Introduction: Aims and Objectives of the CTC Project

Terrorist financing (TF) poses a significant threat to the security and stability of the EU and its member states. The prevention and disruption of TF require international cooperation and advanced investigative techniques based on new technologies. The CTC project capitalizes on an end user-driven methodology, having as its main objective to clearly depict the users’ operational, procedural, and organizational needs, integrating the final outcomes to the developed training and technical solutions. The whole project has been built on four main phases: Phase 1 includes the identification and analysis of use cases and end user requirements, along with the domain trend identification; Phase 2 focuses on the design and development of the CTC training framework with focus on cross-border collaboration and the public-private synergies; Phase 3 outlines (a) the acquisition, ingestion, and processing of financial and financial-related data for detecting malicious and unusual patterns, (b) the development of tools and solutions for the detection and analysis of suspicious patterns in financial transactions based on the data acquired, and (c) the development of agile solutions for sharing of evidence-related information in a secure and timely manner; Phase 4 includes the establishment of a wide stakeholder community of law enforcement agencies (LEAs), financial authorities, private organizations, and academia, along with the information exchange mechanism based on decentralized technologies, to ensure secure and leveled information and intelligence sharing.

Background

Understanding threats and trends in the modus operandi of TF networks is crucial for developing effective countermeasures and mitigating associated risks. In doing so, a comprehensive assessment was conducted that encompassed a thorough review of diverse sources, including public- and private-sector intelligence, police and judicial reports, institutional publications and press releases, EU legislation, academic literature, civil society reports, and media articles. The outcomes of this assessment revealed three primary categories of TF threats and trends. The first category encompasses traditional systems and technologies commonly employed by terrorists to finance their activities. Terrorist financers demonstrate a high level of confidence in using the formal banking system to conduct multiple small-amount deposits, often across different countries and involving cross-border transactions [1]. Bank transfers are sometimes accompanied by hand-transferred cash or integrated into schemes involving shell companies and money transfer services [2]. Hawala networks, both simple and complex, also play a prevalent role in facilitating the transfer of unlawfully obtained funds (e.g., through fraud, extortion, or kidnapping) via various schemes [3] [4]. Furthermore, evidence suggests the use of high-value commodities such as gold and diamonds, often obtained through robberies or smuggled from conflict areas controlled by terrorist groups [5]. The second category revolves around emerging payment systems and obfuscation techniques. Terrorist organizations have increasingly adopted cryptocurrencies, with Bitcoin being the most commonly used, posing a significant risk due to their pseudonymity, high negotiability, and real-time transaction capabilities [6,7,8]. Additionally, terrorists have embraced alternative crypto-based payment methods, including crypto debit and credit cards, Bitcoin ATMs, and local trades [9]. 
To evade detection, terrorist financers employ various obfuscation techniques such as crowdfunding, mixers, digital wallets, chain hopping, NFTs, and engaging in gambling activities within the Metaverse. Financers of terrorism also exploit other financial technologies, such as Internet-based payment systems like PayPal and e-commerce platforms like eBay, either individually or in combination [10]. The third and final category of TF threats pertains to Internet-based communication platforms and social media. Platforms such as Twitter, Telegram, Facebook, Wickr, YouTube, video games, personal blogs, and chat rooms play a crucial role in terrorist activities. These platforms enable terrorists to leverage the digital multiplier effect and reach a large audience with their messages. While fundraising is one aspect, terrorists also use these platforms for other purposes, such as recruiting new members, spreading propaganda messages, and disseminating technical knowledge related to their activities [11].

In parallel to the desk research, the CTC project garnered valuable insights into observed trends in financial transactions by conducting interviews with subject matter experts in anti-money laundering (AML) and counter-terrorist financing (CTF). These interviews adhered strictly to GDPR guidelines to ensure compliance and data protection. To obtain a holistic comprehension of AML/CTF, interviews were conducted with professionals possessing diverse backgrounds and roles, including (a) financial intelligence unit (FIU) experts, (b) AML/CTF analysts, (c) financial experts, (d) policy officers, and (e) AML factory (RegTech/fintech entity). Table 22.1 outlines the main outcomes, which provided the CTC consortium with a comprehensive understanding of the prevailing scenario in this domain, granting access to information not readily available in reports, analyses, policies, or academic papers.

Table 22.1 Main lessons learned from the interviews with experts

The CTC Solution

Having identified the current landscape, gaps, and existing challenges, CTC aimed to function as a well-rounded response to the needs of the relevant end users, who are interested in the most updated information related to TF. In particular, end users need to be able to (a) identify relevant suspicious transactions (fiat and cryptocurrency) and label, classify, and properly annotate them, (b) identify potential networks of interest, (c) detect anomalous patterns and correlate the relevant findings, and (d) merge all relevant information in a suitable and useful format. To this end, the project proposes a combination of tools that aim to track and analyze transactions involving cryptocurrencies as well as traditional financial systems, while providing actionable insights for counter actions.

  1. Cryptocurrency Value Transfer Analysis Platform (CVTA)

To strengthen the capacity of AML/CFT tools, CTC focuses on cryptocurrency transactions, which are typically used by malicious actors to finance their activities. The CVTA tool aims to perform investigations on multiple blockchains and visualize the interactions between different elements regrouping addresses, entities, lists, and types. It analyzes and tracks cryptocurrency transactions by detecting anomalous patterns and providing actionable insights to counter TF in the digital currency domain. The end users will be provided with an in-depth analysis that delves into identifying behavioral and transactional patterns, as well as exploring relationships and interactions within the blockchain network. This analysis will guide them in effectively addressing high or critical risk alerts based on AML/CFT rules and in contributing to solving criminal cases. The outcomes of this analysis will be integrated into subsequent CTC tools such as the multilingual text analysis module (MTAM), the social network analysis module (SNAM), the AI-based pattern recognition of terrorist and criminal activities (AIBPRT), and the cross modal correlation module (CMCM), enabling significant correlations and the recognition of intricate patterns.

  2. Infrastructure for Traditional Currencies Transaction (ITCT)

In parallel to the cryptocurrency transaction analysis, focus has been given to money flows and financial transactions across the financial services supply chain, including cross-border transactions, processing data, and identifying red flags, through an early warning system. The ITCT tool aims to monitor, analyze, and detect suspicious transactions in traditional financial systems, providing comprehensive coverage of both digital and conventional value transfers related to TF. As with the CVTA, the outcomes of this analysis will be integrated into the CTC architecture.

  3. Content Acquisition Tool (CAT)

One of the most crucial issues during a financial investigation in the online domain is for investigators to be able to monitor both the surface and the dark web to discover and identify relevant suspicious links to darknets, and hidden services to online marketplaces. For that reason, both web and social media crawlers have been developed and widely utilized by counter-terrorism units and other relevant actors. As part of the CTC pipeline, the CAT aims to facilitate the discovery and extraction of content relevant to the CTC domain from social media channels, surface websites (also to detect links related to darknet websites), and the dark web. CAT consists of one Web Crawler and one Social Media Crawler. The Web Crawler is responsible for extracting text-based content from surface, deep, and dark web resources. End users provide web entry points of interest (i.e., URLs), and additional sources with content related to terrorist financing are then identified. In parallel, the Social Media Crawler is responsible for the extraction of text-based data from social networks of interest on behalf of the end users, and thus for the discovery of TF-related content. The CAT framework has been built to be privacy aware and GDPR compliant, since the controller applies techniques to pseudonymize any personal data found before storing it in the Data Store.

  4. Multilingual Text Analysis Module (MTAM)

After all the suspicious financial activities have been identified and listed by the previous CTC components, a thorough analysis of the textual findings is of interest to the relevant end users. The main objective of the MTAM is to extract key information nuggets from a continuously updated collection of resources that originate from social media and the surface, deep, and dark web, so that they can be used to identify suspicious activities and events, including indications of illicit trade and funding. This module consists of three subcomponents: multilingual information extraction (MIE), automatic topic modeling (TM), and user-defined topic classification (TC). The MIE component processes the data collection by automatically extracting fine-grained information within multilingual documents, relevant to illicit activities or funding. It consists of two subcomponents, a multilingual named entity recognition (NER) deep learning model and a heuristic component, that together extract entities of interest from a given text. It enables the extraction of named entities in 11 languages, including code-mixing, the extraction of social identifiers, and the extraction of blockchain addresses from four different cryptocurrencies. The TM component is an unsupervised procedure that is based on statistical methods deployed on the set of words in the corpus, which automatically clusters documents of similar semantic meanings and provides insights to the users in terms of similar documents and the topics described in them. Finally, the TC component classifies the instances into user-defined topics. The MTAM uses a combination of natural language processing (NLP) and machine-learning algorithms, trained on multilingual collections of texts, and a set of heuristics and linguistic rules, such as regular expressions, to support the system’s capabilities.
The components of the module are built utilizing publicly available datasets as well as data collected for purposes of the project, hence representing secondary use data, without the inclusion of personal data.

  5. Social Network Analysis Module (SNAM)

The identification of potential networks of interest and, in particular, the community detection based on user interactions along with the key actor identification based on the influence exerted by specific users in each community can play a pivotal role in the investigation of TF activities. The social structure of financial and crypto transactions, as well as the network structures of digital currencies, can be revealed by applying social network analysis (SNA) techniques. These techniques can enhance the understanding of how funds flow and how patterns and relationships emerge in financial transactions. Some studies [12, 13] have used SNA techniques to analyze financial transaction data, while others [14] have focused on specific cryptocurrencies and their network structures. Overall, the use of SNA in the context of financial transactions and crypto transactions has the potential to provide valuable insight into the behavior of market participants and the underlying structure of financial systems. The CTC project aims to analyze online social networks and their associated graphs using the SNAM, which provides a systematic method for uncovering specific information inside a network. To begin with, user groups are being identified based on the frequency and commonality of their interactions (community detection). The community detection feature is made possible by the deployment of innovative AI algorithms that employ graph embedding methods. More specifically, the SNAM tool uses the graph embedding methods DeepWalk [15] and node2vec [16] to produce a low-dimensional vector representation for each graph node given an input social network and its accompanying graph. 
Then, the tool focuses on each of the detected communities to identify its significant individuals or, in other words, those key actors who exercise an influence on other community members, either indirectly or directly, because of the content they contribute or their frequent interactions with one another. The key actor identification utilizes sophisticated centrality measures (e.g., betweenness centrality and PageRank centrality), which estimate the level of influence a community member has as a “bridge” node or as a node that exerts impact beyond their local neighbors. Similarly, the degree centrality identifies users that share many interactions with other users in the same community. The final outcomes of the analysis are depicted in a user-friendly format, to ameliorate and further advance the investigative endeavors.
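The key actor identification described above, as an added example (not CTC project code). It assumes community detection has already run and treats a constructed interaction graph as one detected community; node names and function names are hypothetical. It shows how the "bridge" node found by betweenness can differ from the most-connected node found by degree and PageRank.

```python
from collections import deque

# Constructed interactions inside ONE already-detected community (assumption:
# the embedding-based community detection step has run before this point).
EDGES = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d"), ("c", "d"),
         ("a", "x"), ("b", "x"), ("x", "e"), ("e", "f"), ("e", "g"), ("f", "g")]

def adjacency(edges):
    """Undirected adjacency with sorted neighbour lists (deterministic order)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return {v: sorted(nb) for v, nb in sorted(adj.items())}

def degree_centrality(adj):
    """Share of the other members each user interacts with directly."""
    return {v: len(nb) / (len(adj) - 1) for v, nb in adj.items()}

def pagerank(adj, damping=0.85, iterations=100):
    """Power iteration; every node here has at least one neighbour."""
    n = len(adj)
    rank = dict.fromkeys(adj, 1.0 / n)
    for _ in range(iterations):
        rank = {v: (1 - damping) / n
                   + damping * sum(rank[u] / len(adj[u]) for u in adj[v])
                for v in adj}
    return rank

def betweenness(adj):
    """Brandes' algorithm for an unweighted, undirected graph."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], {v: [] for v in adj}
        paths = dict.fromkeys(adj, 0)   # number of shortest paths from s
        dist = dict.fromkeys(adj, -1)   # hop distance from s
        paths[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    paths[w] += paths[v]
                    preds[w].append(v)
        dep = dict.fromkeys(adj, 0.0)   # dependency of s on each node
        for w in reversed(order):
            for v in preds[w]:
                dep[v] += paths[v] / paths[w] * (1 + dep[w])
            if w != s:
                score[w] += dep[w]
    return {v: sc / 2 for v, sc in score.items()}  # each pair was counted twice

def key_actors(edges):
    """Top-ranked member of the community under each centrality measure."""
    adj = adjacency(edges)
    measures = {"degree": degree_centrality(adj), "pagerank": pagerank(adj),
                "betweenness": betweenness(adj)}
    return {name: max(sc, key=sc.get) for name, sc in measures.items()}
```

In the constructed graph, `x` has only three interactions but every path between the two dense groups runs through it, so it ranks first on betweenness while `a` ranks first on degree.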

  6. AI-Based Pattern Recognition of Terrorist and Criminal Activities (AIBPRT)

The AIBPRT component focuses on pattern detection in traditional finance and cryptocurrency transactions with emphasis on terrorist financing. The aim is to leverage the rich data acquired from various sources and tools of the CTC solution and identify paths of transactions across different platforms. The component delivers an advanced model that utilizes machine-learning research to detect and identify patterns of suspicious events using a time-evolving graph neural network architecture and time-series analysis. The model is designed to handle incoming data by integrating information from different sources, such as traditional financing, cryptocurrency transaction data, and the monitoring of the surface web, social media, and other sources. It incorporates the results of CTC’s advanced techniques for data analysis, entity extraction, and multilingual text analysis to identify specific entities and information related to suspicious activities, including indications of illicit trade and funding. Because all data enter a single large graph, the analysis is able to reveal information beyond any single data source.

  7. Cross-Modal Correlation Module (CMCM)

The financing of terrorist acts forms an interconnected network of interactions that is composed of different modalities (i.e., traditional banking services and cryptocurrencies). For that reason, it is important not only to unveil potential suspicious patterns, but also to correlate and combine information of different types and compose a more thorough overview of a situation. The CTC project has developed the CMCM, which provides a framework that allows for the combination of different modalities with the target to assist the investigation efforts by pinpointing time instances that exhibit irregular transaction activity. The proposed CMCM framework consists of three steps: feature extraction, feature selection, and change point analysis. In the first step, the transaction activity of an entity is provided as input to the module and the feature extraction mechanism generates features in the form of time series that represent multiple facets of the entity’s activity. The next step entails grouping the relevant time series into clusters in an unsupervised manner to perform feature selection and eliminate overlapping information among the several extracted features. Finally, change point detection is applied to the multivariate time series that is formed by the medoids of the formulated clusters to estimate time locations of statistically significant changes. This analysis enables the identification of potential relationships between time instances and event incidents that could have triggered the changes observed in the transaction activity. 
Overall, the developed framework can be used on both traditional banking and cryptocurrency data, serving as a digital forensics tool in two ways: first, it provides a comprehensive overview of the transaction activity by extracting several time series features of interest, and then, it can indicate time instances linked to event occurrences that could be further investigated to identify possible trends and patterns potentially related to illicit actions.
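The three CMCM steps described above, as an added example (not CTC project code). The feature names, the correlation-threshold clustering, and the single mean-shift change point statistic are assumptions chosen for illustration, since the text does not name the algorithms used; the transactions are constructed.

```python
from statistics import mean, pstdev

def constructed_transactions(days=20, shift_day=12):
    """Constructed sample: (day, amount, counterparty); activity jumps at shift_day."""
    txs = []
    for d in range(days):
        n, base = (2 + d % 2, 100) if d < shift_day else (6 + d % 3, 900)
        for k in range(n):
            txs.append((d, base + 10 * ((7 * d + k) % 5), f"cp{k % (1 + d % 3)}"))
    return txs

TXS = constructed_transactions()

def extract_features(txs, days):
    """Step 1: one daily time series per facet of the entity's activity."""
    feats = {"count": [], "total": [], "mean": [], "max": [], "counterparties": []}
    for d in range(days):
        day = [(a, c) for dd, a, c in txs if dd == d]
        amounts = [a for a, _ in day] or [0]          # empty day -> zero activity
        feats["count"].append(len(day))
        feats["total"].append(sum(amounts))
        feats["mean"].append(mean(amounts))
        feats["max"].append(max(amounts))
        feats["counterparties"].append(len({c for _, c in day}))
    return feats

def zscore(xs):
    m, s = mean(xs), pstdev(xs) or 1.0                # guard constant series
    return [(x - m) / s for x in xs]

def corr(xs, ys):
    """Pearson correlation of two equally long series."""
    return mean(a * b for a, b in zip(zscore(xs), zscore(ys)))

def select_medoids(feats, threshold=0.9):
    """Step 2: cluster series with |corr| >= threshold, keep each cluster's medoid."""
    clusters = []
    for name in feats:
        for cl in clusters:
            if all(abs(corr(feats[name], feats[o])) >= threshold for o in cl):
                cl.append(name)
                break
        else:
            clusters.append([name])
    # Medoid: the member most correlated with the rest of its cluster.
    return [max(cl, key=lambda n: sum(abs(corr(feats[n], feats[o])) for o in cl))
            for cl in clusters]

def change_point(series_list):
    """Step 3: split index maximising the summed mean-shift statistic."""
    zs = [zscore(s) for s in series_list]
    n = len(zs[0])
    def score(t):
        return sum(t * (n - t) / n * (mean(z[:t]) - mean(z[t:])) ** 2 for z in zs)
    return max(range(2, n - 1), key=score)

def analyse(txs, days=20):
    feats = extract_features(txs, days)
    medoids = select_medoids(feats)
    return medoids, change_point([feats[m] for m in medoids])
```

On the constructed data, four of the five features collapse into one cluster, the counterparty series stays separate, and the estimated change point is the day the activity level shifts.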

Conclusions and Future Work

To fight TF and prevent money laundering (ML) in the EU, the CTC project aims to make an important step forward. The capacity of the EU to detect, analyze, and predict TF activities is strengthened in terms of speed and accuracy through the use of innovative AI-based tools, while enhancing public-private partnerships (PPP). CTC supports the maintenance, as well as the improvement, of the EU’s security against this persistent threat by harnessing the power of AI, collaboration, and innovation. In this way, the identification and prevention of TF threats by authorities will be improved in the following three pillars:

  1. Facilitation of efficient cooperation and information sharing: In combating TF, the project seeks to foster collaboration among governments and private actors, pulling together intelligence and resources, in order to lead to more comprehensive observations and a consistent response to TF networks and activities.

  2. Increase of understanding on the way terrorists finance themselves: To analyze financial data and gain a clearer understanding of TF methods and trends, the CTC project employs advanced AI algorithms, which provide information essential to support evidence-based policies and strategic decision-making, helping the EU to stay abreast of the ever-changing tactics employed by terrorist organizations.

  3. Awareness raising and development of an innovative culture: Raising awareness on the importance of TF and its implications for the EU is one of the objectives of the project, while highlighting and promoting the culture of innovation and collaboration among all interested parties will lead to a sustained commitment, assistance, and financing for the fight against terrorism.

The CTC project will also integrate a blockchain-based chain of custody that reinforces secure and transparent intelligence sharing among stakeholders. This chain of custody, embedded within the project’s infrastructure, serves as a pivotal tool for secure, transparent, and auditable exchange of intelligence. Through the integration of blockchain technology, the CTC project facilitates the precise creation and access control of file objects that store potential evidence, improving the traceability and verifiability of shared intelligence. This blockchain-enabled evidence-sharing system presents a credible, immutable record of transactions that can be substantiated in a court of law [17]. As such, it strengthens the chain of evidence, having potentially critical implications for the successful prosecution of terrorism financing cases. All tools and modules will be embedded in a user-friendly interface, while their impact will be closely monitored and assessed to ensure their effectiveness and relevance to stakeholders and end users, supporting an effective fight against TF.