Update, 3/26/24: OFAC sanctions Al-Law, highlights cryptocurrency address previously identified by NBCTF
On March 26, 2024, OFAC sanctioned Syria-based hawala operator Tawfiq Muhammad Said Al-Law, who was previously identified by NBCTF as having worked with Hezbollah operatives on cryptocurrency funding infrastructure. OFAC included as an identifier on Al-Law’s SDN list entry a cryptocurrency address, also previously identified by NBCTF. That cryptocurrency address is TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG.
Original blog, 6/27/23:
On June 27, 2023, Israeli Defense Minister Yoav Gallant announced an important achievement in the disruption of terrorism financing: Israel’s National Bureau for Counter Terror Financing (NBCTF) has, for the first time ever, seized cryptocurrency from Hezbollah, a heavily sanctioned terrorist group based in Lebanon, and from Iran’s Quds Force, which funds and works extensively with Hezbollah. In total, the agency seized roughly $1.7 million worth of cryptocurrency and disrupted cryptocurrency-based terrorism financing infrastructure jointly run by the two organizations. We’re proud to say that Chainalysis tools played a role in this landmark national security achievement.
NBCTF’s seizure is yet another victory in the fight against cryptocurrency-based terrorism financing, and the details revealed in this announcement also reveal crucial operational details of how Hezbollah and other terrorist groups utilize cryptocurrency. We’ll break down the announcement and some of those details below.
How Iranian and Syrian entities funded Hezbollah with cryptocurrency
Since its inception, Hezbollah has received the bulk of its funding from Iran — in particular from the Iran Quds Force of the Islamic Revolutionary Guard Corps (IRGC) — often via Syrian intermediaries. Revelations from this announcement show that some of that activity has shifted to cryptocurrency, often following a pattern in which funds are moved first from financial facilitators to hawala services and OTC brokers, and then to Hezbollah-controlled addresses at mainstream exchanges. We’ve previously covered the usage of such services for terrorism financing, but those analyses have focused on the laundering of small donations rather than funding from state sponsors like Iran.
The NBCTF seizure focuses on wallets controlled by Tawfiq Muhammad Said Al-Law, a Syria-based hawala operator, who worked with senior Hezbollah operators like Muhammad Qasim Al-Bazzal and Muhammad Ja’far Qasir — both of whom are sanctioned by OFAC — to operate Hezbollah’s crypto funding infrastructure. Qasir in particular is a critical conduit for financial disbursements from Iran’s Quds Force used to fund Hezbollah’s activities.
We can see examples of how funds moved through Al-Law’s wallet on the Chainalysis Reactor graph below.
We can see here how funds move first from financial facilitators to a wallet controlled by Al-Law, and then to a Hezbollah-controlled deposit address at a mainstream exchange. Note also that an Al-Law counterparty address affected by the seizure also transacts with an Iranian exchange. All of the funds shown above, as well as all of the funds seized by NBCTF in this action, were in USDT on the TRON network (USDT-TRON).
List of Hezbollah-affiliated cryptocurrency addresses affected by NBCTF’s seizure
In total, NBCTF includes 40 addresses on the seizure list associated with this action. According to blockchain data, as of this blog’s publication, Tether froze four of those addresses, all of which are visible on the Reactor graph above. Those four addresses are:
- TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG (belongs to Tawfiq Muhammad Said Al-Law)
- TXfKFBPkZTjcjvZLpzZcXeTZVav1VBEmfu
- TJqPocniAs5fyauqLgmRJXdKdfgFGjMTRA
- TCvMMsShKX8vHUxx1GbZ7jf8TRbXDmVfMG
The fight against cryptocurrency-based terrorism financing continues
This NBCTF seizure is important for several reasons, beyond just the fact that it’s the first time any agency has seized cryptocurrency from Hezbollah and Quds Force. The activity we analyze above is one of the first publicly available examples of terrorism financing via cryptocurrency that goes beyond simple, social media-based donation campaigns — in this case, sophisticated state actors were using crypto to funnel money across borders to a dangerous terrorist organization. It also shows that despite victories like Hamas’ recent abandonment of crypto donations due to law enforcement pressure, the fight against crypto-based terrorism financing isn’t yet over. The private and public sectors must continue working together to address this crucial issue. Chainalysis will continue to be a part of those efforts in partnership with our government customers in Israel, the United States, and elsewhere. We look forward to sharing more updates on these efforts when possible.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.