Amid Resurging Terror Threats, Banks and VASPs Must Leverage CyFI to Fight Back

An April 2025 advisory issued by the Financial Crimes Enforcement Network (FinCEN) offers guidance to financial institutions on how to identify and report suspicious activity related to the financing of the Islamic State of Iraq and Syria (ISIS). The FinCEN advisory provides an insight-rich glimpse into the way Islamic terrorist organizations are incorporating financial technology (fintech) and digital assets into their funding operations.

Given the Trump administration’s sharp focus on combatting terrorism globally, it is crucial for financial institutions (FIs) to take heed of FinCEN’s advisory and other recent terrorism financing (TF) risk alerts. From the Middle East to Latin America, the U.S.’ transformed defense objectives have proportionally redefined the compliance risk calculus for FIs globally.

According to FinCEN, “ISIS is a Sunni terrorist organization that has conducted and inspired terrorist attacks worldwide for more than a decade, killing or injuring thousands of people.” ISIS, “which separated from al-Qa’ida (AQ) and declared itself a caliphate in 2014, remains a regional and global threat,” according to the FinCEN advisory. The resurging ISIS threat has gained additional momentum in the wake of former Syrian President Bashar al-Assad’s ouster from power in December 2024.

Additionally, a January 2025 report authored by the Institute for the Study of War said ISIS has “gradually rebuilt its capabilities since 2022 in the central Syrian desert—where regime forces infrequently and ineffectively patrolled—and gradually infiltrated then-regime-held towns along the Euphrates River.”

In fact, the U.S. Intelligence Community’s Annual Threat Assessment, published in March 2025, asserts that ISIS “will seek to exploit the end of the Asad regime in Syria to reconstitute its attack capabilities, including external plotting, and to free prisoners to rebuild their ranks.”

Despite the reported dwindling of ISIS’ liquid assets to some figure between $10 million and $20 million, the FinCEN advisory noted the increasingly sophisticated and cyber-enabled methods that the organization uses to source and transfer terror-nexus funds.

Furthermore, ISIS is already “exploiting the post-Assad situation in Syria to continue its slow reconstitution in central Syria,” according to the ISW. The ISW also noted that the Assad regime’s “sudden collapse has provided ISIS an opportunity to seize large weapons stockpiles on former Assad regime bases throughout the desert.”

Furthermore, the reemergent ISIS threat has metastasized far beyond the borders of the Syrian conflict zone. The ISW report noted that ISIS has “taken advantage of weak states and poor governance in Africa to establish growing affiliates that control territory, support the IS global network, and bolster IS propaganda narratives.” The FinCEN advisory noted that ISIS has affiliates in Somalia, Libya, West Africa, the Sahel, the Democratic Republic of the Congo, and Mozambique.

Additionally, FinCEN said ISIS “maintains a presence in Central, South, and Southeast Asia.” However, these “affiliates vary in their goals, tactics, leadership structures, and threat profiles,” according to FinCEN. FinCEN also said that ISIS continues to attract foreign terrorist fighters (FTFs), but their “recruitment efforts have become much more regional, reflective of the organization’s broader trend towards regional autonomy and decentralization.”

Nevertheless, “last year’s mass casualty attacks in Iran and Moscow by ISIS’s branch in Central Asia, known as ISIS-Khorasan (ISIS-K), as well as the 2025 New Year’s Day attack in New Orleans, carried out by an ISIS-inspired homegrown violent extremist (HVE) demonstrate that the ISIS threat” remains urgent worldwide, according to FinCEN.

Beyond ISIS, recent Treasury sanctions aimed at the Houthis, a Yemeni Shia Islamist terrorist organization, further illuminate how these types of radical extremist groups leverage fintech payment rails like virtual assets to finance their operations. In the following blog post, Resecurity will discuss some of the cyber-enabled TF tactics, techniques, and procedures (TTPs) identified by the recent FinCEN advisory and Office of Foreign Assets Control (OFAC) announcement.

The objective is to educate financial crime compliance (FCC) professionals about the rapidly evolving digital savvy of TF networks and how they can leverage Resecurity’s cyber-enabled financial intelligence (CyFI) capabilities to mitigate these emerging risks.

ISIS Funding Techniques

When ISIS controlled territory in Iraq and Syria, the group was able to “fund itself and its affiliates by exploiting oil and other natural resources, taxing and extorting local populations, kidnapping for ransom, and selling looted antiquities,” noted FinCEN. However, ISIS’ access to natural resources was cut off in Iraq and Syria after it lost territory in 2019, FinCEN said. The group’s ability to tax and extort local populations was significantly diminished, though not fully eliminated.

Today, ISIS in Iraq and Syria and its global affiliates “fund themselves through a combination of taxation and extortion of local populations and businesses, resource extraction, kidnapping for ransom, crowdfunding, and donations, depending on the region,” according to FinCEN.

Regarding cyber-enabled fundraising and payment obfuscation schemes operationalized by ISIS, FinCEN highlighted the following TF typologies:

  • Crowdfunding and donations
  • Digital assets
  • Loan and credit card fraud
  • Fraudulent humanitarian appeals
  • Banks/Hawalas/MSBs

Crowdfunding and Donations

Ever adaptive and digitally savvy, ISIS often “solicits donations through its official websites and publications, and on social media platforms,” casting a wide crowdfunding net for “sympathizers around the world,” according to FinCEN.

FinCEN also noted that terror sympathizers have “taken it upon themselves to raise funds for ISIS, coordinating donation drives through encrypted mobile applications,” citing a Federal Bureau of Investigation case from 2022. Furthermore, FinCEN said that donations from supporters are typically “derived from legal sources, such as personal savings,” which can make it difficult to identify malign fund flows.

The FinCEN report further noted that terror-nexus funding contributions are often “collected in a centralized bank account, peer-to-peer (P2P) platform account, or digital asset wallet either belonging to the coordinator of the fundraiser or to a nominee, usually a friend or family member.” Once the funds are collected, money may be “sent to ISIS members in the form of digital assets, wired abroad through a fiat MSB, or withdrawn in cash and passed to couriers who deliver the money to ISIS members abroad,” according to FinCEN.

For FIs, these TF methods highlight the importance of rigorous and region-specific web intelligence (WEBINT) collection, which is essential to identify and navigate digital environments that host fundraising campaigns of this nature. This framework is particularly relevant given the borderless nature of online donations.

The FinCEN advisory spotlighted the activities of ISIS-K, which has “frequently published posters in its flagship magazine, the Voice of Khorasan, that contain QR codes that enable supporters to send donations using virtual currency.” According to the Office of the Director of National Intelligence, ISIS-K was “formed in 2015 by members of militant groups—including Tehrik-e Taliban Pakistan and the Islamic Movement of Uzbekistan—who pledged allegiance to ISIS.”

The ODNI said ISIS-K aspires to “establish a province in ISIS’s self-proclaimed caliphate by controlling territory in “the Khorasan,” referring to Afghanistan and parts of Pakistan, Central Asia, and Iran.” Notably, ISIS-K financed the 2024 Crocus Hall terror attack in Moscow in part by transferring at least $2,000 in virtual currency to the gunmen, according to the U.S. Treasury.

Digital Assets

FinCEN said that ISIS and its affiliates have increasingly “adopted digital assets, including virtual currency, as a means of storing and moving funds.” In 2023, the United Nations reported that ISIS’s Al-Karrar office sent up to $25,000 to ISIS-K in virtual currency each month.

Furthermore, FinCEN said that ISIS has used “Bitcoin as well as stablecoins like Tether (USDT) to raise and move funds but has also promoted fundraising campaigns using the blockchains Ethereum, Monero, and Tron.” Virtual assets have been “sent directly to ISIS supporters located in northern Syria, often to Idlib, or indirectly via Türkiye, where ISIS is able to access them through virtual asset trading platforms,” according to FinCEN.

Turkey is a particularly vital node in ISIS’s funding operations. Since 2014, ISIS has “invested funds in legitimate commercial businesses such as real estate and automobile dealerships,” according to the Combating Terrorism Center at West Point. However, the CTC noted that the “bulk of the group’s residual and liquid assets are reported to have been transferred to Turkey, some in cash but a portion in gold.” Additionally, broader crypto adoption is exceptionally high in Turkey relative to the rest of the world, with 50% of the population having invested in crypto at some point, according to Kaiko Research estimates.

ISIS-K is particularly prolific in Turkish crypto TF, according to the CTC. The group has “used Tether to receive funds, and recent attacks and arrests suggest a broad use of cryptocurrency by the group and its supporters,” noted the CTC. The CTC also said that “some of these funds are believed to transit through virtual asset exchanges in Turkey,” where ISIS-K can “convert cryptocurrency into cash and other monetary instruments with relative ease and impunity.”

To this end, “ISIS takes advantage of virtual currency exchanges with lax or non-existent AML/CFT controls to send, receive, and convert these funds,” according to FinCEN. Turkey has responded to concerns about heightened TF risks in its domestic crypto industry by introducing new crypto anti-money laundering regulations in December 2024. Under this new crypto AML regime, “users executing transactions of more than 15,000 Turkish lira ($425) will be required to share their identifying information with the country’s crypto service provider,” according to CoinTelegraph. The law came into force in February 2025.

Regarding ISIS-K’s crypto fundraising operations, these campaigns “employ diverse techniques to collect and launder virtual currency, including addresses shared among campaign members, rapid fund transfers between largely unhosted addresses, temporary addresses, cross-blockchain movement, asset conversion, and various systems for converting virtual currencies into cash,” according to FinCEN.

According to blockchain tracing firm Elliptic, unhosted addresses – “also referred to as “self-hosted” wallets – are cryptoasset wallets that allow private users to exercise full control over their funds.” These addresses “contrast to hosted wallets, which are crypto wallets held by third parties – usually regulated virtual asset service providers (VASPs) or financial institutions – that can access and control users’ funds,” according to Elliptic.

Elliptic also said “unhosted wallets are the subject of scrutiny from anti-money laundering and countering the financing of terrorism (AML/CFT) regulators, who worry that they present elevated financial crime risks in cryptoasset transactions.”

Loan and Credit Card Fraud

Unlike money laundering-related suspicious activity, most funds underlying ISIS-nexus funding transactions do not originate from illicit predicates. However, FinCEN noted that some ISIS-nexus funds have also been “generated by illicit means such as fraudulently obtaining large numbers of loans or credit cards.” Typically, these frauds are staged via the use of stolen or synthetic identities, which criminal terrorist sympathizers exploit to obtain loan funds or credit cards.

In fact, synthetic ID fraud (SIF), where fraudsters use a combination of real and fictitious data points to create non-existent yet credit-worthy personas, was the fastest-growing form of fraud perpetrated in 2024, according to a report published by credit bureau TransUnion. TransUnion also said, “Total lender exposure for credit card and consumer loans in the US attributed to synthetic identities are at their highest point since TransUnion began tracking, reaching $2.9 billion in H1 2023.”

Furthermore, many of the real data markers used in SIF schemes originate from data leaks plastered across the Dark Web, where threat actors attempt to monetize personally identifying information (PII), including social security numbers (SSNs) and other key identifiers, stolen from organizations and individuals. The TransUnion report found that data breaches in the U.S. “increased 15% year over year in 2023, with 54% of consumers across 18 countries and regions reportedly targeted in online, email, phone call or text messaging fraud attempts from September to December of last year.”

Thus, SIF schemes and broader non-synthetic credit card fraud (carding) financing streams represent another typology where FIs could benefit from leveraging Resecurity-powered CyFI. This capability can help financial intelligence units (FIUs) identify customer accounts that may be at higher risk of fraud-enabled TF activity.

Humanitarian Fraud

FinCEN also noted that ISIS supporters occasionally “disguise fundraising campaigns as humanitarian relief efforts, taking advantage of relief efforts for natural disasters or conflicts in regions where ISIS is prevalent to divert humanitarian assistance.” ISIS often executes these schemes by mimicking the “fundraising campaigns of non-profit organizations (NPOs), but these fraudulent charitable appeals are most commonly made without the involvement of a registered NPO,” according to FinCEN.

The Financial Action Task Force noted in 2023 that the NPO sector has “taken numerous measures around governance, transparency, and accountability to mitigate risks” since TF risks were first identified two decades ago. However, ISIS’ and other terrorist organizations' exploitation of online charity impersonation scams changes that risk calculus entirely. As noted by FinCEN, this “method enables funding groups to cast a wide net to raise funds online, either through social media or dedicated crowdfunding websites.”

Charity scams, which can be perpetrated via a broad range of domain squatting, brand impersonation, phishing, and other cyber-enabled means, represent another use case for CyFI. By leveraging this type of digitally native financial intelligence, which incorporates the full spectrum of digital fingerprints and forensic identifiers generated by web resources into fraud and AML risk-scoring oracles, FIs can better identify fictitious and terror-nexus charity operations.

ISIS supporters also “frequently initiate fundraisers to benefit displaced persons in the al-Hol and Roj camps in northeastern Syria,” according to FinCEN. These fundraising campaigns “generally avoid expressing overt support for ISIS but use specific religious terminology and imagery to signal affiliation with the group,” FinCEN said. These campaigns are primarily “promoted in Arabic and English but have appeared in other languages such as Russian, German, and French,” according to FinCEN.

FinCEN also said that ISIS sympathizers “in over 40 countries have sent money to ISIS-linked individuals in these camps.” Additionally, funds “generated from these campaigns typically make their way to the camps in Syria via cash couriers or the hawala system.”

Banks, Hawalas, and other MSBs

In some cases, “ISIS directly leverages the regulated financial system to move money internationally, taking advantage of jurisdictions with weak AML/CFT controls to launder funds,” according to FinCEN. FinCEN cites ISIS-Somalia as an example of this modus operandi, as the affiliate has used banks to launder funds. FinCEN also said that the terror group had exploited bank accounts in South Africa to transfer funds to ISIS in Central Africa.

But “ISIS relies much more heavily, however, on both registered and unlicensed money service businesses (MSBs), especially hawala,” according to FinCEN. FATF defines hawalas and other similar service providers (HOSSPs) as “money transmitters, particularly with ties to specific geographic regions or ethnic communities, which arrange for transfer and receipt of funds or equivalent value and settle through trade, cash, and net settlement over a long period of time.”

FinCEN noted that the Treasury has “sanctioned several hawala operators and MSBs in Africa and the Middle East, often owned and operated by ISIS members, that have played key roles in moving funds internationally on behalf of the organization.” Furthermore, these hawala operators “serve as key hubs in ISIS’s international financial facilitation networks stretching from the Middle East to South Asia,” according to FinCEN.

Alarmingly, these hawala networks also “facilitate weapons trafficking and human smuggling for the organization,” FinCEN said. Hawalas are also a “key way in which funds make their way to ISIS members in the displaced persons camps in Northern Syria, where they are used to free ISIS sympathizers and recruit on behalf of the organization,” according to FinCEN.

In al-Hol camp alone, “ISIS supporters have received up to $20,000 per month via hawalas, with the majority of those funds transfers originating outside Syria or passing through neighboring countries such as Türkiye,” FinCEN said. Highlighting another immediate compliance use case for CyFI, “ISIS also makes use of online payment providers, including some social media companies, to move funds,” according to FinCEN.

FinCEN said that some of these online payment service providers (PSPs) “operate as unregistered MSBs in the United States.” ISIS also makes use of MSBs that have “incorporated digital assets into their business models, many of which also operate as unregistered MSBs,” according to FinCEN. The use of social media-hosted online PSPs represents another avenue for FIs to leverage the power of WEBINT-powered CyFI.

This type of financial intelligence can analyze social media profiles and related identifiers like IP addresses, email addresses, cookies, linked bank card accounts, and more to cross-reference payers and payees with databases of confirmed TF activity and terror supporters.

Houthi Funding Techniques

The Houthis are a prolific, Iran-backed terrorist group based in Yemen. The group has shot to global notoriety for their attacks on international shipping in the Red Sea corridor following the eruption of war between Israel and Hamas. The terrorist group has demonstrated exceptional sophistication in its weaponization of drone warfare, illustrating its technological superiority to ISIS. The Houthis first emerged as a threat in 2015, as they have been engaged in a civil war against “Yemen’s internationally recognized government, its backers, and other anti-Houthi forces” since that time, according to U.S. Naval Institute news.

According to blockchain intelligence firm TRM Labs, the “Houthis were originally designated as a terrorist organization on January 10, 2021, then removed from that list in February 2021, and re-designated on February 16, 2024.” While there are some overlaps in funding methodologies operationalized by ISIS and Houthi networks, these groups operate differently and have different objectives.

Most importantly, the Houthis are an Iran-nexus terrorist organization and are theologically aligned with the Shia branch of Islam. ISIS, on the other hand, follows the Sunni branch of Islam. Another vital distinction is that Houthi TF activities are more professionalized and operate at a significantly larger scale of value transfer than ISIS.

While ISIS is highly reliant on small donations and fundraising campaigns to fund its operations, Houthi financial networks regularly oversee the illicit transfer of millions of dollars worth of commodities via trade-based money laundering (TBML) schemes. A recent OFAC announcement speaks to this manner of terror funding.

In April, OFAC announced a new set of designations against a “network of Houthi financial facilitators and procurement operatives working in coordination with Sa’id al-Jamal, a senior Houthi financial official backed by Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF),” according to a press release.

OFAC said this network “procured tens of millions of dollars’ worth of commodities from Russia, including weapons and sensitive goods, as well as stolen Ukrainian grain, for onward shipment to Houthi-controlled Yemen.” Notably, OFAC also “identified eight digital asset wallets used by the Houthis to transfer funds associated with their activities,” according to the press release.

The reliance on Russia as a trading partner also marks a notable distinction between the Houthis and ISIS. While ISIS is actively waging jihad against Russia, as evidenced by the 2024 Crocus Hall terror attack, the Houthis are collaborating with Vladimir Putin’s regime.

The OFAC announcement named “Russia-based Afghan businessman Hushang Ghairat (Hushang) and his brother, Russia-based Afghan businessman Sohrab Ghairat (Sohrab)” as co-conspirators who “assisted Sa’id al-Jamal with Houthi commercial initiatives in Russia, including arms procurement.” OFAC further elaborated that in the Summer and Fall of 2024, “Hushang and Sohrab, at Sa’id al-Jamal’s direction, orchestrated at least two shipments of stolen Ukrainian grain from Crimea to Yemen on board the Russia-flagged AM THESEUS.”

The OFAC announcement further noted that “Hushang, Sohrab, and Sa’id al-Jamal use financial facilitators to conduct financial transactions in support of the Houthis’ trade ventures involving Russia, including the aforementioned grain shipments.” Specifically, “Turkiye-based Iranian money launderer Hassan Jafari (Jafari) has worked with Hushang and Sa’id al-Jamal to launder dollars on behalf of Sa’id al-Jamal’s network, enabling the network’s sanctions evasion schemes,” according to OFAC. The sanctions watchdog also said that “Jafari also arranged payments worth millions of dollars in support of shipments benefiting the Houthis.”

The mention of Jafari is notable due to his operating base in Turkey. Again, the OFAC announcement underscores the central role that the Turkish region plays in global terror finance, both Sunni and Shia. Furthermore, a TRM Labs report on these sanctions designations noted that two of the sanctioned crypto addresses were previously linked to al-Jamal. “Other designated addresses have ties to entities identified by Israel’s National Bureau for Counter Terror Financing (NBCTF) as involved in terrorist financing,” according to TRM Labs.

TRM Labs blockchain analysis of the eight designated cryptocurrency addresses pointed to “millions of dollars in volume flowing to other high-risk and OFAC-sanctioned entities,” including al-Jamal and Garantex, as well as to “addresses identified by TRM as belonging to manufacturers and sellers of both unmanned aerial vehicles (UAVs) and anti-UAV equipment connected to China and Russia.”

Regardless, these transactions again highlight the elevated levels of value transfer associated with Houthi-nexus transactions relative to ISIS’ financial activity. At the same time, TRM Labs’ analysis reveals both organizations' preferences for loosely regulated VASPs like Garantex.

TRM Labs further noted that the “Houthi financial apparatus relies heavily on money service businesses under their control to circumvent international sanctions and funnel large sums of money to their operations.” Al-Jamal’s network, for instance, has “leveraged entities such as Mohammed Ali Al Thawr Exchange and Al Hazmi Exchange to channel millions of dollars into Yemen,” according to TRM Labs.

More pertinent to CyFI applications, however, TRM Labs highlighted how the Houthis have leveraged “cryptocurrency mining as part of their financial strategies amid the ongoing civil conflict.” TRM Labs said there are indications that the Houthis have been “involved in mining decentralized cryptocurrencies since at least 2017.”

The Houthis’ crypto-mining initiatives aim to “generate revenue and establish financial autonomy, circumventing traditional banking systems and international sanctions,” according to TRM Labs. However, the blockchain intelligence firm noted that the terror organization has been unable to leverage crypto-mining operations at any meaningful scale.

CyFI is Essential to Mitigate Next-Generation TF Risks

As the Middle East reemerges as the focal point of international military conflict and as groups like ISIS reconstitute and resurge, the mitigation of counter-terrorism financing (CTF) risks has assumed higher priority for FIs globally. America’s shifting defense priorities in the Red Sea corridor and throughout the broader Middle Eastern region have similarly projected financial industry regulatory enforcement priorities in related areas of AML and CTF compliance.

In this threat landscape, the history of regulatory and civil penalties and lawsuits targeting FIs and VASPs that neglected proper CTF screening and monitoring is illustrious enough to make all financial services firms reevaluate their risk exposures.

From the $2 billion fine levied against a multinational London-based bank by the DoJ in 2012 to the $4.3 billion settlement reached by the largest cryptocurrency exchange in the world in 2023 with U.S. prosecutors, the $4.2 billion lawsuit filed by 9/11 insurers against two Saudi banks in 2017, and, most recently, the record $3 billion settlement paid out by a New Jersey-based bank in 2024, the consequences for AML/CTF compliance violations can wreak havoc on institutional balance sheets.

FIs, VASPs, MSBs, and PSPs must also consider rising criminal liabilities for officers and executives who turn a blind eye to illicit financial activity. Furthermore, covered firms should factor in the reputational risks associated with high-profile AML and CTF scandals.

With TF typologies becoming increasingly cyber-enabled, leveraging social media, encrypted messaging technologies, crowdfunding sites, digital assets, online charity scams, and sophisticated credit card and loan frauds, FIs must elevate their financial intelligence collection capabilities.

Resecurity’s CyFI solution set is purpose-built to help FIs navigate the 21st-century AML and CTF metaverse. Resecurity CyFI incorporates AI-powered WEBINT, blockchain analytics, device fingerprinting, computer vision, natural language processing (NLP), malware detection, link analysis, dark web intelligence, and more to parse through terabyte streams of big data and identify bad actors before they cause harm.

In the fight against terrorism, the financial services industry cannot stay neutral. Resecurity CyFI arms institutions with cutting-edge financial intelligence to combat a new generation of cyber-enabled TF tradecraft.
