Terrorist Use of Virtual Currencies

Introduction

In the past several years, terrorist groups in Gaza have solicited support in Bitcoin; there are isolated reports that ISIS has used the cryptocurrency; and cybercriminals use it and other virtual currencies in a range of circumstances. We cannot yet know whether the uses of virtual currencies by terrorist groups amount to isolated incidents or foretell a broader and more pernicious trend.² Individual incidents in which lone terrorists or terrorist groups use VCs of course pose a challenge. This is particularly so because the funding requirements for disruptive lone wolf acts of terror are small enough to pose a risk because they may slip through a counterterrorism financing system that struggles to stop small-scale acts of such financing regardless of the medium. But VCs become a strategic threat in the counterterrorism context only when they can compete with cash and other readily available means of financing and achieve “scale,” which in this paper signifies a combination of market capitalization, liquidity, convertibility, and network effects that add up to ease of use. Scaled use of VCs by illicit actors poses a particular challenge and exacerbates the underlying threat posed by criminal or terrorist activity because it makes illicit funding networks harder to disrupt. And the larger the stable funding supply for terrorist groups, the greater the scale at which the groups themselves can operate and the more they can engage in acts of violence. 

While VCs have many very important legitimate uses, certain characteristics also make them susceptible to abuse. Many, especially cryptocurrencies, protect or obscure identities, thereby making it more difficult for law enforcement to reveal and track those identities than traditional mechanisms of value transfer. Should terrorists adopt VCs at scale, therefore, it could become much more difficult to track and disrupt them.

A second reason it is important to understand the circumstances in which terrorist groups may wish to use VCs at scale is the global reach of such currencies. With certain virtual currencies, it is possible to transfer money instantly around the world without making use of institutions like banks, which require more transparency and have obligations to report suspicious transactions. Even centralized VCs may be accessible online anywhere in the world, so terrorists and criminals can take advantage of these currencies that have been set up in jurisdictions with less scrutiny. Potentially, such characteristics could effectively build a digital platform on top of established systems that currently allows terrorists, and others, to transfer cash on an international scale. Such an architecture would make it easier for terrorist groups to amass larger amounts of money than has generally been possible previously. 

Finally, the novelty and some particular attributes of VCs, such as decentralization, make them a particular regulatory challenge. Decentralized cryptocurrencies such as Bitcoin lack concentrated repositories of identifying information on account-holders, which law enforcement agencies typically use in financial crimes and counterterrorism investigations, but which are unavailable when dealing with many VCs. A more precise understanding of the threats and risks posed by VCs will help regulators to develop an effective and efficient governance framework to monitor for potential abuse. In turn, a successful framework will ultimately strengthen the global fight against terrorist financing and terrorism as a whole.

In the post-9/11 era, the international community has made significant progress in the struggle against terrorism generally, and in the struggle against terrorist financing specifically. In the counterterrorism context, “following the money” has been a particularly effective component of an overall strategy to degrade the capabilities of terrorist groups.³ One of the most significant victories has been the establishment of a global legal and policy framework—grounded in U.N. Security Council Resolutions, national legislation, and global standards—that, by blocking terrorist groups’ access to the formal financial system, has made it significantly more difficult for them to raise, move, store, and use funds.

However, recent evolutions in the terrorist threat, including the rise of ISIS and the continued importance of al Qaeda and its affiliates, have led the Financial Action Task Force (FATF), the intergovernmental standard–setting body for combating money laundering, terrorist financing, and other threats to the integrity of the international financial system,⁴ to note that “further concerted action urgently needs to be taken . . . to combat the financing of . . . serious terrorist threats” that have “globally intensified.” ⁵ 

Specifically, a number of challenges regarding terrorism and its financing remain. First, terrorist groups that control territory pose one of the most difficult strategic challenges that the counterterrorism community faces. When groups control territory, it is easier for them to plan and train without disruption. It is also easier for them to derive financial and material support from the local population (through taxation, extortion, or the extraction of natural resources) without having to rely on transfers of funds from external sources that are inherently more vulnerable to disruption.

A second strategic challenge pertains to individual lone wolf terrorists or cells that lack formal ties to any established group. This dynamic makes it more difficult to anticipate attacks with intelligence, because it is difficult to determine which unaffiliated individuals will perpetrate attacks. And because these attacks are relatively inexpensive to execute, it is more difficult to identify and choke off their sources of support. Terrorists such as those who carried out attacks in Orlando, Florida; San Bernardino, California; or Nice, France do not rely on associations with larger groups that require significant funds to sustain themselves. Therefore, they leave only trace financing “signatures” and are not easy to detect and disrupt under a global framework built for more established and less nimble threats.⁶ Addressing lone wolf attacks is a significant intelligence challenge for the counterterrorism community. And identifying the ways in which such attackers may use VCs to fund themselves is similarly a significant forensic and intelligence issue that may require the government to invest in new capabilities and to work more closely than it has in the past with private entities.

Despite significant progress in the global counterterrorist financing regime, gaps remain in implementation and coverage. The charitable sector, for example, is still vulnerable to abuse, and unlicensed money transmitters, cash smugglers, and criminal activity of all kinds are a source of support for terrorist groups, both in the United States and abroad.⁷ Furthermore, the global counterterrorism financing regime is more oriented toward identifying and degrading the ability of organized groups to function than toward the rising threat of independent attacks. When a terrorist in Nice, for example, can kill 86 people simply by renting a truck and driving it through crowds of revelers on Bastille Day, policy leaders must rethink the approach to counterterrorism that has been oriented primarily toward well-defined groups, as al Qaeda was before the 9/11 attacks.

Looking specifically at the counterterrorist financing risk for VCs, it does not appear that terrorist groups have yet used these currencies at scale, even while other criminal groups (specifically cybercriminals) have done so. Indeed, the U.S. government’s 2015 “National Terrorist Financing Risk Assessment” cited cash and the banking system as two of the most significant terrorist financing risks that the United States faces.⁸ The assessment described virtual currencies only as a “potential emerging TF [terrorist financing] threat,”⁹ and noted that “the possibility exists that terrorist groups may use these new payment systems to transfer funds collected in the United States to terrorist groups and their supporters located outside of the United States.”¹⁰ At the same time, the European Banking Authority classified as a high priority risk terrorist use of VC remittance systems and accounts.¹¹ More troubling is the potential for virtual currencies to “democratize” the funding of terrorism, allowing far-flung, disconnected individual donors to participate in TF networks.¹² So while terrorist groups are not yet using VCs at scale, a key goal of the policy and financial regulatory communities is to prevent that from happening by adapting measures to better track and prevent this threat. A more forward-leaning posture on financial information sharing and disclosure would benefit all stakeholders involved in addressing terrorists’ use of VCs and illicit financial activity more broadly. 

Terrorist groups have not yet adopted VCs at scale, but cybercriminal networks have. There are several reasons criminal and terrorist groups have behaved differently with respect to the adoption of virtual currencies. One important factor surely is the degree of technological sophistication needed to use such currencies at scale. The criminal enterprises that have made extensive use of VCs are generally engaged in technically complex crimes such as the remote theft and sale of data (or significant narcotics trafficking), and they operate in areas that have at least reasonably well-developed financial and telecommunications infrastructures. 

Many terrorist groups, by contrast, operate in areas with poor infrastructure and low penetration of modern technical and telecommunications tools. This is true, for example, of al Qaeda in the Islamic Maghreb (AQIM) in the Sahel, al Qaeda in the Arabian Peninsula (AQAP) in Yemen, and, in some measure, ISIS in Iraq and Syria. And this dynamic illuminates a major obstacle to the adoption of VCs, even while terrorist groups take advantage of sophisticated technology in non-financial contexts. ISIS’s use of social media to recruit and propagandize¹³ and Hezbollah’s use of drones stand out as two prominent examples.¹⁴ Technologies like drones do not rely on network effects to be useful and can be provided (nearly) off the shelf and ready to use. Similarly, social media is available on the kinds of smartphones and websites that have been commoditized. Virtual currencies, by contrast, are more difficult to create (should a terrorist group try to do so), employ, and maintain. 

Of course, not all terrorist groups or their supporters contend with limited Internet access, computing capabilities, or knowledge of sophisticated tactics to evade regulatory detection of electronic money movements. This is one reason for the instances of terrorist groups using VCs, albeit in more limited ways. 

Terrorist networks and criminal groups also have different financial structures in which they do or may take advantage of virtual currencies. Cybercriminals often use VCs to buy or sell stolen data, for their exploits in online “dark web” markets,¹⁵ or for commercial transactions in illegal activities such as drug or weapons trafficking.¹⁶ There is less of a need for VCs to be convertible in that context because their users can simply recycle them for the next purchase. Cybercriminals located in Eastern European countries with poor records of law enforcement cooperation with the West can exchange VCs for fiat currencies in unregulated exchanges.¹⁷ Cybercriminals also often engage in extensive vetting of other purported criminals who wish to join online forums in which cybercrime activities take place; therefore they have some degree of confidence that their transaction counterparties can be trusted.¹⁸ This dynamic stems from the fact that the criminals are often repeat players who depend on the continued operation of the network for their activities.

Terrorist networks, by contrast, have a different “business model.” They often seek to move money from places outside the locations where they operate to the areas in which they plan and from which they launch attacks. Often they use many layers of intermediaries so that donors and ultimate recipients may not be known to one other. Or, in the case of lone wolf attackers, they scrape together funding from a wide range of sources. In either case, terrorists use the funds to buy things they need to sustain the group or to conduct attacks. And because they do so from the general economy, they often would need to reconvert the VCs they receive into fiat currency. This final step introduces both an unnecessary layer of complexity and an increased vulnerability to the disruption of their operations by adding additional actors and entities into the fundraising matrix.

Moreover, the virtual currency that has achieved the greatest market capitalization and penetration—Bitcoin—is only pseudonymous, not fully anonymous, as is commonly and incorrectly understood. The cryptographic addresses of the sender and the recipient of transactions are recorded; although they may not be linked to real-life identities, with enough investigative resources it may be possible to uncover the true identity of senders and recipients of Bitcoin transactions. This of course diminishes the allure of that means of transferring funds to terrorists. Notwithstanding its incomplete anonymity, Bitcoin remains dominant in the space. For example, Monero, a cryptocurrency that is more anonymous than Bitcoin, has a market capitalization of about $340 million; Bitcoin’s market cap is $17 billion.¹⁹

But the final—and most important—reason that terrorist groups have not adopted virtual currencies at scale is that these groups, and individual terrorist operatives, have not yet perceived the need to do so. They still find it possible to circumvent global rules governing terrorist financing with sufficient ease and frequency that using VCs is unnecessary. They exploit incomplete implementation of regulatory requirements and global standards at banks, use unlicensed and undersupervised money services businesses (MSBs), or simply cart around cash. As long as these value transfer methods are readily available, there is no great need to invest in new, complicated techniques to transfer value.

Therefore, the crux of the challenge that financial regulators and the counterterrorism community must confront with regard to virtual currency is one of monitoring and prevention: How will they know if and when terrorists begin to use VCs at scale? And how can they design the financial regulatory framework governing VCs to harness the positive uses to which they can be put while preventing them from abuse?

One of the most important factors in the ability of governments and other stakeholders to manage the risks posed by VCs is effective collaboration and communication. Three main categories of actors make up this ecosystem—financial institutions, the regulatory agencies that supervise them, and the law enforcement and intelligence community that target criminals and security threats. 

At present, tension among these constituencies prevents them from optimally monitoring and governing the use of virtual currencies. Fundamentally, law enforcement agencies and bank regulatory agencies have different authorities and use information from the private sector in different ways. They also have different approaches to the terrorist financing challenge. Whereas the mission of law enforcement officials is to halt terrorism, regulators are charged with ensuring that financing does not occur in banks that they supervise. Law enforcement agencies take data that they get from banks (often via the government’s financial intelligence unit, the Financial Crimes Enforcement Network, FinCEN, in the United States), combine it with other intelligence or evidence to improve their understanding of the threat landscape, and engage in further intervention—often a prosecution—to address it.²⁰ Regulatory agencies such as the Federal Reserve Bank or the Office of Comptroller of the Currency (OCC) and state-level regulators such as the New York State Department of Financial Services (NYDFS), by contrast, use information from the private sector to assess compliance with existing rules, and then undertake enforcement actions if necessary. These regulators also use private sector information to inform their view of changes that they or others may need to make to manage risk in the financial sector.

In the past decade, financial regulators responsible for supervising banks have imposed significant fines for violations of laws designed to counter illicit finance.²¹ As described later in this paper, these enforcement actions have inhibited the development of effective public-private collaboration in the governance of VCs, because they have generated a significant amount of uncertainty within banks. Such collaboration is critical to prevent virtual currencies from being abused for illicit purposes at greater scale, particularly by terrorist groups.

Two main trends stand in the way of greater incorporation of VCs into the formal financial system, which would help manage the risks inherent in the near-instantaneous and anonymous global transfer of funds. The first trend in the financial sector is the desire of banks to avoid high compliance-cost business activities, including in jurisdictions with poor regulation and a relatively high occurrence of illicit financial activity or sanctions evasion, or in dealings with high-risk types of clients.²² This trend has led many financial institutions to shed expensive-to-service accounts, correspondent relationships, and clients, and is commonly referred to as “de-risking.”²³ Virtual currencies have been caught in this trend. Businesses that deal extensively in VCs have found it difficult to establish relationships with the largest global banks because the businesses are often perceived as relatively risky and therefore too costly to take on.²⁴ As a result, VC businesses have had to conduct their banking operations at smaller financial institutions that do not devote as many resources to compliance as do large global banks, and that are less well regulated than large money center banks. This dynamic, in turn, increases the likelihood that VCs will be used for the conduct of illicit activity at a scale, posing a security threat. 

Virtual currency firms are also stepping into lines of business—such as cross-border remittances—that some large global banks are abandoning because of the perceived risk.²⁵ And the anti–money laundering (AML), combating-the-financing-of-terrorism (CFT) and sanctions-compliance system requires companies to establish customer identification programs, screen for sanctions compliance, and establish suspicious activity reporting systems. This rigor may be too expensive for small VC startup companies, which may therefore either collapse before they get off the ground or operate in an unregulated manner, thereby increasing the risk that bad actors may use VCs without detection.

The second broad trend that has made it more difficult to govern virtual currencies is the libertarian ethos that animates many of the individuals and entities involved in the creation and growth of the VC movement.²⁶ For many people, the most attractive dimension of VCs such as Bitcoin is the same one that makes it most difficult to govern—it serves as a store of value, unit of account, and medium of exchange that does not require the involvement of any large centralized government institutions or banks.²⁷ That means these kinds of VCs lack many of the features of national currencies that make them secure and trusted, and it makes them susceptible to abuse by criminals, terrorists, and fraudsters who want their financial transactions to be opaque. It also makes the currency volatile. A recent dispute among developers about one of the technical characteristics of the virtual currency led to a 20 percent decline in the value of Bitcoin over a single weekend.²⁸ Any system of regulation and governance for virtual currencies must contend with the fact that the developers who create many VCs do so in a manner designed to avoid control by centralized institutions of authority. 

So what is the way forward for the governance of virtual currencies? How do policy leaders ensure that terrorist groups do not migrate to them and simultaneously support their innovative contributions to the financial system? Part of the answer requires changes to the current AML regulatory system—reforms to be discussed in greater detail in this paper. Another path is to create incentives for VC businesses themselves to see that preventing abuse is in their commercial interests. This is because a greater number of people will participate in a market in which they have confidence—which, in turn, requires that the public perception of VCs be positive. It also requires ordinary people to feel as though VC exchanges—the gateways between the fiat currency systems and new systems—will protect them against fraud. As described in this paper, this dynamic is what ultimately induced PayPal to develop one of the most sophisticated fraud prevention systems available. Ultimately it is the way in which any disruptive new technology may achieve scale. 

The paper first describes contemporary methods of terrorist financing and the emerging virtual currency marketplace. Against this backdrop, the paper lays out strategies to better monitor terrorist use of VCs and adapt policies and regulations to guard against broader use. It concludes with specific policy recommendations to stakeholders.