On October 17, 2023, Binance blocked 100 accounts linked to Hamas, the terrorist group that launched a surprise attack on Israel. This action comes on the heels of blocking 190 accounts also linked to Hamas just one week earlier. These actions rightfully drew concern from the media and public: To what extent are terrorist groups in general and Hamas in particular transacting with cryptocurrency?
This question is a complex one that merits a comprehensive analysis. In this article, I will begin by overviewing why terrorist groups have turned to cryptocurrency, document notable trends drawn from Merkle Science data, and forecast how integral digital currencies will be to the group’s future in light of counter-action from law enforcement agencies and blockchain forensics companies.
Terrorist organizations like Hamas use cryptocurrency for a variety of financial purposes, such as money laundering and soliciting donations. It is easier to move such illicit funds through cryptocurrency due to the non-custodial nature of DeFi. Unlike VASPs where legitimate users transact, there is an absence of KYC and AML regulations in DeFi, giving terrorists greater freedom with which to transact.
To further enhance the non-custodial nature of DeFi, bad actors also use anonymity-enhancing technologies. For example, the Lazarus Group is a cybercrime group sponsored by North Korea that has orchestrated multiple ransomware attacks and hacks, such as Alphapo, Atomic, CoinEx, and Stake.com. Despite being sanctioned, the Lazarus Group is then able to launder the spoils of their crimes through crypto. They will commonly use mixers and token swaps to different chains to obfuscate tracking.
Other sanctioned groups have even more complex obfuscation techniques. One involves creating extremely long, multiple peel chains and then breaking the funds into multiple addresses, before finally merging the peeled funds to a single address, which may serve as the cash-out point. Some groups may even employ spycraft for further privacy: One user might hand over a wallet’s private key to another person in lieu of cash over meet-ups.
This is another appeal of cryptocurrency for terrorist groups and other bad actors: There are many cash-out points in sanctioned jurisdictions like Russia and Iran, where international authorities cannot freeze funds. There, bad actors can use exchanges without mandatory KYC and AML policies as exit nodes for laundered funds.
Of course, the best way to truly understand the extent to which cryptocurrency appeals to bad actors is to look at the actual numbers. While cryptocurrency is typically used as a monolithic term when referring to illicit funds, bad actors have clear-cut preferences for specific coins as revealed by blockchain forensics. Analysis of our data at Merkle Science has revealed a major shift from Bitcoin and Ethereum Virtual Machine (EVM) to Tron, a much faster cryptocurrency blockchain.
As we can see from year-on-year transaction volume on the Tron network, concern over the use of cryptocurrency to evade sanctions is warranted. 34.1% of these transactions in fact are linked to sanctioned entities with the Lazarus Group, and the volume of sanction-related transactions grew by an incredible 556% from 2021 to 2022.
While the trend reversed in 2023 as sanction-related transaction volume declined by 98.3% compared to 2022’s figures, it is less significant than we would have liked. It is also worth noting that the 2023 data only goes up to Q2, leaving it unclear how Tron will trend for the rest of the year.
From 2020 to Q2 2023, a majority (59.4%) of illicit Tron transactions were associated with extremist factions, particularly Hezbollah and Al-Qassam Brigades, both of which are affiliated with Hamas. Al-Qassam Brigades is the military wing of Hamas, while Hezbollah is a close ally of Hamas and is also supported by Iran. Focusing solely on Hezbollah's activities, a substantial escalation was observed with a 648% growth in transaction volumes from 2021 to 2022. These volumes grew by 89% in 2023 compared to the prior year’s volumes.
This data may make it seem like the sky is falling, and terrorist organizations will use cryptocurrency to bring down the rest of the world. It is thus crucial we keep this data in context. Cryptocurrency is only one of several avenues that bad actors use for their financing. Terrorist groups also rely mostly on cash due to their lack of a digital footprint that authorities can follow, and they may occasionally also use the age-old Hawala system and even elusive donation boxes.
In comparison to cryptocurrency, those alternatives for moving illicit funds may become the increasing preference for terrorist organizations and other bad actors. As seen by the recent seizure by Binance, law enforcement agencies - in collaboration with blockchain forensics companies - are becoming more sophisticated in tracking funds, freezing them, and ensuring that perpetrators are brought to justice. In April, Hamas even announced that it will no longer be accepting donations in crypto most likely due to the increased scrutiny it brings to their finances. Other bad actors may follow suit behind closed doors. The upswell in illicit Tron transactions over the last few years may represent its final gasp before it flatlines for good.