Investigations | October 23, 2023

Why is terrorism finance tricky?

By Nick Smart

Director of Blockchain Intelligence 

‘One state’s terrorist is another’s freedom fighter’, goes the adage we have all surely heard, and more so in recent times. Defining terrorism, and who is considered a terrorist, is not always universal.

Further compounding this is the method by which terrorists generally raise funds – charitable donations. In these instances, it is hard to distinguish between a legitimate charity, a political organization, and a terrorist group. The key is always in the detail – and typically, the ‘spend’ phase of the financing activity. Proving that a charity or donation campaign is directly supporting terrorism can be extremely hard.

Terrorism Finance 101: Raise, Store, Move, Spend… Crypto? 

Terrorism financing activity (or, for that matter, any fund-raising activity) can be broken down into four stages: Raise, Store, Move, Spend. It is perhaps an oversimplification of the model, but it does provide a useful framework to understand the process.

“Raise” relates to the collection of funds and can be done through licit or illicit means. For example, funds could be derived from charitable donations directly, front organizations, or even legitimate business concerns or investments. In crypto assets, the group will need to consider carefully what they choose to ‘raise’ – which currency to request, how to broadcast any payment information, as well as how it will fit into the later stages of the activity.

“Store” relates to how the funds are stored. Cash, currencies, bank balances, real estate – all of these will be considered as ways to maintain control of funds. The group will need to carefully balance the security risks, such as theft, destruction, or seizure of funds, against the operational needs of the organization. For crypto assets, this generally means the distinction between holding a balance on an exchange and using self-custody.

“Move” relates to the laundering process, as well as getting funds from the donors at the first stage to the operational teams who need them at the last. Crypto assets provide a fairly easy route to the end user as they do not require an intermediary. However, laundering is likely to be necessary to obfuscate the link between the source and the destination.

Finally, “Spend” is the conversion of the raised and laundered funds into some form of operational capability: buying weapons, paying salaries, and so on. Whilst crypto assets do offer a fairly convenient solution to the first three stages, the final “spend” phase may be far more difficult due to the limited opportunities to convert crypto assets, particularly for large expenses such as paying fighters’ salaries. That being said, this perception may now be dated and require re-evaluation in light of recent events.

Not all the things we find can be labelled neatly  

Some of these services, known as ‘nested’ services, operate using the infrastructure and accounts of larger exchanges.

This is sort of like using your bank account as a bank for others. In some cases, services are operated by payment processors that offer a platform for a merchant to receive payment in crypto assets.

This collection process takes a lot of effort   

At Crystal, we have not only language skills but also a cultural understanding of what we’re looking at. We are at great pains to understand the nuance of what we’re collecting. When we find something, we keep notes about where and how we found it. These are completely auditable – if a client asks us ‘Where did you get this from?’ we have an answer for them that lets them decide if the information is credible or not. 

The importance of maintaining  

First and foremost, it allows our clients to examine our work and make informed decisions in contentious cases. If a customer says that something is not what we say it is, we’re able to show the truth of the matter and help teams resolve the conflict. 

Secondly, and perhaps of growing importance, is a new technique we have observed that we describe as ‘signal laundering’.

What is signal laundering? 

Signal laundering is a return to the tried-and-true concept of adding layers of legal entities to a chain of transactions to obfuscate the source of funds. 

Blockchain analytics tools, when used for transaction monitoring, generally work on the aggregation of ‘signals’ to determine the reputation of a transaction or wallet; that is, where the incoming funds have come from and any other interactions the wallet has had.  

For example, if a wallet has received money from a wallet known to belong to a terrorist organization, but also received money from an unlicensed exchange, the reputation of the wallet would be based on the total value of money received from both sources.  

Different types of entity carry different signal strengths. So, in our example, the terrorism finance link will override the unlicensed exchange value and typically produce a high score (or lower, depending on what platform you’re using and how it conveys riskiness).

Peel chains 

One technique that is well understood and can be used to reduce exposure to the high-risk source is known as a ‘peel chain’. In this case, the launderer tries to distance the source of funds from the destination by adding transactions to the chain.

Modern analytics tools are wise to this and can generally see through peel chains. However, not all compliance policies are so wise, and some firms instead look back at a set number of transactions (hops) to determine exposure, reasoning that the distance they look back is enough to determine ultimate control.   
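The scoring and look-back behaviour described above, as an added example that is not Crystal's code or any vendor's algorithm: it aggregates a wallet's exposure by source category, applies the override for a terrorism-finance link, and compares a fixed three-hop compliance policy with a full trace. The severity values, wallet names, transfers and the proportional tracing rule are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed severity per entity category (0-100); real platforms use their own scales.
SEVERITY = {"terrorism_financing": 100, "unlicensed_exchange": 40, "unknown": 20}
OVERRIDE = {"terrorism_financing"}  # any exposure to these pins the score

# Constructed sample data: attribution labels and (sender, receiver, amount) transfers.
LABELS = {"T1": "terrorism_financing", "X1": "unlicensed_exchange"}
TRANSFERS = [
    ("T1", "p1", 10.0), ("p1", "p2", 10.0), ("p2", "p3", 10.0),
    ("p3", "p4", 10.0), ("p4", "dest", 10.0),  # T1 is 5 hops from dest
    ("X1", "dest", 30.0),                       # X1 is 1 hop from dest
]

def exposure(wallet, transfers, labels, max_hops=None):
    """Value received by `wallet`, split by the category of its ultimate source."""
    incoming = defaultdict(list)
    for src, dst, amt in transfers:
        incoming[dst].append((src, amt))
    totals = defaultdict(float)

    def walk(node, fraction, hops, seen):
        for src, amt in incoming[node]:
            share = amt * fraction
            out_of_reach = max_hops is not None and hops + 1 >= max_hops
            if src in labels:
                totals[labels[src]] += share
            elif out_of_reach or src in seen or not incoming[src]:
                totals["unknown"] += share  # trail ends: policy limit, cycle or no inputs
            else:
                total_in = sum(a for _, a in incoming[src])
                walk(src, share / total_in, hops + 1, seen | {src})

    walk(wallet, 1.0, 0, {wallet})
    return dict(totals)

def risk_score(exp):
    """Value-weighted severity, overridden by any exposure to an OVERRIDE category."""
    hits = [c for c in OVERRIDE if exp.get(c, 0) > 0]
    if hits:
        return float(max(SEVERITY[c] for c in hits))
    total = sum(exp.values())
    return sum(SEVERITY[c] * v for c, v in exp.items()) / total if total else 0.0

if __name__ == "__main__":
    for hops in (3, None):
        exp = exposure("dest", TRANSFERS, LABELS, max_hops=hops)
        print(f"max_hops={hops}: exposure={exp} score={risk_score(exp)}")
```

With the three-hop limit the high-risk source falls outside the window and is counted as unknown, so a policy that alerts on a riskiness threshold sees only a moderate score for the same wallet.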

How bad actors evade blockchain analytics 

This brings me to a more fiendish way of evading blockchain analytics – feeding them data that hides the signal’s source.  

Blockchain analytics tools rely on a relentless collection of data from public sources to determine who’s who. By knowing how risk scores are generated, someone looking to defeat a tool by resetting the risk signal could ‘seed’ information about a wallet in a public place or forum that gets picked up and ingested into an analytics dataset.  

The signal now reads as something less dangerous and is probably not picked up by transaction monitoring tools that work on a riskiness threshold.

This is why we, at Crystal, work so hard to verify our data and ensure that it can be audited.  Mass-scraping of addresses, even crowdsourcing, is a sure way to end up with many false positives. We want confidence in our tools but recognize that deception is a very real issue that leaves us vulnerable. 

Transaction monitoring tools can recognize problem sources of funds, but what if they are tricked?  Can you audit the information that was used to make that call? 
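One way to make that call auditable, as an added example rather than Crystal's implementation: every attribution label carries its source, collection date and verification status, and a later unverified claim cannot lower a verified higher-risk label but is held for analyst review instead. The record fields, severity values and resolution rule are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

# Assumed severity per entity category (0-100), for illustration only.
SEVERITY = {"terrorism_financing": 100, "unlicensed_exchange": 40, "charity": 10}

@dataclass(frozen=True)
class Label:
    wallet: str
    category: str
    source: str      # where the claim was found
    collected: str   # ISO date the claim was recorded
    verified: bool   # corroborated by an analyst, not merely scraped

# Constructed sample records; wallets and sources are placeholders.
RECORDS = [
    Label("w1", "terrorism_financing", "analyst case notes", "2023-05-02", True),
    Label("w1", "charity", "public forum post", "2023-09-14", False),
    Label("w2", "unlicensed_exchange", "scraped listing", "2023-08-01", False),
]

def naive_latest(wallet, records):
    """Weak policy: the most recently ingested label wins, whatever its source."""
    mine = [r for r in records if r.wallet == wallet]
    return max(mine, key=lambda r: r.collected).category if mine else None

def resolve(wallet, records):
    """Return (effective label, downgrade alerts); both keep their provenance."""
    mine = [r for r in records if r.wallet == wallet]
    if not mine:
        return None, []
    # Verified labels outrank unverified ones; within a tier, highest severity wins.
    pool = [r for r in mine if r.verified] or mine
    best = max(pool, key=lambda r: SEVERITY[r.category])
    # A later, unverified, lower-risk claim is held for analyst review, not applied.
    alerts = [r for r in mine if not r.verified
              and SEVERITY[r.category] < SEVERITY[best.category]
              and r.collected > best.collected]
    return best, alerts

if __name__ == "__main__":
    for w in ("w1", "w2"):
        best, alerts = resolve(w, RECORDS)
        print(w, "naive:", naive_latest(w, RECORDS), "| resolved:", best.category,
              f"(verified={best.verified}, source={best.source!r})",
              "| held for review:", [a.source for a in alerts])
```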

How to defend against signal laundering 

There are some immediate countermeasures you can employ to defend against signal laundering: 

  • Thorough Onboarding and KYC:
    Creating an accurate client profile will help you to determine if the activity seen is in line with expectations. Transaction monitoring is not a solution to poor onboarding! 
  • Counterparty Entity Source of Funds:
    Having a ‘trusted’ list of counterparties makes sense, but if a payment is from an unknown source, looking at the funds being sent to that entity may help to reveal if there is something untoward. If there is significant exposure to illicit or sanctioned sources, it would be wise to ask further questions.
  • Look at the Service Websites and Marketing Activity
    Examining websites for conflicting information may also provide useful results. Good indicators include unusual currency pairs unsuited to the region of the business (e.g., offering KRW/BTC while being based in Brazil), a website in a different language from that of the place where the business is incorporated, or advertising in a language foreign to the place where it operates.
