1 Introduction

As cases are prosecuted, and crypto wallets included on many sanctions lists, more new data is becoming available.

Virtual currencies have broad application in criminal contexts.

Terrorist groups raise money through myriad illicit networks, from state sponsors, transnational crime, and occupying territory to exercising the trappings of a crypto state, such as taxation.Footnote 1 This chapter focuses on the way terrorist organizations solicit donations through fraudulent charities which then use front companies to transmit and hide transactions.Footnote 2 Initially, scholars and policymakers were not overly concerned with crypto in terrorism.Footnote 3 Then the United Nations’ Counter-Terrorism Committee Executive Directorate estimated that crypto and other digital assets financed 5 percent of terrorist attacks. That estimate has since risen to 20 percent. Terrorist groups have been shifting to cryptocurrency-based financing, in part because cryptocurrencies have increased viability in complementary and adjacent markets that terrorists frequent, including the darknet.Footnote 4 Yet, the co-optation of cryptocurrency by terrorist groups has received little scholarly attention compared to other crypto-enabled crimes.Footnote 5

Virtual currency, and specifically Decentralized Finance (DeFi), are emerging as the new frontier in terrorist financing. According to congressional testimony by the U.S. Department of Homeland Security, “cryptocurrency has some appealing attributes that have already been exploited by terrorists, and we anticipate violent extremists will continue to use this tool to facilitate their terrorist activities, especially as the technology becomes easier to access and more wide-spread in use in general commerce and the commercial sector.”Footnote 6 Enabling attributes include anonymity, decentralization, global reach, speed, non-repudiation, ease of use, low cost of use, the ability to upgrade anonymity and security, and the ability to move networks to new venues, taking advantage of the uneven development of cryptocurrency regulation between different countries.Footnote 7

DeFi technology operates on peer-to-peer networks with more anonymity than crypto coins such as Bitcoin.Footnote 8 Crypto offers an alternative financial system of transboundary pseudonymous transactions for terrorists. DeFi harnesses the benefits of crypto while expanding anonymity. Compared to the traditional financial system, cryptocurrency is under-regulated and under-enforced: crypto coins are subject to far fewer counter-terrorist financing (CTF)Footnote 9 and anti-money laundering (AML) requirements than fiat currencies.Footnote 10 Alongside traditional mechanisms such as wire transfers and cash, the virtual financial ecosystem is rapidly emerging as a key transnational funding mechanism for terrorism. Al-Qaeda, Jam’at al Tawhid wa’al-Jihad, and al-Nusrah Front have all received crypto through social media.Footnote 11 Their networks then laundered funds through layered transactions using crypto.Footnote 12

DeFi makes accessible financial services such as borrowing, trading, and investing, without relying on banks or brokerages. DeFi is an extension of the traditional financial system insofar as it provides open source, interoperable smart contracts that exist on the blockchain, most often Ethereum. However, any form of DeFi that supports script or coding can develop DeFi protocols throughout their platforms. Examples of DeFi include non-fungible tokens (NFTs), altcoins such as Monero, and tokens.Footnote 13 Whereas banks are required to track and verify the identity of clients and their transactions, DeFi exchanges are only subject to these requirements when they are classified as Virtual Asset Service Providers (VASPs); but for jurisdictions to identify DeFi exchanges and classify them as such is proving difficult.Footnote 14 That makes DeFi vulnerable to being leveraged by terrorist groups to solicit and receive donations, use social media to share wallet IDs, and promptly move funds through exchanges or mixers. The result is a complex web that makes transactions nearly untraceable. DeFi thus heightens the risk of terrorist financing.Footnote 15

Since the introduction of Bitcoin in 2009, cryptocurrency has gained in popularity as an alternative financial system. It has proven popular with illicit actors, especially transnational criminal networks. Cryptocurrency is premised on open access, decentralized finance independent of traditional political and economic institutions such as banks or federal reserves. Instead, cryptocurrency (also referred to as crypto or virtual currency) transactions are recorded on a public ledger accessible on the blockchain. Theoretically devoid of central authority, Bitcoin ushered in an alternative financial system. Other virtual currencies emerged alongside technological advances and social responses. Crypto has experienced numerous crashes, and coins have collapsed, many because of fraud allegations. Still, crypto has grown into a multibillion-dollar industry.

Concerns about a putative nexus between crime and terrorism are well known.Footnote 16 Yet, concerns about the role of virtual currency in terrorism previously seemed farfetched given the public ledger of the blockchain. Now, not only have terrorist groups begun leveraging cryptocurrency as a financing tool, but they are also integrating DeFi technology. DeFi and crypto markets overlap: many crypto coins are decentralized, non-custodial, community driven, and operate on distributed ledger technology (DLT).Footnote 17 However, this is not a given; many forms of cryptocurrency, such as coins that are backed by central banks as well as stablecoins, are centralized and operate with a degree of oversight. Mainstream coins such as Bitcoin are centralized and not DeFi. In fact, relative to total crypto assets, DeFi markets are small. Still, DeFi is quickly becoming integral, not only to the crypto-crime nexus, but especially to the crypto-terror nexus.

The chapter is driven by recommendations made by the Financial Action Task Force (FATF) to evaluate the current regulatory environment of cryptocurrency and DeFi. FATF has a mandate to develop a global CTF regime, in collaboration with committees of the European Union (EU) and United Nations (UN).Footnote 18 State jurisdictions and national financial intelligence units are then responsible for implementing the regime. Organizations such as FATF, the EU, and the UN have mandates to combat financial crime, particularly money laundering. Due to pressure to mobilize counter-terrorism efforts expeditiously post-9/11, CTF rules were grafted onto pre-existing regulations and legislation that had originally been developed as AML protocols. The resulting regulatory standard has effectively resulted in the same instrument being used to contain two types of crimes that are quite different in character.Footnote 19 But just how effective FATF’s recommendations and regulations in compliant jurisdictions really are is up for debate.Footnote 20

This research has three objectives: (1) To ascertain the conditions under which terrorist groups use cryptocurrency and/or DeFi to fund their activities. (2) To draw on the Al-Qaeda Joint Campaign and the Al-Qassam Brigades Campaign case studies to inform our understanding of cryptocurrency-enabled crime in the illicit international political economy (IIPE). (3) For findings to inform regulatory recommendations for domestic actors and FATF. The chapter’s two case studies, review of the literature, and overview of the novel terrorism dataset on which it draws point to an emerging crypto-crime-terror nexus: terrorist organizations are using cryptocurrency to raise funds through criminal ventures. Under-regulation makes crypto and DeFi an attractive option for criminals and terrorists alike. This inference from our data and literature review leads us to conclude that current FATF standards on terrorist financing are inadequate given the scale of risk posed by virtual currencies and DeFi in financing terrorist groups, their activities, and attacks. FATF needs to include DeFi in updated guidance for Virtual Assets and Virtual Asset Service Providers (VASPs) to make the technology and degree of central authority verifiable. Unless standards are adapted, or new standards developed, that account for software, DeFi technologies will remain vulnerable to exploitation by bad actors.Footnote 21 To be sure, this will vary by blockchain, technology and jurisdiction. For FATF to offer no clear, specific guidance on DeFi regulations amounts to a failure and an abdication of its mandate.

The chapter is organized accordingly. First, a section on materials and methods outlines the role of FATF in curtailing terrorist financing, reviews the literature, and introduces key methods and terms. Second, the chapter reviews the relationship between cryptocurrency and terrorist financing. Third, case studies of the Al-Qassam Brigades and Al Qaeda illustrate the role of cryptocurrency and DeFi in terrorist fundraising. The chapter concludes by assessing the relationship between virtual currency, DeFi, and financing terrorism.

Literature relevant to the role of cryptocurrency as a terrorist financing tool is limited, and public legal documents and data are scarce. This is true to an even greater extent for DeFi, which is almost entirely unaccounted for in the literature and policy discussions of crypto and crypto-enabled crime. This information failure is significant. First, cryptocurrency operates with minimal government oversight. As a result, information on crypto is not readily available at the same rate as government information on other types of financial transactions that underpin the economy. Research can thus play an outsized role in ascertaining the value and risk of cryptocurrency. Second, terrorist financing has significant implications: from harms to destruction of infrastructure and radicalization. Third, cryptocurrency is already being used at a scale to enable other crimes. Yet, FATF’s recommendations do not differentiate among crypto nuances in enabling and perpetrating different crimes.Footnote 22

2 Materials and Methods

2.1 Key Terms

This section reviews concepts that are key to understanding how cryptocurrency is leveraged to finance terrorism: Bitcoin, decentralized coins, centralized coins, fiat currency, altcoins, distributed ledger technology, decentralized finance (DeFi), crypto bridges, crypto mixers, and cryptocurrency exchanges.

Bitcoin was the first cryptocurrency to market. It is created through a process called “mining”, which requires solving a complex mathematical problem with an easily verifiable solution. Each Bitcoin has its own solution, and once the solution is found it is added to the blockchain, ensuring it cannot be “mined” again. This process is expensive and resource-intensive, requiring a lot of time, expensive computer hardware, and a lot of electricity.Footnote 23 Bitcoin is a fiduciary currency: once it is mined, it has no intrinsic value other than in exchange. Although the market price fluctuates regularly, the value of Bitcoin relative to fiat currencies is high.

Most cryptocurrencies are decentralized coins, including Bitcoin. Decentralized coins facilitate peer-to-peer transactions with limited oversight from a central authority such as a bank or government.Footnote 24 These currencies exist as a means of circumventing power structures inherent to centralized coin systems.

Decentralized finance is a sector of the financial system that was built on principles of being open source, near anonymous, financially inclusive, and separate from central authority. DeFi takes place on the blockchain, for example the Ethereum Blockchain. DeFi technology often does not require verification of identity, which makes crimes that involve DeFi coins or exchanges difficult to trace.Footnote 25 These transactions involve some form of peer-to-peer exchange and often use smart contracts and self-executing code to manage the blockchain.Footnote 26

Centralized coins are owned or operated by a central authority with oversight. Unlike decentralized coins, centralized coin transactions must go through and operate within a central exchange monitored by an authority.Footnote 27

Centralized coins include fiat currencies: monies that are created and regulated by a sovereign nation state (i.e., the US dollar). Fiat currencies can be converted into other fiat currencies, where their relative value is determined on foreign exchange markets.Footnote 28

In a non-digital context, altcoins refer to currencies other than a given fiat currency. In cryptocurrency circles, the term altcoin encompasses all cryptocurrencies other than Bitcoin. Most altcoins use blockchain technology like that of Bitcoin and aim to improve on and complement Bitcoin features.Footnote 29 Altcoins are frequently used in conjunction with Bitcoin and fiat currencies to enable virtual money-laundering.Footnote 30

Financial institutions use ledgers to ensure that the same money is not spent twice. In centralized networks, each institution tracks transactions of individual account holders on an internal ledger. Transactions between financial institutions are then validated by a central ledger. Distributed ledger technology, commonly referred to as blockchains, serves the same purpose in cryptocurrency networks. Blockchains are maintained by the cryptocurrency network and members can verify and validate each transaction. Once a consensus is achieved among the network, a transaction can be added to the blockchain. These ledgers are publicly available, permanent, and cannot be altered.Footnote 31

Crypto bridges allow users to exchange cryptocurrency coins and assets between different blockchains, a process known as “chain hopping”. Bridges are beneficial to criminals because they lack ID verification requirements and allow assets to be easily converted to other blockchains, allowing a large amount of liquidity to flow. These bridges often take place on blockchains smaller in scale with lower security testing and regulatory obligations. Beyond their risks to investors and users and involvement in crime, bridges are particularly susceptible to being hacked and losing funds. Bridge hacks surpassed USD 1 billion in the first quarter of 2023. Bridges are targeted by criminals for their liquidity and high volume of throughflow.Footnote 32

Crypto mixers allow individuals to warp the value of cryptocurrency assets and redistribute them. This process makes it more difficult to trace the movement of funds across public blockchains.Footnote 33

Cryptocurrency exchanges function much like traditional currency exchanges. They provide opportunities for users to exchange crypto assets for other cryptocurrencies or for fiat currencies. These exchanges can be centralized in structure, or peer-to-peer. While some exchanges operate legally, other cryptocurrency exchanges specialize in cryptocurrency originating from or providing funding to illicit activities.Footnote 34

2.2 Illicit International Political Economy

This chapter draws on recent work on money and crypto laundering, especially its role in the Illicit International Political Economy (IIPE). IIPE gauges political and economic variables of illicit transnational trade. As in the legal economy, distinct trends manifest across networks, geography, and flows of goods in IIPE, which focuses on globalization, financial flows, and the role of the state.Footnote 35 Past research on IIPE has focused on the role of digital currency;Footnote 36 the intersection between licit and illicit markets and policy;Footnote 37 and cross-border cooperation.Footnote 38 This chapter expands this work by analyzing the use of virtual currency by terrorist groups, specifically the growing role of DeFi within the broader IIPE.

2.3 Literature Review

This chapter makes three contributions to the literature. First, it contributes to the research on cryptocurrency, DeFi, and terrorist financing. Second, it presents a proof-of-concept argument that terrorist organizations are actively integrating DeFi into their financing networks. It raises the issue of DeFi in the financial regulation of cryptocurrencies. Implications of this gap are the third contribution of the chapter. It contributes new data to scholarship on cryptocurrency and terrorist financing by drawing on case studies of crypto and DeFi in terrorist financing networks and identifying trends within these cases while situating them in the context of the crypto-crime nexus. In addition, this chapter contributes to novel research in the field of IIPE, notably crypto laundering and the role of DeFi within the IIPE.

Notwithstanding extant literature on terrorist financing in the traditional financial system, research on cryptocurrency and terrorist financing is still relatively new, and there is a significant gap in the literature on DeFi in general, and its use for criminal purposes in particular. Extant literature that discusses crypto terrorist financing is generally restricted to theory, with little supporting evidence. That scholarship has significant limitations. A large subset is specific to Bitcoin rather than cryptocurrency broadly, and discussion of terrorist entities is often restricted to the Middle East; right-wing extremism and other forms of terrorism are generally absent. The research that has been conducted flags cryptocurrency as an alternative financial system that is attractive to terrorists for the same reason it is popular with criminals: anonymity, decentralization, and globalized reach.Footnote 39 Cryptocurrency transactions are also irreversible and low-cost.Footnote 40 As a high-value commodity, it can be used to create venture capital, which matters to terrorist organizations that operate in regions that have weak financial infrastructure or domestic instability.Footnote 41 While plenty of crypto regulation has been developed in recent years, much of it has been achieved through adjustments to existing legal or regulatory frameworks developed for traditional financial systems. Some scholars have argued that the unique attributes of cryptocurrencies such as Bitcoin are not adequately covered by these existing frameworks, making it difficult to devise effective regulation.Footnote 42

2.4 Methodology

This research is based on data on transnational crypto laundering and crypto-funded terrorist financing that was distilled from a larger original dataset on prosecutions of cases of transnational terrorist financing. The chapter analyzes observations in the context of the existing literature, synthesizes findings and identifies priority areas for future research and policy.

The dataset is comprised largely of terrorist financing prosecutions in rule-of-law jurisdictions: the United States, Canada, and Europe. The scope of transnational terrorist financing activities is thus limited to information collected and which the prosecution has opted to disclose. A funnelling effect thus limits the evidence presented in legal contexts and publicly available. These limitations are exacerbated by the pseudonymity and highly adaptable nature of cryptocurrencies used in terrorist financing contexts, which is compounded by cryptocurrency regulation and monitoring practices across global jurisdictions.

Notwithstanding evidentiary limitations, the chapter still makes an important contribution to advancing the understanding of the relationship between cryptocurrency and terrorism. The use of cryptocurrency in terrorist financing networks is postulated widely in the literature, but actual evidence is scant—in part, at least, due to a dearth of prosecutions of related offences. Hardly any literature exists on the intersection of terrorist financing and DeFi. The cases reviewed in this chapter are part of a dataset of 43 other cases of transnational terrorist financing. However, the two cases in this chapter are so different from the other cases that they warrant a discrete analysis. The coding instrument is comprised of variables such as investor identity and location, recipient identity and location, financial intermediary identification and location, banks, type of currency, value transferred, value raised, etc. Other legal documents, news sources, blogs, corporate reporting, and informal interviews are used to triangulate results and expand the number of data points.

3 FATF’s Counterterrorism Recommendations

Countering terrorism became a priority for FATF after the terrorist attacks of 9/11 in 2001 in New York City, and was re-prioritized following 2015 when attacks around the world were attributed to the Islamic State (IS) and Al Qaeda.Footnote 43 FATF sets the global standard of CTF, AML, and counter-proliferation financing recommendations at the international and domestic levels and requires relevant risk assessments. It does not develop or implement regulations, and it does not formally define risks or set risk assessment standards. Rather, it develops standards and provides specific recommendations to inform the development of regulation by individual jurisdictions. FATF has published relevant reports on terrorist financing for decades,Footnote 44 but with little attention to virtual currencies. Instead, FATF’s recommendations are focused on traditional forms of terrorist financing, particularly in the Middle East and West Africa. A recent report on risk factors associated with Right Wing Extremism and terrorism is the exception. It observes that a recent decline in credit card access has incentivized some terrorist groups to use virtual assets, most notably Bitcoin.Footnote 45 These reports highlight the role of cash, foreign currencies, NGOs, recruitment, and risk assessment; virtual assets are conspicuously absent.

As the international watchdog for terrorist financing, proliferation financing, and money-laundering activities, FATF sets international standards in CTF, counter-proliferation financing, and AML regulation.Footnote 46 These standards are applicable to banks and other financial institutions, not individual behaviour. This can present a challenge in CTF and AML regulation, as these crimes are perpetrated by actors who fall outside of the scope of FATF standards. FATF is funded by 39 member countries and observed by over 20 organizations, including the United Nations. As a policy diffusion body, FATF’s standards and mandates hold sway. Jurisdictions are expected to develop regulations in accordance with FATF recommendations and mandates. Jurisdictions with strategic deficiencies are placed on one of two lists.Footnote 47 The Black List is comprised of jurisdictions with serious strategic deficiencies. Other jurisdictions have been called upon to apply enhanced due diligence and, in some cases, apply countermeasures to reduce international risks stemming from illicit financial activities within blacklisted regions. Those on the Grey List have strategic deficiencies that they have committed to resolve and are under increased monitoring.Footnote 48

FATF has been the most proactive international body in identifying and responding to the risks cryptocurrency poses as a terrorist financing tool. In 2018, it amended mandatory recommendation 15 by explicitly stating that it applied to financial activities involving cryptocurrency, and ensured cryptocurrencies were identified as subject to other mandatory recommendations by adding the terms “virtual asset” and “virtual asset service providers” to its definitions.Footnote 49 Virtual asset service providers (VASPs) are subject to the most stringent oversight—all jurisdictions of the FATF must establish VASP licencing or registration requirements, in addition to being subject to the same obligations as other financial intermediaries. These obligations include conducting customer due diligence and monitoring, recordkeeping, submissions of suspicious transaction reports, and screening of transactions and customers. VASPs are required to obtain, hold, and transmit originator and beneficiary information immediately when conducting virtual asset transactions. However, VASPs are only subject to oversight when they are licenced and registered, and registration or licencing is not a requirement in many jurisdictions.Footnote 50 Virtual asset (VA) transfers over 1000 Euros trigger FATF cross-border customer due diligence requirements. This threshold is relatively low. FATF features a single report published in 2020 on virtual assets and terrorist financing, entitled Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing. While the combined outputs of FATF’s recommendations and requirements are a good step forward, implementation and enforcement vary widely across FATF jurisdictions,Footnote 51 which significantly limits the practical impact of these regulations. It is also hard to assess the success of these regulations. 
Although cryptocurrency has been identified as a means of terrorist financing, evaluating the extent of its use in terrorism financing is a challenge due to the difficulty in prosecuting crypto terrorist financing cases.

4 Cryptocurrency and Terrorist Financing

4.1 Overview: Cryptocurrency and Terrorist Financing

Terrorist financing refers to the process by which terrorists accumulate funds. Often the funds used to finance terrorism originate from legitimate sources, but enable illicit activities.Footnote 52 Terrorist financing networks often appear “remarkably ordinary”, with small amounts being moved through legitimate channels such as bank transfers, cash, and other money services providers.Footnote 53 Those involved in terrorist financing networks may be guilty of additional crimes such as offshore tax evasion and international money laundering, depending on how funds are reported and transported across borders. Terrorists also use illicit means of generating resources, ranging from petty theft and money laundering to kidnapping and extortion.Footnote 54 Terrorist financing is consequential, contributing to geopolitical risks, regional instability, impaired economic development, and instability of financial markets in affected regions.Footnote 55

The introduction of cryptocurrencies has caused an evolution in terrorist resourcing models, resulting in cases that differ from traditional terrorist financing schemes. Cryptocurrency transactions and assets cannot be frozen and are difficult to confiscate because they exist virtually. Compared to traditional financing mechanisms, that complicates disruption.Footnote 56 Crypto also lends itself to terrorist financing because of its anonymity, security, ease of movement, and untethered nature, and the uneven regulatory practices which exist between different countries make it especially attractive.Footnote 57 In particular, USDT, Bitcoin, and decentralized finance have gained in popularity among terrorist groups in recent years.Footnote 58

Dozens of terrorist financing campaigns utilizing cryptocurrencies were identified in 2022,Footnote 59 and one analysis suggested that there may be a significant long-run link between Bitcoin transactions and terrorist financing.Footnote 60 However, much of the scholarship on crypto-enabled terrorist financing highlights the ways crypto lends itself to terrorist resourcing networks, and research on the extent and impact cryptocurrency has had on terrorist financing is limited. How does the use of cryptocurrency change the dynamics of terrorist financing models, and how do terrorist agents accrue and use cryptocurrencies? Answering these questions will help gauge crypto’s broader impact on the IIPE. This is all the more important given the significant risks terrorist financing poses to international security and economic stability within affected countries.

4.2 Cryptocurrency Case Study: Al-Qaeda Joint Campaign

From late 2018 until mid-2020, Al-Qaeda, Al-Nusra Front (ANF), Hay-at Tahrir Al-Sham (HTS), and other affiliated terrorist groups conducted a fundraising campaign using Bitcoin. The period of solicitation began via a Telegram group, where Bitcoin donations to an address serving as a repository were specifically requested by the group administrator. All donations sent to this repository were later moved to a central hub via a cluster of Bitcoin addresses. This hub was used to collect and redistribute funds for the remainder of the campaign. Multiple charities and businesses affiliated with terrorist activities also posted virtual currency exchange deposits to their respective Telegram and Twitter channels for the purpose of contributing to the fundraising effort. Donations made via PayPal, MoneyGram, and Western Union were also encouraged by these affiliates. Funds raised by these organizations were linked to the financing network via clusters of Bitcoin addresses and deposits made to the central hub. Specifically, Leave an Impact Before Departure, Al Ikwah, Malhama Tactical, Reminders from Syria, and Al Sadaqah were implicated as affiliated organizations. Al Ikwah was associated with a total of 15 Bitcoin addresses, four of which were posted to Facebook and eleven of which were posted to Telegram. Malhama Tactical posted two Bitcoin addresses on Twitter which were connected to a cluster of 23 Bitcoin addresses used to distribute funds throughout the network. Two virtual currency exchanges were used to transfer money collected by the financing network and launder it through mixing services.Footnote 61

An undercover agent was able to contact an administrator of the Reminders from Syria Telegram channel, asking to donate Bitcoin. The administrator provided a Bitcoin address that was later clustered with two others, in addition to his own personal Bitcoin wallet. Along with ongoing social media presence, this was used to generate donations and made it possible to identify some actors in this network. However, other actors could only be identified via Bitcoin addresses. A number of these addresses originated in Idlib, Syria.Footnote 62 This was also the location of the central hub, which was hosted by a publicly registered cryptocurrency exchange known as BitcoinTransfer.Footnote 63 The use of both Telegram and BitcoinTransfer in this case is consistent with law enforcement records indicating a history of use by Al-Qaeda. Millions of dollars were generated through this network. Some of the funds were used in gift card exchanges and to purchase online Bitcoin gaming vouchers in a manner consistent with money laundering.Footnote 64 The Bitcoin Terror Takedown Team composed of FBI, IRS-CI Cyber Crimes, and HSI agents detected and investigated this case.Footnote 65 In total, 155 virtual currency assets were implicated. The assets were civilly prosecuted in U.S. District Court.Footnote 66

5 DeFi and Terrorism

5.1 Overview of DeFi

The ascent of DeFi is cause for concern from law enforcement and counterterrorism agencies. In the United States, the Office of Foreign Assets Control (OFAC) sanctioned crypto mixer Tornado Cash for enabling sanctions evasion using cryptocurrency. Almost half of the funds (49.6 percent) originated with “Defi protocols”.Footnote 67 Tornado Cash is an example of a smart contract-based mixer, similar to other mixers and bridges. Their code runs without central oversight; so, when a mixer such as Tornado Cash is sanctioned, it continues to run, which places a significant onus on VASPs to be vigilant against platforms that may interact with the mixer. This creates regulatory complications. DeFi technology that continues to run independent of sanctions and human oversight can be used by terrorist groups to facilitate financing. For example, a group can crowdsource donations to a DeFi coin and easily distort the source of those funds using mixers or bridges. Taking particular care to engage only with smart contract services allows for simple distortion of funds with no identification or transaction transparency required.

While there is growing risk associated with truly decentralized DeFi technology, many DeFi services have a centralized authority that performs some blockchain management. For example, many forms of DeFi use the Ethereum blockchain, which has a small group overseeing the blockchain. This means that in some cases DeFi entities are susceptible to the AML, KYC, and CTF measures put in place for their parent organizations and are simply not meeting their obligations. The U.S. Department of the Treasury has identified DeFi services being used in terrorist financing, among other crimes. Specifically, DeFi services are being selected to launder illicit funds using mixers, bridges, and coins with a perceived lack of oversight. Although noncompliance is pegged as an overarching issue, there is little proof to this effect.Footnote 68

5.2 DeFi Case Study: Al-Qassam Brigades Campaign

From 2019 until mid-2020, the Al-Qassam Brigades perpetrated a three-stage fundraising campaign via social media platforms and websites affiliated with the military wing of the terrorist organization Hamas. In the first stage, donations were solicited via Twitter and other social media platforms as requests for Bitcoin deposits. These deposits were made to a single address hosted at the US Bitcoin Exchange. In the second stage, the Al-Qassam Brigades maintained the request for donations to be sent to a single address; however, this address was hosted within Al-Qassam Brigades-controlled infrastructure. In the final stage, the Al-Qassam Brigades developed and deployed technology that generated a new Bitcoin address for every individual donation made. In total, 53 virtual currency accounts, 127 virtual currency properties, 5 accounts held at traditional financial institutions, and three websites were implicated. At least 12 virtual currency exchanges were used, in addition to 26 financial intermediaries. The locations of most actors involved in this network were not identified, although one individual was identified via an email address, and another was identified by name through association with an unregistered money service business involved in the financing network. The origin of some Bitcoin addresses could also be traced to Turkey and the Palestinian Territories. The money service business (MSB) converted the Bitcoin donations received into centralized currencies and assets such as gift cards. Wire transfers of U.S. dollars were also converted to altcoins and Bitcoin by this money service business.Footnote 69 In this case, altcoins included Ethereum, XRP, and EOS. The use of altcoins in this case is consistent with virtual money laundering.Footnote 70 Amounts totaled approximately $168,200,812 USD, 13,987.1543833 Bitcoin, 11,824 Ether, 188,043 EOS, and 1,080,609 XRP. In USD, the value of these combined currencies totals approximately $558,383,568.

Using third-party anti-money laundering software, investigators disrupted the network and initiated legal proceedings. Agents from the Federal Bureau of Investigation (FBI), the Internal Revenue Service’s Criminal Investigation (IRS-CI) Cyber Crime Unit, and Homeland Security Investigations (HSI) collaborated as part of the Bitcoin Terror Takedown Team.Footnote 71 The case was brought against the virtual currency accounts, virtual currency properties, financial institution accounts, and websites in U.S. civil court.Footnote 72

6 Implications and Recommendations

6.1 DeFi Regulation

While FATF requirements related to VASPs and virtual assets may technically apply to DeFi, the nature of DeFi makes them irrelevant. The majority of FATF requirements and recommendations hinge on the collection of identifying information from parties engaging in virtual asset transactions.Footnote 73 DeFi operates, at least hypothetically, without central oversight.Footnote 74 The collection of identifying information is, therefore, impossible, and FATF recommendations, if they have been implemented at all, are nugatory. The pseudonymous nature of cryptocurrencies makes them attractive to terrorists and other criminal actors such as those involved in OCSEA and ransomware, and legal records show that criminal actors are using them to conduct illicit activities. DeFi maintains the most attractive features of cryptocurrency for illicit actors—anonymity, poor regulation, untethered, easy to move, difficult to trace and confiscate—and scales them up, providing an actually anonymous and almost completely unregulated alternative.Footnote 75 It also facilitates the borrowing and lending of crypto, savings, investments, and more that cryptocurrencies alone do not.Footnote 76 DeFi already has vast links to money laundering, because users are not required to follow AML and KYC protocols.Footnote 77

Bad actors are already mobilizing cryptocurrency networks and integrating elements of DeFi, which puts them on a trajectory to using DeFi as a primary financing tool. Regulating DeFi should, therefore, be a high-level priority for organizations mandated to develop effective counterterrorism and anti-money laundering protocols.Footnote 78 Even without DeFi, investigators in the Al-Qaeda campaign were unable to identify most actors involved in the network. In the Al-Qassam Brigades campaign, which operated in part in an internal network and did utilize DeFi in addition to cryptocurrency, there were even fewer identifiable actors. This anonymity likely explains, in part, the use of a civil prosecution against assets rather than criminal prosecution against individuals, which weakens the legal consequences suffered by the terror cell. Regulation needs to curtail the growth in DeFi as a financial alternative for criminals, notably expanding the FATF definition of VAs and VASPs to include more DeFi entities. Furthermore, crypto and DeFi entities that operate with high volumes of trade should have nuanced and appropriate KYC, CTF, and AML requirements.

6.2 Criminal Behavior

Geography is one explanatory variable for the use of cryptocurrency in these cases. Regions where groups involved in these cases operate are subject to several sanctions, as are the terrorist groups themselves. The Gaza Strip, for example, has been subject to sanctions from IsraelFootnote 79 and the Palestinian Authority,Footnote 80 in addition to international sanctions on Hamas and other terrorist organizations within the region.Footnote 81 Syria as a whole, including Idlib, is also subject to sanctionsFootnote 82 as are terrorist groups in Idlib.Footnote 83 Sanctioning and the remote location of these regions mean travel is restricted and traditional financial infrastructures are inaccessible. The geographic location of these groups may, therefore, incentivize the use of virtual assets, as crypto is accessible where other forms of financing are not. Based on this observation, it seems plausible that groups cut off from other financing opportunities have an incentive to use cryptocurrencies.

Both case studies indicate that terrorist organizations have the capability to use third-party cryptocurrency networks and exchanges with ease, and at least in the case of the Al-Qassam Brigades, they have the capability to build internal crypto networks. These internal crypto networks should be of concern, as they may be insulated from checks and balances that apply to public networks. The sophistication of these cases also indicates that terrorist organizations may, in some ways, be more skilled in the use of cryptocurrencies than other criminals. For example, in the Welcome to Video case of Online Child Sexual Exploitation and Abuse (OCSEA), the perpetrator left behind a trail of identifying information, including transferring funds to personal accounts registered in his own name.Footnote 84 The aforementioned terrorist financing cases do not make the same rookie mistakes. If these terrorist organizations are indeed more skilled than other criminal actors in cryptocurrency, then they may be the first to use DeFi as an illicit tool. This possibility is supported by the presence of DeFi in the Al-Qassam Brigades case. Crimes in these case studies were largely perpetrated by organizations rather than individuals, save for the Welcome to Video case.Footnote 85 This suggests that organizations and individuals may interact differently with the illicit crypto economy, and that organizations may be more successful in evading identification and accountability as a result. Given the long reach and generally sophisticated structure of criminal organizations, better regulatory practices need to be applied and enforced equally across jurisdictions. Otherwise, as in the terrorist financing cases, criminal organizations will operate out of less developed regulatory jurisdictions, which sustains their activities while they evade prosecution.

The pattern of behaviour in these cases differs from traditional terrorist financing cases. The transfer network is more intricate with more nodes but requires fewer total actors, and the actors leverage social media to expand their reach. In addition to the use of social media, the Al-Qassam Brigades case leveraged altcoins and DeFi. Patterns for sanctions evasions are similar.Footnote 86 Both terrorist financing cases and the sanctions evasion case study also used aspects of the traditional financial system as a complement to cryptocurrencies and DeFi, yet law enforcement still failed to identify them. This is unexpected, as DeFi and crypto provide anonymity that traditional financial institutions do not, and activities did not require the use of traditional financing pathways. That is, actors opted to use them despite their proficiency in a financial system more useful for their purposes. Understanding the relationship between traditional financing and DeFi or cryptocurrency warrants further investigation. The presence of partnerships between criminal groups in the Al-Qaeda case is also of interest, as this behaviour was observed less frequently in traditional terrorist financing cases. Ransomware shows similar traits: the Lazarus group partnered with other external groups.Footnote 87 In both cases, the collaboration between criminal groups made it difficult to shut down and mitigate criminal activity. These partnerships present an interesting and unexpected aspect of the crypto-crime nexus that warrants further research. Understanding how these relationships come about and how partnerships are negotiated matters to criminal intelligence and to developing effective regulation.

6.3 The Dark Web

Another explanatory variable for the use of cryptocurrency in these cases is a reliance on transboundary payments. The terrorist groups implicated in the case studies require large amounts of funding to meet their mandates. Owing to lack of prosperity or support among the population and the risk of detection by law enforcement, funding at this scale cannot be reliably collected through fiat currencies or from the region in which the group is operating. Transboundary payments allow the group to solicit more funds with greater discretion. Terrorist groups also require certain materials to meet their mandates, many of which can only be bought through transnational networks. In particular, terrorist groups engage in proliferation financing on the Dark Web, which necessitates transboundary payments.

Opportunities for proliferation financing resulting from crypto-terrorist financing include the Dark Web, which is an illicit marketplace platform that uses cryptocurrency and is frequented by terrorists.Footnote 88 As early as 2010, the cybersecurity firm Procysive estimated that upwards of 300 terrorist forums and 50,000 radical websites were operating on the Dark Web. The Dark Web provides a platform for the buying and selling of prohibited goods critical to terrorist mandates, including weapons of mass destruction (WMDs)Footnote 89 and chemical, biological, radiological, and nuclear (CBRN) materials.Footnote 90,Footnote 91 While the financing networks discussed in this chapter were discovered and prosecuted before funds were used to perpetrate a terrorist attack, previous cases provide evidence that terrorists use the Dark Web to accumulate materials used in terrorist attacks. A 2016 attack in Paris by ISIS was perpetrated using assault rifles bought on the Dark Web, and at a Nuclear Security Summit in the same year, President Obama described how terrorists acquired radioactive isotopes from the Dark Web.Footnote 92 The cases discussed in this chapter represent an evolution through which terrorists can engage in proliferation financing more readily and discreetly. By soliciting donations directly through cryptocurrencies and DeFi, terrorist entities gain funds that are useful on the Dark Web without having to do the potentially traceable work of converting fiat currency into cryptocurrencies.

6.4 Interagency Cooperation

Interagency cooperation was critical to disrupting both terrorist financing cases. Interagency collaboration likely allowed law enforcement officials to identify the “big picture” of the crime, rather than remaining restricted by individual mandates and resources. This indicates a larger need for interagency mandates and collaboration defined by regulations and legal frameworks. But while this works at the national level, transnational interagency collaboration across sovereign jurisdictions remains a challenge. FATF’s recommendations highlight the necessity of cooperation and a collaborative approach between international and domestic actors to contain terrorist resourcing.Footnote 93 Lack of common standards and laws puts lightly-regulated jurisdictions at risk of being exploited by terrorist groups.Footnote 94

In many circumstances, intelligence identifies and tracks terrorist groups by analyzing clusters of payments between parties. In some circumstances, analysts can apply social network analysis to identify individuals who have more connections and are more central to the organizations.Footnote 95 Cryptocurrencies record transactions permanently and publicly, so once specific individuals are identified, their wallet transactions can be identified. Investigating these clusters is one of the most useful tools law enforcement agencies have in tracking down crypto-funded terrorist groups. Ergo, better network mapping and information sharing would benefit investigators who are under-resourced or undertrained on virtual asset investigations.
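The payment clustering and network analysis described above, sketched as an added example that is not from the chapter or from any investigation it cites. It assumes the common-input-ownership heuristic for grouping addresses (the chapter does not name a method) and ranks the resulting clusters by degree centrality; every address and transaction is constructed.

```python
from collections import defaultdict

# Constructed sample ledger (placeholder labels, not real addresses).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["donor_a"], "outputs": ["collect_1"]},
    {"txid": "t2", "inputs": ["donor_b"], "outputs": ["collect_2"]},
    {"txid": "t3", "inputs": ["donor_c"], "outputs": ["collect_3"]},
    {"txid": "t4", "inputs": ["collect_1", "collect_2"], "outputs": ["hub_1"]},
    {"txid": "t5", "inputs": ["collect_2", "collect_3"], "outputs": ["hub_1"]},
    {"txid": "t6", "inputs": ["hub_1"], "outputs": ["cashout_x", "hub_change"]},
    {"txid": "t7", "inputs": ["hub_1", "hub_change"], "outputs": ["cashout_y"]},
]


class UnionFind:
    """Disjoint sets of addresses; each set is one presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)  # deterministic root


def cluster_addresses(txs):
    """Assumed heuristic: addresses spent together in one tx share an owner."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)  # register every address, even singletons
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return uf, dict(clusters)


def cluster_degrees(txs, uf):
    """Degree centrality: number of distinct counterparty clusters."""
    neighbours = defaultdict(set)
    for tx in txs:
        if not tx["inputs"]:  # e.g. coinbase: no sender to link
            continue
        src = uf.find(tx["inputs"][0])
        for out in tx["outputs"]:
            dst = uf.find(out)
            if dst != src:  # ignore change returning to the same cluster
                neighbours[src].add(dst)
                neighbours[dst].add(src)
    return {c: len(n) for c, n in neighbours.items()}


def rank_clusters(txs):
    """Return (sorted member addresses, degree) pairs, most connected first."""
    uf, clusters = cluster_addresses(txs)
    degrees = cluster_degrees(txs, uf)
    ranked = sorted(clusters, key=lambda c: (-degrees.get(c, 0), c))
    return [(sorted(clusters[c]), degrees.get(c, 0)) for c in ranked]


if __name__ == "__main__":
    for members, degree in rank_clusters(SAMPLE_TXS):
        print(degree, members)
```

The common-input heuristic over-merges on CoinJoin-style transactions, where unrelated parties co-sign one spend, so a cluster is an investigative lead rather than attribution.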

6.5 Legal & Regulatory Frameworks

Three patterns emerge from the terrorist crypto-financing cases in this chapter. First, money laundering was required to make cryptocurrency donations useful to the group in both case studies. This overlap between criminal sectors means that terrorist financing regulation developed from AML protocols may be more effective when applied to crypto terrorist financing as opposed to traditional terrorist financing. Since traditional terrorist financing does not necessarily involve money-laundering, coupling traditional CTF to AML regulation is suboptimal.

Regulation is further complicated by the globalized and transboundary nature of cryptocurrency. Effective deterrence of illicit activities necessitates a coordinated international regulatory regime on cryptocurrency.Footnote 96 This grouped regulatory approach may be useful in identifying crypto terrorist financing given its apparent link to money laundering. To be useful, regulations must be properly adapted to apply to cryptocurrencies and universally implemented and enforced. That is, regulations must account for both cryptocurrencies and DeFi, including introducing and improving regulations around collecting identifying information. More importantly, proper adaptation requires appropriate enforcement. Given the globalized nature of DeFi and crypto, jurisdictional implementation and enforcement standards need to be universal; otherwise, terrorist groups will sustain their operations in less stringent jurisdictions. Thus far, FATF standards are neither universally implemented nor are they universally enforced. Recommendations such as those for VASPs may, in some cases, pertain to DeFi, but are difficult to apply and limited in scope. FATF should, therefore, optimize current regulations around virtual assets, VASPs, and cryptocurrency transactions, and develop new ones that apply specifically to DeFi. In addition, local jurisdictions should ensure that current AML, KYC, and CTF obligations, to which DeFi may be subject due to the use of the blockchain, are met. Regulations should be appropriately nuanced, adopted universally and enforced evenly.

Second, in both terrorist financing cases in this chapter, as well as in cases of OCSEA, third-party software was instrumental to the investigative process. In cases involving cryptocurrency, software is complemented by the easily accessible public ledgers that cryptocurrencies use. At least in these instances, criminal intelligence has visibility to identify criminal behaviour. Why they are not doing so is unclear, possibly for lack of staff, skills, or priorities. The need for third-party software in identifying crypto terrorist financing indicates that in cases of DeFi, third-party software is also likely to play a critical role. Without cooperation and consultation with third-party companies it may be difficult to develop investigative protocols that are effective against crypto and DeFi.

Finally, both terrorist financing cases in this chapter were tried in civil court. This is unusual. Terrorism financing cases brought by prosecutors tend to be criminal in nature, with indictments against actors in the network.Footnote 97 In these instances, indictments were brought against virtual assets rather than actors. This is telling: the legal system does not appear to have the means to prosecute these kinds of activities criminally. This may be in part due to a lack of evidence in crypto crime cases—an issue exacerbated by DeFi. The problem thus becomes not only how the legal system might adjust to prosecute such cases, but also how the type and quality of evidence can be improved. The largest obstacle in both terrorist financing cases was the anonymity and ability for terrorist groups to pivot and adapt their networks, such as moving a deposit from a US exchange to an internal network exchange, or the balance transfer of an initial repository to a central hub. Ergo, regulations around these aspects of cryptocurrency should be a priority. The fact that DeFi has perfected these aspects only makes the need for regulation more pressing.

7 Conclusion

This chapter has two key findings: the understanding of the role of DeFi in the crypto-crime nexus and within research is poor, and DeFi and crypto are, indeed, being leveraged by bad actors in the illicit international political economy. The chapter contributes to the literature by establishing that DeFi is being weaponized by terrorist financing schemes, patterns of behaviour can be anticipated, and current regulation is insufficient and, in some ways, wholly lacking. The chapter has identified that an international, universal approach to CTF regulation is necessary to counter the risks of DeFi and crypto effectively as terrorist financing tools. For this to be possible, the entity which sets the standard for CTF protocols must have the ability to ensure the development and enforcement of said protocols. As such, FATF may be inappropriate as the international standard-bearer because of its lack of actual power in developing and enforcing regulation. Further, it would be disadvantageous to have counter crypto-terrorism be a single-entity effort overseen by a single body. Governments and law enforcement agencies should prioritize counter-crypto crime and counter-DeFi projects, and engage with regulatory bodies in efficient, meaningful ways.

The chapter identifies uneven regulatory development as an obstacle to effective CTF protocols. This uneven development is in part a result of ineffective interactions between organizations such as FATF and jurisdictions committed to upholding their standards. The lack of well-implemented regulation and enforcement indicates a disconnect between FATF expectations and government or law enforcement capabilities. Resolving these disparities will require better communication, collaborative development of recommendations, and swift responses to obstacles of enforcement or implementation. Private industry experts and technology firms should be part of a partnership with public entities, with a goal of developing useful and nuanced software that is capable of tracking virtual assets and decentralized finances. There must also be real consequences for states that do not comply with regulations, which puts the international financial system at risk by enabling proliferation and terrorist financing. For lack of a swift, adequate, and achievable regulatory framework, crypto and DeFi are bound to be leveraged by terrorist financing networks and other criminal actors with impunity to great effect.

Research for this article was supported by the Social Sciences and Humanities Research Council of Canada, Insight Grants 435-2022-0862 and 435-2019-1333 and Partnership Grant 895-2021-1007.