Uncover the story behind the 'Biggest Heist Ever' — a gripping new Netflix documentary! Watch the trailer.

In Wake of Moscow Attack Understanding ISIS' Use Of Cryptocurrencies

TRM InsightsInsights
In Wake of Moscow Attack Understanding ISIS' Use Of Cryptocurrencies

On March 22, 2024, armed men stormed a concert hall near Moscow, opening fire and reportedly killing over 130 people and injuring dozens more. Within hours ISIS claimed responsibility for the attack, although as of this writing, it has not specified which affiliate was involved. According to ISIS’ Amaq News Agency:

“The attack was carried out by four attackers who were armed with machine guns, a pistol, knives and incendiary bombs, and was preceded by an intensive surveillance operation of the place…the fighters stormed the hall and three of them began shooting at the crowd, while the fourth fighter was busy setting fire to the hall using incendiary bombs that had been prepared in advance for this purpose.”

Image: ISIS’ Amaq agency publishing images of alleged attackers

However, ISIS’ affiliate in Afghanistan, known as Islamic State Khurasan Province (ISKP) is believed to be the main suspect given its central role and connections to pro-ISIS groups in Central Asia. The attack also fits its anti-Russian rhetoric (it had previously threatened to attack Russia) and its goals of expanding its reach beyond Afghanistan. In the days preceding the attack, the United States had warned Russia that ISIS was determined to strike the country. Furthermore, Russian authorities had allegedly foiled an attack by ISKP against a Synagogue in Moscow.

Following the attack, Russian authorities arrested four individuals, three of whom were of Tajik origins. According to multiple intelligence services, ISKP has focused on recruiting Tajik nationals. Despite the fact that ISKP’s involvement has not been officially confirmed, the group did release an infographic threatening Russia if they abused the captives.

Recently released ISKP infographic warning Russia not to harm arrested members

Notably, over the last few months, ISKP has been linked to several attacks (and foiled attempts) in multiple countries including Germany, Turkey and Iran.

According to the US Department of Treasury’s 2024 National Terrorist Financing Risk Assessment, ISKP serves as a regional hub that transfers funds to financial facilitators, in addition to providing personnel and weapons to support external operations. While cryptocurrencies are still a small piece of a much larger terrorist financing puzzle, US national security agencies and global partners are taking a deeper look at the way ISKP finances its operations including the use of cryptocurrency.

ISKP’s Use of Cryptocurrency

According to the US Department of Treasury, ISIS has increasingly used virtual assets service providers to finance its subordinates in central and south Asia. Furthermore, a 2023 report by the UN noted that ISKP was receiving tens of thousands of dollars in cryptocurrency monthly from ISIS’ al-Karrar office in Somalia.

Since at least 2022, ISKP has been using cryptocurrency to receive donations and move funds. TRM Labs identified multiple Bitcoin, Ethereum and TRX (Tron) addresses controlled by ISKP’s media unit, the al-Azaim Foundation for Media (AFM). AFM promotes ISKP ideology and militant activity in Afghanistan, Pakistan, Tajikistan and beyond, publishing content in at least ten languages including English, Russian, and Urdu.

In October 2023, AFM launched its inaugural donation drive with privacy coin Monero as the chosen currency.  First announced in the group’s newsletter, “Voice of Khurasan,” the donation drive has become a regular occurrence. 

Image: ISKP soliciting Monero donations in their Voice of Khurasan magazine

OFAC Sanctions

In July 2023, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated key ISIS leaders and financial facilitators including ISKP operatives. In addition to the individuals and entities sanctioned, OFAC added a USDT address associated with Ali Shafiu, a Maldivian national, who in 2018, according to OFAC, traveled through Pakistan to Afghanistan to join ISKP. According to OFAC, Shafiu, as recently as 2022, was a part of ISKP’s’ media office, was the Maldivian representative to ISKP’s leadership in Afghanistan.

Notably, the address associated with Ali Shafiu has on-chain connections to addresses that TRM has linked to the ISKP and ISIS’ affiliate in Pakistan (ISPP).

ISIS and Pro-ISIS Groups Use of Cryptocurrencies

Over the last few years, TRM has identified a number of ISIS and pro-ISIS fundraising efforts in cryptocurrencies, including multiple focused on recruiting Tajik nationals. In August 2023, Turkish police arrested a Tajikistan national associated with ISKP for operating a fundraising and recruiting campaign. In that case, TRM Labs provided intelligence to Binance which led to the arrest of two individuals in Tajikistan and enabled Turkish authorities to arrest Shamil Hukumatov, the senior ISKP fundraiser allegedly behind the fundraising campaign.

TRM graph showing funds from an ISKP recruiter to Binance where authorities were able to seize funds and disrupt network

TRM has identified fundraising campaigns for ISIS members and families detained and held in internment camps in Syria, on-chain evidence that pro-ISIS networks in the Philippines, Indonesia, Pakistan and Afghanistan have used cryptocurrencies to help conduct their activities, and other terrorist financing trends related to ISIS and pro-ISIS use of cryptocurrencies for fundraising activity. 

Five years since the fall of ISIS’s physical caliphate, it is clear that the group, while more decentralized, is still able to carry out deadly attacks. As national security agencies look to cut off sources of financing, understanding the ways in which ISIS and other terrorist networks raise funds is critical. While crypto remains a small piece of the larger terror financing puzzle, ISIS and other groups will continue to leverage new technologies to raise and move funds.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.