades. One aspect of that diversification includes expanding into online fundraising, first through traditional online donation platforms and social media, and more recently through cryptocurrencies and other avenues. The global spread of the coronavirus pandemic has pushed terrorist groups to increase their use of online financial services and virtual assets, highlighting concerns raised by the Financial Action Task Force earlier in May. The recently announced multi-campaign disruptions by the Department of Justice, Internal Revenue Service and Department of Homeland Security are certainly a victory for counterterrorism financing efforts. But they also show just how adaptable and versatile terrorist groups can be when it comes to online fundraising—even during a pandemic.

While many of these fundraising campaigns and methods predate the global pandemic, current events have both accelerated and spotlighted terrorist organizations’ efforts. In January 2019, Hamas’s al-Qassam Brigades began to advertise its online Bitcoin fundraising campaign on social media platforms including Twitter. By spring 2019, the organization expanded beyond its social media accounts and began promoting Bitcoin donations on three of its official websites. One of those websites had been in operation since 2006 and previously hosted more than 20,000 English-language articles on Hamas and al-Qassam. However, last year all of those articles were taken down and replaced by a single Bitcoin donation page. When asked by an undercover Homeland Security Investigations agent how donations would be spent, al-Qassam’s official fundraising email responded with promises that donations would be used to buy weapons and train its fighters.

Despite common assumptions that Bitcoin transactions are fully anonymous, U.S. officials used third-party blockchain analysis and personally identifying information from virtual exchanges to track 150 cryptocurrency accounts associated with al-Qassam, and to investigate U.S.-based individuals who donated to these campaigns. Additionally, they charged two Turkish nationals, Mehmet Akti and Hüsamettı̇n Karataş, with operating an unauthorized money service business that involved transactions totaling more than $90 million, and with laundering of monetary instruments. As part of their investigation, U.S. officials seized and covertly operated one of al-Qassam’s websites, forcing the organization to publicly announce that it had lost control of its own website in July 2020.

As al-Qassam was busy building its online fundraising campaign, in April 2019 the administrator of a pro-al-Qaeda Telegram channel began soliciting donations to a Bitcoin address associated with the organization’s Syrian affiliate. In May, the administrator emptied the entire balance of the posted Bitcoin address to a secondary address that served as a central hub for collecting and redistributing funds to and from subsidiary accounts. Between February 2019 and February 2020, more than $175,000 in Bitcoin flowed into the central hub account, about $105,000 of which was then redistributed into the administrator’s account. From there, the administrator was able to cash out by selling Bitcoin on various gift card exchanges.

The owner of the subsidiary account was later traced through a number of other transactions to the administrator of a Telegram channel for Al-Ikhwa, a group that claims to be an independent charity based in Syria but funnels money from Bitcoin donations to armed groups in the area. One of its beneficiaries is Malhama Tactical, a group that provides military training to jihadist organizations such as al-Qaeda’s former affiliate in Syria, Hayat Tahrir al-Sham. The administrator of Al-Ikhwa believed that donations coming into the posted address would be obfuscated by the fact that Bitcoin generates unique addresses for every new transaction and that his Syrian IP addresses would be hidden using Turkish internet connections.

Assuming their crypto-transactions were safely anonymized, the administrators of multiple pro-al-Qaeda Telegram channels began sharing posts containing the Bitcoin addresses. Al-Qaeda-aligned channels such as Reminders From Syria and Al-Sadaqah reshared and forwarded the original posts, and some even generated pictures featuring weapons and statements like “He who equips a fighter in Allah’s cause has taken part in the fighting” next to Bitcoin addresses. Alongside equipping ground fighters, the fundraisers hoped to collect enough donations to purchase drones for artillery adjustments and reconnaissance, and even floated the possibility of purchasing surface-to-air missiles. All in all, U.S. agents traced their donations across 155 associated addresses before dismantling these virtual assets.

Meanwhile, the spread of the coronavirus led one Islamic State operative in Turkey to innovate with new online fundraising schemes. Murat Cakar, a key Islamic State financial facilitator who has been overseeing select hacking operations for years, served as a financial conduit for donations from Islamic State supporters around the world. His accomplices include Zoobia Shahnaz, a lab technician from New York City who defrauded American banking institutions of more than $85,000, the majority of which she laundered through cryptocurrencies like Bitcoin and wired to Cakar before attempting to join the Islamic State in Syria in 2017.

As the rapid spread of the coronavirus left many countries short on personal protective equipment, Cakar saw an opportunity. On Feb. 26, he created a new website under the name FaceMaskCenter, which claimed to sell N95 masks, gloves, goggles and other health products. Cakar used a number of measures to increase the legitimacy of his fake website, including various health facts released by the Food and Drug Administration and the Centers for Disease Control and Prevention about N95 masks, and claims that the FaceMaskCenter company first launched in 1996. Cakar also created a fake Facebook page for FaceMaskCenter and used two other fraudulent websites that he created to post additional advertisements for FaceMaskCenter products.

When asked by a customer in the U.S. about possible masks for hospitals, nursing homes and fire departments, an accomplice of Cakar claimed that FaceMaskCenter could provide up to 100,000 N95 masks. While it was operating, the website accepted payments by Visa, Mastercard and PayPal. After agents with the Internal Revenue Service, Department of Homeland Security and FBI learned of Cakar’s plans, they quickly moved to dismantle his website and related online accounts.

Conclusion

Whether through organizational efforts like al-Qassam’s official donation campaign or through creative individual efforts like Cakar’s N95 mask scheme, terrorist groups continue to be resourceful and innovative when it comes to fundraising online. However, these efforts remain fraught with challenges.

First, as the al-Qassam and pro-al-Qaeda account administrators learned, transactions through Bitcoin and other similar cryptocurrencies are not always as anonymous as they seem. These pseudo-anonymous cryptocurrencies offer law enforcement a number of tools to determine individual identities associated with certain transactions. Although platforms like Telegram offer terrorists a number of operational security features, online fundraising campaigns often spill over into channels that have been infiltrated by officials. Posting Bitcoin addresses in these channels (let alone on official websites) allows third parties to find addresses and run advanced blockchain analyses (such as clustering) on public transactions to monitor any suspicious activity and helps to uncover the identities of the address owner and of the owners of any other associated accounts.

In addition, many virtual exchanges that store and trade cryptocurrencies are subject to anti-money-laundering and counterterrorism financing regulations like know-your-customer rules, or they require registration with the Financial Crimes Enforcement Network (FinCEN) as authorized money service businesses (MSBs). These regulations affect all registered exchanges that involve U.S.-based customers and/or MSBs, and include gathering personally identifiable information about account holders. Despite their best efforts to ensure anonymity, terrorists who use virtual MSBs—authorized and unauthorized—risk popping up on law enforcement radar. Some platforms, such as Telegram and Kik, have tried and failed to avoid registering their own developed crypto-assets with the U.S. Securities and Exchange Commission, another key anti-money-laundering and counterterrorism financing regulatory body. Had their efforts been successful, Telegram and Kik would have circumvented gathering personally identifiable information from their users. Other cryptocurrencies, such as Monero, try to sidestep regulations through identity-protecting measures like ring signatures and stealth addresses, but for now they remain underused.

Second, in the case of Islamic State facilitator Murat Cakar, simply creating a fake online business to scam unwitting customers does not necessarily lead to significant fundraising returns. There is no evidence in the public documents that any online users submitted payments on Cakar’s website. In fact, website registration records that revealed the discrepancy between his website’s declared and actual registration dates ultimately betrayed Cakar’s IP address to law enforcement. Still, the creation of a fake website may not have been intended to dupe unfortunate customers. Past schemes involving the creation of fake websites that advertise nonexistent goods for sale have been used to fund terrorism plots like the failed Mohamed Elshinawy plot of 2018. To fund his planned attack, the Maryland resident received more than $8,000 in payments for fake services rendered through a computer equipment company run by an Islamic State external operations planner. In these scenarios, supporters like Elshinawy and their terrorist organization funders know about the scheme, using fake websites to launder money across international lines to fund attacks.

Finally, while a select number of terrorist groups or individuals may overcome the initial technological innovation phases of early adoption and iteration, these groups have not yet achieved significant and widespread breakthroughs with cryptocurrencies. Online fundraising itself is nothing new, and it should not come as a surprise that Hamas, former al-Qaeda-aligned groups and the Islamic State are bolstering their online fundraising efforts. These groups will continue to suffer some growing pains as they adopt new technologies and adapt to new challenges, especially when it comes to exploring more sophisticated avenues like cryptocurrencies. When terrorist groups do innovate with fundraising, efforts to counter the financing of terrorism must also change with the times