When Hamas’s cyber unit posts cryptocurrency wallet addresses on Telegram, they’re not just asking for donations—they’re revealing a sophisticated network of small-scale money services that help convert digital assets into cash. New research from RUSI’s Project CRAAFT, powered by Crystal Intelligence data, exposes how terrorist groups exploit these overlooked intermediaries.
The findings should concern every compliance officer, law enforcement agency, and financial institution working to combat terrorist financing. While traditional methods like cash couriers still dominate, terrorist organizations are integrating virtual assets into their operations in ways that can slip past standard monitoring.
What our investigation revealed
Crystal Intelligence’s investigation team uncovered specific tactics used by Hamas’s “Shadow Unit” to solicit and move cryptocurrency donations. Through our blockchain analytics, we identified:
- Direct solicitation of USDT donations on Telegram channels
- Instructions to donors on using “trusted” money exchange services
- Regular rotation of wallet addresses to evade detection
- Links to over-the-counter (OTC) brokers facilitating conversions
One particularly concerning discovery was that when authorities traced funds tied to Al Qassem Brigades (Hamas’s military wing), they found transaction patterns consistent with OTC cash-to-crypto businesses. These small services—often operating from kiosks in major cities—can unknowingly process terrorist funds when proper compliance checks aren’t in place.
The Lebanon connection: following the money
Our analysis of 32 OTC brokers based in Lebanon revealed the scale of this challenge. These services moved millions in virtual assets to major exchanges:
- 2021: $2.4 million
- 2022: $6.1 million
- 2023: $5.8 million
- 2024: $12.9 million
- 2025 (partial): $1.3 million
The sharp increase suggests growing adoption of these services, whether for legitimate purposes or illicit activities. What makes this particularly challenging for investigators is that Lebanon’s cash-based economy and limited virtual asset regulations create an environment where these services can operate with minimal oversight.
How small exchanges become unwitting accomplices
The research identifies a critical vulnerability in the crypto ecosystem: small conversion services that don’t implement adequate anti-money laundering checks. These businesses offer customers a simple proposition—convert crypto to cash or vice versa—but may unknowingly facilitate terrorist financing.
Our data revealed specific red flags:
- Services receiving funds from sanctioned addresses
- Unusual transaction patterns indicating nested services
- Use of money transfer services like Western Union and MoneyGram for fiat conversions
- Applications openly advertising cash delivery to any location in Lebanon
Two services identified in Israeli seizure warrants showed clear connections to Hezbollah activity. While their websites are now offline, archived versions and app store listings showed they operated like typical OTC brokers, except they processed funds for designated terrorist organizations.
Why compliance teams should care
Traditional transaction monitoring might miss these threats. When a terrorist supporter in Lebanon uses a local OTC broker to convert donations into cash, the transaction might appear as a routine transfer to a major exchange. Without proper know-your-business (KYB) procedures for nested services, exchanges could unknowingly process terrorist funds.
The challenge intensifies because these actors often diversify their activities. Eight out of 20 suspected service providers linked to terrorist wallets also transacted with Garantex, a sanctioned exchange shut down by authorities. This means a case that initially appears to involve simple fraud might actually connect to terrorist financing.
What this means for detection and prevention
For compliance officers and investigators, these findings highlight several critical areas:
- Enhanced monitoring of nested services: Any customer showing OTC broker patterns needs deeper scrutiny, especially if operating in high-risk jurisdictions.
- Geographic risk assessment: Countries with limited crypto regulations and cash-based economies require extra vigilance for conversion services.
- Transaction pattern analysis: Look for addresses receiving many small deposits and making consolidated transfers to exchanges—classic OTC broker behavior.
- Cross-referencing multiple risk indicators: Don’t treat fraud and terrorist financing as separate silos. Bad actors often engage in multiple types of illicit activity.
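The transaction-pattern and cross-referencing checks above can be expressed as a simple screening heuristic. This is an added example, not code from the research or from Crystal Intelligence; the address labels, sample transfers and thresholds are constructed assumptions, and a hit is a reason for analyst review, not a determination.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (sender, receiver, amount_usdt). All labels are invented.
TRANSFERS = (
    [(f"DONOR_{i}", "BROKER_X", amt) for i, amt in enumerate([100, 150, 200, 120, 80, 250])]
    + [("SANC_1", "BROKER_X", 300), ("BROKER_X", "EXCH_A", 1100)]          # fan-in, then consolidation
    + [("P1", "USER_Y", 1000), ("P2", "USER_Y", 40), ("USER_Y", "EXCH_A", 900)]  # ordinary retail user
    + [(f"CUST_{i}", "SHOP_Z", 60) for i in range(6)]
    + [("SHOP_Z", "SUPPLIER", 300)]                                       # merchant, no exchange cash-out
    + [("SANC_1", "WALLET_W", 50)]                                        # sanctioned exposure only
)
EXCHANGE_ADDRS = {"EXCH_A"}      # assumed: known exchange deposit addresses
SANCTIONED_ADDRS = {"SANC_1"}    # assumed: addresses from a sanctions list

def screen_addresses(transfers, exchanges, sanctioned,
                     min_deposits=5, small_max=500.0, consolidation_ratio=5.0):
    """Return {address: [flags]} for addresses matching the red flags.

    otc_fan_in_consolidation: at least `min_deposits` small deposits from
    distinct senders, plus an outbound transfer to an exchange that is at
    least `consolidation_ratio` times the median small deposit.
    sanctioned_inbound: any deposit received directly from a sanctioned address.
    """
    inbound, outbound = defaultdict(list), defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
        outbound[sender].append((receiver, amount))

    findings = {}
    for addr, deposits in inbound.items():
        if addr in exchanges:
            continue  # exchanges naturally aggregate deposits
        small = [a for _, a in deposits if a <= small_max]
        senders = {s for s, a in deposits if a <= small_max}
        to_exchange = [a for r, a in outbound.get(addr, []) if r in exchanges]
        flags = []
        if (len(small) >= min_deposits and len(senders) >= min_deposits
                and to_exchange
                and max(to_exchange) >= consolidation_ratio * median(small)):
            flags.append("otc_fan_in_consolidation")
        if any(s in sanctioned for s, _ in deposits):
            flags.append("sanctioned_inbound")
        if flags:
            findings[addr] = flags
    return findings

if __name__ == "__main__":
    for address, flags in screen_addresses(TRANSFERS, EXCHANGE_ADDRS, SANCTIONED_ADDRS).items():
        print(address, flags)
```

Combining both flags on one address, as with the constructed `BROKER_X`, is the cross-referencing case: an apparent OTC broker that also has direct sanctioned exposure.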
The path forward
While terrorist groups still prefer traditional financing methods, their experimentation with virtual assets is evolving. As more conversion options emerge in jurisdictions where these groups operate, the risk will only grow, especially if authorities don’t monitor and regulate these intermediary services.
The good news? Blockchain’s transparency, combined with advanced analytics, makes detection possible. Our investigation into Hamas’s Shadow Unit succeeded because we could trace funds through the blockchain and identify the services facilitating conversions.
For financial institutions, crypto exchanges, and law enforcement agencies, the message is clear: understanding these intermediary services isn’t optional—it’s essential for disrupting terrorist financing in the digital age.
Our blockchain analytics platform helped uncover these terrorist financing networks. We can help you investigate suspicious transactions, conduct due diligence on nested services, or build stronger compliance programs.