Correcting the Record: Inaccurate Methodologies for Estimating Cryptocurrency’s Role in Terrorism Financing

In recent days following the horrific terrorist attack by Hamas in Israel, we have received many questions about how terrorist groups including Hamas, Hezbollah, and the Palestinian Islamic Jihad are leveraging cryptocurrency. Our priority is to support our customers in Israel and around the world who are working to disrupt, freeze, and seize assets that may be used to fund their activities. But we have also seen overstated metrics and flawed analyses of these terrorist groups’ use of cryptocurrency, and feel compelled to address some misconceptions. 

Although terrorism financing is a very small portion of the already very small portion of cryptocurrency transaction volume that is illicit, some terrorist organizations raise, store, and transfer funds using cryptocurrency. Terrorist organizations have historically used and will likely continue to use traditional, fiat-based methods such as financial institutions, hawalas, and shell companies as their primary financing vehicles. 

There is no doubt that funds raised by terrorist organizations – no matter how small – are significant and every method should be investigated. The unique transparency inherent in blockchain technology makes cryptocurrency particularly traceable and thus less suitable for illicit activities, including financing terrorism. Indeed, government agencies and private sector organizations armed with the right blockchain analysis solutions can collaborate to identify and disrupt the flow of funds – a feat not easily achievable with traditional forms of value transfer. In this blog, we discuss common pitfalls in analyzing terrorist flows on the blockchain, specifically related to identifying and tracing through service providers.

The role of service providers 

There are two key components to analyzing the volume and flow of terrorism-related funds: quantifying the funds directly in the hands of a terrorist organization, and identifying the service providers that facilitate the movement of funds tied to terror financing. 

In order to measure the scale of terrorism financing in cryptocurrency and identify opportunities for disruption, investigators and other experts need to understand the role of service providers. When looking at known instances of terrorism financing, service providers such as money services businesses are often involved. One such service is the recently sanctioned Buy Cash, a Gaza-based business that provides money transfer and virtual currency exchange services. These service providers process volumes of funds greater than a typical individual and less than a typical exchange. Some may be more akin to over-the-counter (OTC) brokers while others may be more similar to street-level money businesses like hawalas.    

For example, when we look in Chainalysis Reactor at the counterparties to a wallet known to be affiliated with terror financing, we find at least 20 suspected service providers. 

Open in new tab to enlarge.

Each of these suspected service providers have received between $8.4 million and $1.1 billion in cryptocurrency in total from all of their counterparties. 

Taking a closer look at one of these counterparties, we find more evidence that it is likely some kind of service provider. 

This address processed over 1,300 deposits and 1,200 withdrawals in 7.5 months. Of the roughly $82 million in cryptocurrency received by this address, about $450,000 worth of funds were transferred from the known terror-affiliated wallet. Given the activity of this address, the person or group of people controlling it is likely not the same person that controls the terror-affiliated wallet, but is rather a service provider that knowingly or unknowingly facilitated the terror financing activity. 

Not all funds received by service providers are terrorist funds, but disrupting these facilitators is a priority 

To the untrained eye, it might appear that $82 million worth of cryptocurrency was raised for terror financing in the example above. But it is much more likely that a small portion of these funds were intended for terrorist activity and a majority of the funds processed through the suspected service provider were unrelated. 

We have seen recent estimates related to the attacks on Israel that appear to include all flows to certain service providers that received some funds associated with terrorism financing. In other words, those totals include funds not explicitly related to terrorism financing. Of course, these service providers are supporting terrorism by acting as facilitators, and cutting off terrorist access to them through sanctions or other offensive operations is an important component to disrupting terrorist finance. But it would be incorrect to assume all of the transaction activity conducted by those service providers is related to terrorism.

Tracing through service providers could lead to inaccurate conclusions

Following the flow of funds on the blockchain gets more complicated when someone sends cryptocurrency to an address used by a service provider. When a user sends cryptocurrency to any kind of service, the service pools and co-mingles it with the funds of other users. 

It therefore is often not productive to continue following funds once they’ve been deposited at a service, as the owner of the funds isn’t usually the one moving them after that point. Only the service provider knows which deposits and withdrawals are associated with specific customers, and that information is kept in their order books, which aren’t visible on blockchains or in investigative solutions like Reactor. 

Revisiting our example above, we see that 8 of the 20 suspected service providers that are counterparties to the known terror-affiliated wallet have also transacted with Garantex, a large Russia-based exchange that was sanctioned by OFAC in 2022 for its role in laundering illicit cryptocurrency. 

Open in new tab to enlarge.

In addition to inflating the estimates associated with this terror financing organization, failing to recognize that these addresses are likely service providers and tracing through them could lead to a further incorrect conclusion that terrorist funds were cashed out at, or received funds from Garantex. Realistically, these are just instances where a service provider has processed transactions for both Garantex and the terror-affiliated wallet.

How Chainalysis identifies and measures terrorism financing activity

Given terrorist organizations’ use of service providers across both traditional finance and the blockchain, it is very difficult to provide precise estimates for funds going directly to terrorist organizations, absent information validated by law enforcement through seizures or other enforcement actions. Even then, a careful look at the activity of counterparties should be considered. 

Chainalysis labels terrorist financing activity in our data with the utmost careful consideration. Related to the current conflict, we are working closely with our customers and partners to analyze any funding to Hamas, Hezbollah, the Palestinian Islamic Jihad, and any other terrorist organizations. 

Working together to fight terrorism financing on the blockchain

Given blockchain technology’s inherent transparency and the often public nature of terrorism financing campaigns, cryptocurrency is not an effective solution to finance terrorism at scale. However, even small amounts of funds sent to terrorists can do tremendous damage. When investigating small inflows of funds to terrorism campaigns, law enforcement and intelligence agencies can leverage blockchain analysis to investigate donors, facilitators, and cash out points and partner with private sector organizations to shut down activity. This kind of work has led to seizures of funds related to Hamas, Hezbollah, and other terrorist groups. These successes demonstrate that it is possible to understand and disrupt the financial networks that support terrorism. 

In fact, it’s possible that no one understands the challenges of using cryptocurrency for fundraising better than Hamas. On April 27, 2023, Al-Qassam Brigades (AQB), the military wing of Hamas, announced the shutdown of their longstanding cryptocurrency donation program. AQB cited concerns for the safety of their donors given the prosecution of those who donate through cryptocurrency.

Private sector organizations also play an important role in shutting down terrorism financing activity. Exchanges in particular offer the on- and off-ramps from cryptocurrency to fiat. Conducting Know Your Customer (KYC) due diligence, as well as monitoring transactions for money laundering and sanctions risks using blockchain analysis solutions are crucial to preventing terrorists and other bad actors from using cryptocurrency.

Chainalysis will provide further details on terrorism fundraising activity to the public as opportunities arise while protecting the integrity of ongoing investigations. In the meantime, it’s important to fact check analyses suggesting large totals of terrorism financing and exotic cashout points.  

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.