Chainalysis in Action

Chainalysis in Action: Department of Justice Announces Takedown of Two Terrorism Financing Campaigns with Help from Blockchain Analysis

Today, the U.S. Department of Justice (DOJ) announced the disruption of two terrorism financing campaigns that utilized cryptocurrency donations (and a third that didn’t), following a multi-agency investigation conducted by the FBI, HSI, and IRS-CI. The investigation led to the largest ever seizure of cryptocurrency assets related to terrorism financing, with more than $1 million worth of cryptocurrency recovered from terror finance campaigns and financial facilitators operating unlicensed money services businesses (MSBs).

We’re proud to say that Chainalysis tools aided in the investigation of the two campaigns relying on cryptocurrency donations. One of these campaigns was carried out by al-Qaeda and affiliated terror groups, while the other was carried out by the al-Qassam Brigades, the military arm of Hamas and a designated terror organization in most Western countries. Al-Qaeda specifically relied on BitcoinTransfer, a cryptocurrency exchange based in Idlib, Syria that has facilitated several other financing campaigns associated with the group. You can read a full breakdown of BitcoinTransfer’s operations and transaction history in our newest intelligence brief here.

These cases show that the financial facilitators and infrastructure that terrorist groups have traditionally used to move money, such as unlicensed MSBs and hawala networks, have begun to adopt cryptocurrency. Blockchain analysis enables further investigation into the donation campaigns that terrorist groups conduct on social media, as well as the larger underlying financial networks that facilitate their operations. Chainalysis Reactor provides opportunities to uncover who sends funds, who helps launder funds, the goods and services they buy with the funds, and more.

Below, we examine both Al-Qaeda’s and the Al-Qassam Brigades’ cryptocurrency-based terrorism financing campaigns in greater detail and break down how blockchain analysis enabled investigators to stop them.

Al-Qaeda’s terrorism financing donation and money laundering infrastructure

Al-Qaeda, along with several related terrorist groups operating mostly in Syria, launched a cryptocurrency-based infrastructure for receiving and laundering donations for terrorism financing. According to the criminal complaint, these groups used multi-layered transactions to obfuscate the movement of these donations to a central hub of addresses, from which funds are then redistributed to the individual groups. Through blockchain analysis, we’ve identified the BitcoinTransfer Office in Idlib, Syria as the central hub described in the criminal complaint. BitcoinTransfer purports to be a cryptocurrency exchange but has been implicated in several terrorism financing schemes and appears to be fully under the control of terrorist groups. Since the service became active in late December 2018, more than $280,000 worth of Bitcoin has passed through BitcoinTransfer, much of it related to terrorism financing.

While multiple terrorist groups ran their own individual donation pushes, nearly all of them followed a similar strategy. The groups presented themselves as charitable organizations operating in Syria and solicit Bitcoin donations on social media and messaging platforms — mostly Telegram and Facebook. However, despite the charity facade, these groups often published posts indicating that donations would go towards purchasing weapons for militant groups, as we see in the screenshot  below.

In May 2019, agents monitoring the Telegram page of one such group, Tawheed & Jihad Media, saw the administrators promoting a funding campaign for “bullets and rockets for the mujahideen” with a single Bitcoin address listed. That address is labeled as “Defendant Property AQ1” in the DOJ complaint and in the Chainalysis Reactor graph we show below.

Open image in new tab to expand

Agents monitored that address as donations came in, and noticed that the group administrators eventually moved the funds to an address hosted at BitcoinTransfer, which is labeled as “Defendant Property AQ2.”

Using similar analytical techniques, agents observed terrorism financing campaigns conducted by other al-Qaeda-affiliated groups, most of whom solicited donations in similar ways — pretending to be charities while actually funding militant activity — before sending the proceeds on to al-Qaeda’s BitcoinTransfer addresses. Those groups include:

  • Malhama Tactical, a private military contractor that has provided training for and fought alongside several terrorist groups in Syria.
  • Al Sadaqah, another Syrian organization active on social media that purports to be a charity but has been implicated in terrorism financing.
  • Al Ikhwa, a terrorist organization with documented ties to terrorist groups like Hay’at Tahrir al-Sham.
  • Reminders from Syria, a Telegram channel affiliated with terrorist groups that frequently interacts with and boosts content from Al Ikhwa on social media.
  • The Merciful Hands, another Syrian organization active on social media that purports to be a charity but has been associated with armed groups in Syria.

Following this investigation, the DOJ is seeking to seize all funds associated with the al-Qaeda-controlled addresses. However, BitcoinTransfer remains active as a service. Given its facilitation of extensive terrorism financing activity, it’s crucial that cryptocurrency businesses examine past transactions for exposure to BitcoinTransfer and monitor transactions to address any possible future exposure.

The al-Qassam Brigades’ terrorism financing campaign

The Izz ad-Din al-Qassam Brigades (AQB) is the military wing of Hamas and a designated terror organization in the U.S.. We’ve written previously about AQB’s use of cryptocurrency in donation campaigns in our 2020 Crypto Crime Report — you can read the specific excerpt on our blog here and download the entire report here. AQB’s donation campaign occurred in three stages that we delineate based on the cryptocurrency infrastructure used to receive donations. While agents were able to take down AQB’s primary website promoting the campaign (and, apparently, pull the well-known “Rick Roll” prank on incoming visitors), the third stage is ongoing, and has raised 2.39 BTC over 124 transactions as of August 7, 2020.

Undercover agents emailed with the administrators of the AQB website promoting the campaign and confirmed that donations would be used to purchase weapons for Syrian militant groups. Using blockchain analysis, agents were then able to identify 40 Bitcoin addresses of donors who sent funds to AQB donation addresses across any three stages of the campaign. Most of these addresses are hosted at various exchanges.

Open image in new tab to expand

In addition to receiving donations, we also see above that AQB-controlled addresses used an exchange, a Gaza-based MSB, and a payment processor to launder cryptocurrency donations and convert them to cash. We also see a likely administrator paying for encrypted cloud storage services from a provider who accepts Bitcoin.

Finally, agents also identified two Bitcoin addresses associated with an unlicensed MSB that helped AQB convert donations from cryptocurrency into fiat cash. Agents reached out to the exchange hosting those addresses and learned that they belonged to a Turkish national named Mehmet Akti, who owns and operates the unlicensed MSB. Most of the more than $1 million worth of cryptocurrency seized in this investigation comes from Akti’s businesses. According to the DOJ complaint, the main address he used to run his MSB received over $80 million worth of cryptocurrency and U.S. dollar wire transfers between October 2017 and March 2019, though the majority of this was likely unrelated to terrorism financing.

Government and industry must work together against terrorism financing

It’s important that cryptocurrency exchanges and government agencies continue to work together to end terrorism financing campaigns like these and prevent new ones from getting off the ground. We look forward to continuing to supply governments and businesses around the world with the blockchain analysis tools necessary to accomplish those goals. Today, we labeled in our products all cryptocurrency addresses implicated in this investigation, and Chainalysis KYT customers with exposure to these addresses will receive severe alerts in real-time .

Want to learn more about this case? Download our intelligence brief on BitcoinTransfer to learn more about its operations, social media presence, and cryptocurrency transactions related to terrorism financing campaigns.

You can also click here to sign up for our August 25 webinar for a further in-depth look at the blockchain analysis techniques that helped investigators dismantle these networks and how you can leverage Chainalysis tools to fight against this type of dangerous activity.