Iran's leader Ali Khamenei, crypto coins

The crypto path: How terrorist organizations finance their activities under the radar

Terrorist organizations use thousands of digital currency wallets and unregistered crypto exchanges through Iranian banks to conceal their funding sources. New research reveals that as of 2021, about 5,000 crypto wallets have transferred at least $7 billion without any response from enforcement authorities.

Some crypto asset paths are clearer, some less so. But in the unique case of terrorist financing, the path usually starts with Iranian banks, some of which work directly with Iranian crypto exchanges. One of them, Nobitex, the largest in Iran serving about 5.4 million users, explicitly states on its website that it allows Iranians to invest in crypto despite the "shadow of sanctions" and counts among its important achievements "reducing the risk from the blocking of assets of Iranian users in foreign markets." Although evading sanctions is one of its best and clearest achievements, the company itself is not among those impacted by international sanctions, even though it is known today that the digital assets that enter through it later exit through other legitimate exchanges while bypassing the sanctions.
The path of terrorist finances is winding and the sophistication is increasing: from Iranian banks to local money changers in Turkey, the United Arab Emirates and other countries that do not suffer from international sanctions, who then purchase cryptocurrencies with the funds on regulated crypto exchanges, split the funds into small amounts and begin to move them through a branched network of thousands of wallets, moving repeatedly between exchanges and accounts until the source of the money is concealed.
Iran's leader Ali Khamenei, crypto coins
(Credit: Reuters)
For example, one of the crypto wallets seized by Israel last May after it was identified as linked to terrorist activity, with the suffix DW3WY, has existed for the past year and, before the sanctions, interacted with 653 other crypto wallets. According to a new study by the research company Xplorisk, only 14 of the wallets made it to the Israeli blacklist, even though a closer look raises a fundamental concern that other wallets are taking part in the terrorist chain.
For example, a crypto wallet with the suffix EBprx received $882,000 in 14 different transfers from DW3WY and more than a million dollars from ten other wallets that are on Israel's blacklist. EBprx itself remains active without any sanctions and since Hamas’ attack on October 7 has received another $3 million from various sources. In the same way, the fbYjM wallet received no less than $14 million from the DW3WY wallet in 126 different transfers in the last 12 months. fbYjM is associated with the Binance exchange, apparently a regulated exchange that complies with the rules of international sanctions, which could freeze all funds with the push of a button if required to do so.
Xplorisk, which operates as part of MasterCard and Enel X's FinSec incubator, claims to have identified about 5,000 wallets that slipped under the radar of enforcement bodies and that have transferred about $7 billion between them since 2021. Although part of this amount includes repeated transfers, and many wallets participate in the money laundering project without their owners knowing it at all, it is still a high level of activity, especially considering that what draws the most public attention on the subject today is the crowdfunding projects of terrorist groups on social networks. These campaigns are open and public on social media networks such as Telegram, in groups like GazaNow with hundreds of thousands of users. They are quickly frozen, only to pop up again and again. Snir Levi and Shiran Kleiderman, the founders of Xplorisk, call engaging in these projects "distractions."
"These are smoke screens," Kleiderman stated. "On Telegram, everyone is chasing it, wasting time, but a lot of money flows through the back door." Levi added: "There is no logic in accepting donations in crypto when everyone can see there is nothing here."
Small transactions so as not to arouse suspicion
Reuters revealed that between 2018 and 2022, the world's largest crypto exchange, Binance, processed transactions amounting to $7.8 billion from the Iranian Nobitex, sanctions or no sanctions. This relationship is also described in an indictment against Binance and its founder on suspicion of money laundering filed this year in New York. The same indictment states that Binance was aware that some of the transactions it processed were for Hamas. In internal correspondence revealed in the legal documents, a senior company official stated that "it's fine," and that terrorists usually send "small amounts." A colleague of his replied that he "could hardly buy an AK47 (assault rifle) with $600."
$600 may not be enough to buy an assault rifle, but the two executives from Binance were wrong to assume that small amounts indicate something about the scale of the transactions. The small volumes are designed not to attract the attention of the platforms and enforcement authorities, and sometimes the cryptocurrency issuers themselves. For example, three crypto wallets against which Israel issued a seizure order last July due to their connection to the Palestinian Islamic Jihad, sent over the course of a year approximately $2 million cumulatively to one crypto wallet (L3AKc). They did this using 6,661 intermediaries, only seven of which were accounts that later found their way to the Israeli blacklist.
In total, in the seizure warrants published by the Ministry of Defense this month, approximately 660 accounts were seized in crypto exchanges, 98% of which were Binance accounts. "Money comes in and out quickly," Levi explains, "despite the large amounts that pass between the wallets, they don't hold millions of dollars at one point in time, it always acts as a conduit so that they don't recognize that there are large balances in the wallet and that they don't accidentally block it."
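The two signals described above, funds received directly from blacklisted wallets and a wallet that passes money on without holding a balance, can be combined into a simple screening rule. The following is an added example, not code from Xplorisk or the article; the ledger, wallet labels and thresholds are constructed assumptions, and it looks only one hop out from the blacklist.

```python
from collections import defaultdict

# Constructed sample ledger: (day, sender, receiver, amount_usd).
# Wallet labels are made up and do not correspond to real addresses.
TRANSFERS = [
    (1, "LISTED_A", "W1", 60_000), (1, "W1", "W2", 59_000),
    (2, "LISTED_A", "W1", 65_000), (2, "W1", "W3", 64_500),
    (3, "LISTED_B", "W1", 70_000), (3, "W1", "W2", 70_500),
    (1, "LISTED_B", "SHOP", 900), (2, "CUST1", "SHOP", 40_000),
    (4, "CUST2", "SHOP", 55_000), (5, "SHOP", "SUPPLIER", 20_000),
    (2, "W2", "EXCH_DEPOSIT", 59_000), (3, "W3", "EXCH_DEPOSIT", 64_000),
]
BLACKLIST = {"LISTED_A", "LISTED_B"}

def wallet_profiles(transfers, blacklist):
    """Per-wallet inflow, outflow, peak balance and exposure to listed senders."""
    prof = defaultdict(lambda: {"in": 0, "out": 0, "bal": 0, "peak": 0,
                                "listed_in": 0, "listed_senders": set()})
    for _day, src, dst, amt in sorted(transfers, key=lambda t: t[0]):
        s, d = prof[src], prof[dst]
        s["out"] += amt
        s["bal"] -= amt
        d["in"] += amt
        d["bal"] += amt
        d["peak"] = max(d["peak"], d["bal"])
        if src in blacklist:  # direct (one-hop) exposure only
            d["listed_in"] += amt
            d["listed_senders"].add(src)
    return prof

def flag_conduits(transfers, blacklist, min_exposure=100_000, max_retained=0.05):
    """Unlisted wallets with large listed inflow that keep almost none of it."""
    flagged = []
    for wallet, p in wallet_profiles(transfers, blacklist).items():
        if wallet in blacklist or p["in"] == 0 or p["listed_in"] < min_exposure:
            continue
        retained = (p["in"] - p["out"]) / p["in"]  # share of inflow still held
        if retained <= max_retained:
            flagged.append({"wallet": wallet, "listed_in": p["listed_in"],
                            "listed_senders": len(p["listed_senders"]),
                            "peak_balance": p["peak"],
                            "retained": round(retained, 3)})
    return sorted(flagged, key=lambda f: -f["listed_in"])

if __name__ == "__main__":
    for hit in flag_conduits(TRANSFERS, BLACKLIST):
        print(hit)
```

Because many wallets take part in such chains without their owners' knowledge, a hit from a rule like this is a lead for analyst review, not proof of involvement.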
The fear of blocking applies not only to wallets or accounts, but also to the digital currencies that are in them. The largest stablecoin in the world, USDT issued by the company Tether, is used today as the main currency for transferring funds for terrorism and various activities associated with it. USDT is a cryptocurrency that is pegged to the price of the US dollar and has the highest volume of any cryptocurrency in circulation, two features that make it more desirable for terrorist organizations. A report by TRM Labs found that until they started issuing the currency in 2017, Bitcoin was the default currency for all terrorist organizations; today it is USDT.
The terrorist organizations also have a preferred network, TRON, which was established at the peak of the first crypto hype in 2017, and since then has positioned itself as the preferred network for terrorist transactions, drugs and other crimes: 92% of all terrorist financing is done on this network. Every one of the 40 crypto wallets seized in the last month was on the TRON network and contained USDT. All the currencies that passed through the sanctioned wallets were USDT.
The use of USDT comes with a danger: the company that issues and controls the coins can also block them if, for example, they are stolen or identified as having been used illegally. On October 16 of this year, Tether announced that it had frozen coins worth $873,000 across 32 wallets related to terrorism and warfare in Israel and Ukraine, following cooperation with Israel’s National Bureau for Counter Terror Financing (NBCTF). Tether has limited the asset-sending function.
For Dr. Udi Levy, former head of Mossad's Economic Warfare Division, the Israeli sanctions are not a key to success. "They are not respected anywhere in the world," he says, "I have no answer for that. Just because we declare a certain sanction doesn't mean a body like Binance will honor it. Almost no bank in the world looks at the Israeli lists."
This makes everything more complicated. It's not just thousands of wallets that automatically issue transfer orders for millions of dollars to confuse their origin. Some also include legitimate exchanges, users whose identity has been stolen and others who hide or mislead about their identity, the country they operate from or the system of laws they are subject to. For example, $65.2 million found its way from three crypto wallets seized by the Israeli Ministry of Defense last July to one crypto wallet that poured all these funds directly into the main account of a crypto exchange called ZixiPay. Of these funds, $47 million came from just one wallet (mhpf). Another $10 million reached the main account at ZixiPay through more intermediaries. All these funds circulate in one account and go to accounts in regulated exchanges, where they can easily be converted into dollars. ZixiPay has an application that can be easily downloaded from anywhere in the world on Google Play and the App Store, and opening an account on the platform does not require the "Know your Customer" (KYC) procedure, a basic procedure that every regulated company that observes the anti-money laundering rules is required to do.
A billion dollars passed through a company without registration
The conduct of the ZixiPay exchange is confusing. The company's website states that it is subject to Swiss law and on its Telegram page, which was opened in 2020, it defines itself as "technology made in Switzerland," but a Calcalist investigation found that an entity under its name is not in the Swiss records. The owners of the company's website domain are confidential. A reference to the company can be found on the website of the payment platform CyberBTC, where a June 2018 announcement notes a cooperation with ZixiPay, which has the same logo and website as the one advertised online today but is registered as a payment service under Georgian supervision. A search in the records of the Georgian Central Bank reveals that the company was indeed registered under the name Ziqsipay, but this registration was canceled in June 2019 and the company went into liquidation proceedings shortly after. CyberBTC, which also creates the impression of an empty shell, states that it is a subsidiary of a Swiss financial company, but this too does not exist in the Swiss records except as a financial company that has been on the blacklist of the Swiss Financial Market Supervisory Authority (FINMA) since 2013. CyberBTC's few posts concern the announcement of the cooperation with ZixiPay.
In the last three years, ZixiPay has processed transactions worth a billion dollars. Of these, Xplorisk explains, 7% came from wallets under Israeli sanctions. A billion dollars is a respectable figure for a company that not only has no Swiss registration or valid registration in Georgia, but also has no web presence, a shockingly unusual thing for the online crypto community. Its Twitter page has 35 followers and on Facebook (where it is also inactive) it has eight reviews, which a brief check confirms were written by bots. Who, then, are the customers who find their way to a company that does not advertise its activities? An examination of the website traffic of ZixiPay and CyberBTC in recent months shows that there is almost no user traffic to the websites, and they mainly refer to each other. How can a company process a billion dollars in transactions with no record of it? These are the advantages of the crypto market. "If a company does not use cash or bank accounts, it may not be registered," Kleiderman points out. "If it only receives and processes crypto, even if it takes a stake for itself, it may not be registered. There are hundreds of companies without a legal entity, they do not exist at all. That's the problem."
The sophisticated approach to cryptocurrency trading is based on a long documented history of digital currencies being used to finance terrorism. Back in 2014, ISIS turned to crypto to finance their activities. In 2021, a senior Hamas official told the Wall Street Journal that "our fundraising strategies continue to evolve as more restrictions are imposed on us." So even though terrorist financing is a tiny part of the crypto market, between a mere 1% and 1.5% of the market, the sums of money are large enough for the issue to continue to be a concern for the enforcement authorities. Within the crypto market, which in any case serves anonymity, the sophistication of terrorist organizations such as Hamas also increases. With this type of activity, law enforcement agencies face extraordinary challenges that require cross-border cooperation and also include private partnerships to thwart terrorist financiers from taking advantage of the speed and reach of the crypto market. "The state is doing and trying as much as it can," notes Kleiderman, "but a real-time monitoring system needs to be built, not just after the fact."
In two years the NBCTF has issued 7 seizure warrants for crypto
Since 2021, the National Bureau for Counter Terror Financing of Israel has issued seven seizure warrants for crypto assets that have reached, among others, money changers (Hawala) and stock exchanges in Gaza. This activity is perhaps the largest and most significant in the world when it comes to the fight against terrorist financing through crypto. The Israeli enforcement agencies were able to identify exit points of the digital assets through intelligence, even after the various organizations worked to hide their activities in a certain volume of legitimate activity. However, the use of exchangers through unregulated crypto platforms, the ease with which crypto wallets can be opened and the identity of their owners hidden, and the routing of all funds through mixers have made enforcement against these money transfers extremely difficult.
Meanwhile, the key to greater success is still missing: multinational coordination, and the definition of international standards for the crypto market, like those of the traditional global financial system. Although the global banking system also suffers from money laundering problems, the crypto market is much more porous and there is not even a broad consensus on the manner or the authority that should supervise it. The country leading the way today is the United States, which in the last two years has been working to identify and close as many loopholes as possible. Among other things, the state put one of the major mixer developers on trial, classified the technology as a rule as "a known means of money laundering" and filed indictments against various stock exchanges that apparently facilitate money laundering.