Crowdfunding and Cryptocurrency: Renewed Efforts to Smuggle Islamic State Fighters and Their Families from North Syrian Detention Facilities
By Mona Thakkar and Anne Speckhard
A significant escalation in Islamic State’s (IS) attacks in Syria during the first half of the year, combined with a recent surge in prison break attempts by detained IS operatives in Northern Syria, suggests that the group is regaining strength. This was also evidenced by the US-backed, Kurdish-led Syrian Democratic Forces’ (SDF) recent arrest of a crucial IS facilitator who aided the escape of foreign IS detainees from a prison facility in Raqqa, followed by the recapture of a Libyan and a Russian fighter, with three others remaining at large.
This resurgence also coincides with IS and its linked international financial networks ramping up their crowdfunding efforts, now aimed at extricating incarcerated senior IS operatives, along with female IS detainees and adolescents, from Syrian internment camps. While the SDF, under the amnesty deal, has regularly released hundreds of local Syrian and Iraqi IS fighters, IS-linked networks have mainly focused on spiriting out third-country female and male IS detainees. ICSVE’s monitoring reveals that since July an English-speaking IS-linked supporter group has been running a crowdfunding campaign to raise $20,000 in bribes to secure the release of a foreign IS detainee (Figure 1). A message, purportedly written by an IS supporter and circulating on his Telegram channel, reads, “Disbelievers are willing to release the brother in exchange for significant bribes,” and claims to have already raised $11,000 of the required $20,000.
Donations for this crowdfunding campaign were primarily accepted through cryptocurrency transfers, with USDT on the Tron blockchain being the most preferred medium, followed by Western Union transfers. In August, the Tron wallet used by the IS-linked entity for freeing the IS militant processed nearly $34,000 through centralized crypto exchanges like Binance, MEXC, Coinex, and Bybit. (See Figure 2)
Analysis of the transaction chain reveals that the IS-linked Tron wallet address received $11,700 in August, routed through an intermediary address (TF…) (Figure 2.1) that was traced back to the addresses (TS…) sanctioned by Israel’s National Bureau for Countering Terror Financing (NBCT) in October last year by ASO order 53:23. This USDT address (TS…), along with many other addresses, was seized by Israel last year as part of the larger crackdown on Hezbollah’s money laundering network, which seized $1.7 million in cryptocurrency (Figure 2.1). The use of multiple intermediaries, potentially involving unregulated or illegal crypto exchanges, has been a common strategy employed by illicit actors to bypass regulatory oversight. Illicit proceeds from the IS-linked Tron address were also routed onward to well-known decentralized crypto trading platforms such as ChangeNOW and XML Gold (Figure 2.1, 2, 2).
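The routing described above is why screening only a wallet's direct counterparties misses this kind of exposure. The following compliance-screening sketch is an added example, not part of the original article or ICSVE's tooling; the ledger and every address label in it are constructed for illustration. It walks inbound transfers backwards from a wallet to find sanctioned sources that sit behind intermediaries.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount_usd). All addresses are
# made-up labels for illustration, not values taken from the article.
TRANSFERS = [
    ("SANCTIONED_1", "INTERMEDIARY_A", 15000),
    ("INTERMEDIARY_A", "CAMPAIGN_WALLET", 11700),
    ("EXCHANGE_HOT", "CAMPAIGN_WALLET", 9000),
    ("RETAIL_USER", "EXCHANGE_HOT", 500),
    ("CAMPAIGN_WALLET", "INTERMEDIARY_A", 200),  # cycle: must not loop forever
]
SANCTIONED = {"SANCTIONED_1"}


def direct_hits(transfers, wallet, sanctioned):
    """One-hop screening: sanctioned addresses that paid `wallet` directly."""
    return sorted({s for s, r, _ in transfers if r == wallet and s in sanctioned})


def trace_exposure(transfers, wallet, sanctioned, max_hops=4):
    """Breadth-first walk over inbound transfers, backwards from `wallet`.

    Returns one finding per sanctioned source reachable within `max_hops`:
    the shortest path (source first), its hop count, and the smallest single
    transfer on that path, which bounds how much value the path could have
    carried from the source to the wallet.
    """
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    findings, seen = [], {wallet}
    queue = deque([(wallet, [wallet], float("inf"))])
    while queue:
        node, path, bottleneck = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # hop budget spent on this branch
        for sender, amount in inbound[node]:
            if sender in seen:
                continue  # already visited; also breaks cycles
            seen.add(sender)
            new_path, low = [sender] + path, min(bottleneck, amount)
            if sender in sanctioned:
                findings.append({"source": sender, "hops": len(new_path) - 1,
                                 "path": new_path, "max_traceable_usd": low})
            else:
                queue.append((sender, new_path, low))
    return findings
```

On the constructed ledger, one-hop screening returns nothing for `CAMPAIGN_WALLET`, while the backward trace reports the sanctioned source two hops away.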
Alongside broader supporter-based networks, pro-IS English-speaking women within the Al-Hol camp have been raising smuggling capital to orchestrate their escapes (Figure 3). They direct supporters to channel funds mainly through PayPal and Western Union transfers to IS-linked intermediaries based in Istanbul, Turkey. For PayPal transfers, senders are cautioned to avoid referencing the purpose of the transfer or using “suspicious” terms such as “Sadaqah” (Arabic term for righteously and voluntarily giving charity), “Syria,” or “captives” in order to evade scrutiny from law enforcement agencies, with the organizers claiming that prior PayPal accounts linked to the campaign were suspended or blocked, leaving them unable to withdraw the transferred funds.
The crime-terror convergence has long been established for groups like IS, al-Qaeda, etc. This case proved no different, as an analysis of the transactions directed to the Bitcoin address used by the IS-linked financial network reveals a disconcerting intersection between terrorism financing and global criminal enterprises. A substantial portion of these transfers, amounting to thousands of dollars, originated from entities tied to major decentralized Russian darknet drug markets, including OMG OMG, Mega Darknet, Solaris, and Kraken Darknet. (See Figure 4). These transactions were further compounded by a significant influx of funds from coin mixers, such as the Bitcoin Wasabi Wallet, a privacy wallet used to mix Bitcoin from different sources and conceal its origin. Moreover, the incoming transfers were not limited to narcotics; they also involved entities engaged in ransomware attacks and hacking. Notably, direct transfers from North Korea’s notorious hacking group Lazarus to the Bitcoin address employed by this IS-linked network were identified (See Figure 4), underscoring how both militant actors and global criminal enterprises are using the same crypto wallet addresses to obfuscate and launder their illicit proceeds.
Illicit money is allegedly being used not just for bribes to facilitate the release of IS prisoners in Syria, but is also being funneled to IS militants on the battlefield in Syria. In August, an IS-linked financial facilitator initiated a crowdfunding campaign, seeking $5,000 for IS operatives in Syria, under the guise of an “agricultural investment scheme” for local farmers. The circulated message on Telegram read: “We are seeking investors to assist our hard-working entrepreneurs in acquiring tools for their diligent efforts in this blessed land of Sham. The investment goal is $4,000.” (See Figure 6). The pro-IS channel referred to the eternal rewards of investment and circulated cryptic imagery to subtly imply that the illicit funds were intended not for supporting agricultural activities but for the procurement of weapons for IS fighters. In one notable post, grenades were concealed among a basket of fruits, accompanied by the provocative question, ‘Which one is your favorite fruit?’ (Figure 7).
The use of centralized cryptocurrency exchanges has become a critical component in the facilitation of illicit transactions for this crowdfunding campaign, as evidenced by nearly $120,000 being funneled to the IS-linked Tron wallet address between August and September. Key exchanges include KuCoin, MEXC, OKX, Binance, BingX, and Bitget, highlighting the significant role of centralized
In addition to these supporter-based networks, the Islamic State in Khorasan Province (ISKP) Tajik network had continued to exploit its supporter base by running a crowdfunding campaign to financially aid the families of Tajik IS fighters held in the Syrian camps. However, as
Apart from the English-speaking supporter networks, pro-IS Russian networks resurfaced in July to solicit donations worth $2,500-$3,000 (Figure 12) for each adolescent, to smuggle them out of Al-Hol, after which they are either repatriated or join the terror group. This comes at a time when the women in the discussion channels are angrily complaining about camp authorities undertaking heightened security and surveillance measures, separating boys as young as 12 from IS women and placing them into
IS-linked entities have also laundered most of their funds via international wire transfers for over a year through what appears to be a shell company, “Aqua Creative Global.” Ostensibly fraudulently registered as a private limited e-commerce site in Hong Kong, the company’s website lists an expired license and a fake office address. The shell company seems to be part of a complex money laundering scheme and appears to have been channeling funds for IS and other criminal entities through its bank account with Banking Circle SA in Copenhagen, Denmark, an established European commercial institution headquartered in Luxembourg.
The findings of this study are consistent with the UNSC’s July monitoring report on IS and Al-Qaeda, which highlights that, while hawala transfers remain the primary method for moving illicit funds, IS has increasingly turned to cryptocurrency exchanges, e-wallets, and stablecoins like Tether for fundraising and transferring money. They are also making use of the EU-based banking system, allowing anyone to trace them. Prepaid cards and local digital money transfer apps are also frequently used, with decentralized crypto platforms and services gradually being adopted to further obscure the movement of illicit funds. IS and its transnational financial networks are gradually prioritizing and investing in raising capital for extracting adolescents and high-risk foreign IS detainees, owing to the significant operational and propaganda value they have to offer. Many of these detainees are believed to have been freed by paying bribes of $3,000 to $10,000 to prison guards and to the SDF administration or Turkish-backed rebels in charge of handling these detention facilities in their areas of control. However, the price for securing the release of foreign fighters is ostensibly much higher, ranging from $15,000 to $25,000, as documented above. One Turkish journalist even posed as a seventy-year-old man from Europe willing to pay to smuggle the IS wife he married over the internet out of the camps into Turkey and further into Europe.
The smuggling of battle-hardened, radicalized foreign fighters and IS women with newly formed international networks out of Syrian prisons poses a grave threat that extends beyond Syria’s borders. There are rising fears that their undetected return to their home countries, facilitated by expansive human smuggling networks stretching from Asia to Europe, could trigger “blowback” attacks, significantly escalating the risk of domestic terrorism. Many former IS women are now disillusioned and wish to leave, seeing Turkey as a safer option than enduring assaults from IS women in the camps. In contrast, others remain committed believers, expecting the Caliphate to re-emerge. For IS, however, the foremost priority, above revenge for the destruction of its territorial Caliphate, remains to recover its lost personnel through successful prison breaks such as the January 2022 attack on the Al-Sina prison, in keeping with its “breaking the walls” campaign of coordinated attacks on Iraqi prisons in 2013, which freed scores of its fighters and enabled it to assemble a serious fighting force. In addition to smuggling schemes aimed at extracting loyalist detainees, the recent surge in self-organized prison breaks by IS prison inmates further underscores the escalating security threat posed by the group, as well as the hopelessness and frustration of those imprisoned for years without charges or hopes of facing justice at home. Indeed, disillusioned male ISIS fighters told the second author that the longer they were refused repatriation and the chance to face justice at home, the more it caused them to wonder if they had been wrong to turn their backs on the terror organization and if they could ever fit back into Western society, even while being willing to confess and serve prison time at home.
IS and its financial supporter networks on Telegram and other social media platforms have largely evaded rigorous crackdowns, significantly enhancing their fundraising capabilities to support the escape of detainees. The widespread adoption of cryptocurrencies, such as Bitcoin, USDT TRC20 tokens on the Tron blockchain, and Monero, facilitates fund transfers with heightened anonymity and undermines traditional financial regulations. This situation presents considerable challenges for regulatory bodies and security agencies. Likewise, as the security situation in north-eastern Syria remains tenuous, it behooves all of our countries to rethink refusals to repatriate. As documented, children growing up in the north-eastern Syrian camps are purportedly being smuggled out to the battlefield by IS, along with scores of radical foreign IS fighters and women dedicated to rebuilding the Caliphate. We must take responsible actions to facilitate the repatriation of IS fighters and their families to their home countries, where they can face justice. This requires a coordinated international response to dismantle the extensive financial infrastructure of IS and its affiliates, including the associated financial networks and supporter groups that aid the escape of detained IS loyalists. If left unchecked, these financial networks will enable IS to further strengthen its ranks by freeing experienced detained members, contributing to its further resurgence.