New Trends in Terrorist Financing: Fragmentation, Digital Channels and the Role of Gatekeepers

04 November 2025

New Trends in Terrorist Financing: Fragmentation, Digital Channels and the Role of Gatekeepers

FIU Warnings: Digitalized, Fragmented Methods Intensify Risk

Recent months have reinforced that terrorist financing is evolving rapidly: methods are becoming more fragmented, hybrid and digital, while perpetrators exploit legal gaps in crowdfunding, virtual asset services and long chains of intermediaries. Financial Intelligence Units (FIUs) have flagged the same themes seen across Europe and globally — small recurring payments, peer‑to‑peer transfers, mixed use of informal value transfer systems and crypto, and the use of legitimate‑looking organisations and platforms as conduits. These developments increase the risk that seemingly benign transactions will form parts of broader financing networks. For professionals who sit on the financial system’s front line, the challenge is twofold: spot patterns that fragment and conceal funding, and adopt proportionate, focused measures that stop funds in time without blocking legitimate humanitarian or social activity.

Recent European and global developments

Across Europe, law enforcement and FIUs reported a high number of attempted attacks and related arrests, while typologies show diversification in who receives support: jihadist groups remain a priority, but far‑right and separatist forms of violent extremism are increasingly relevant. The common thread is that funding flows are frequently small, distributed and mixed across channels: cash, informal transfer systems historically labelled “hawala”, payment apps, crowdfunding, layered corporate structures, and virtual assets. Digitalization increases speed and opacity — small amounts cross multiple wallets or chains, are routed through mixers and bridges, and then enter the banking or payment system via multiple intermediaries. This hybridization enables actors to avoid triggering conventional AML/CFT red flags while still aggregating meaningful sums.

Key typologies and funding sources

The most consistent patterns are fragmentation and rapid movement. Donor flows often consist of many low‑value transfers from networks of individuals, sometimes using emotive humanitarian narratives and unregulated crowdfunding platforms. Such platforms may lack robust KYC, audited reporting or controls and often use third‑party payment providers, creating long opaque chains. Virtual asset service providers (VASPs, sometimes called CASPs) are a particular vulnerability: peer‑to‑peer trading, on‑chain mixers, cross‑chain bridges, and decentralized finance constructs make detection harder. Perpetrators also use shell companies, residency or e‑residency vehicles, ostensibly legitimate businesses (including events, trade companies and small clubs) and NGOs to disguise flows. Petty crime and organized crime proceeds remain exploitable sources in some jurisdictions.

Why small amounts matter Fragmentation is not just a technicality.

Many compliance programs are tuned to detect larger suspicious flows or standard laundering typologies; they struggle to identify networks of low‑value transfers that, when combined, support extremist activity. Small, rapidly processed transactions exploit gaps in real‑time monitoring and in the practical application of enhanced due diligence. On the crypto side, the speed of transfers and the layering of wallets reduce the window for intervention; service providers often only flag suspicious activity retrospectively, after the funds have dispersed.

Bastian Schwind-Wagner
Bastian Schwind-Wagner "Terrorist financing is increasingly fragmented and digital, exploiting small-value transfers, unregulated crowdfunding and complex chains of intermediaries. Financial institutions and VASPs must adopt TF‑specific scenarios, improve phrase‑aware screening and use graph/on‑chain analytics to detect coordinated funding before it disperses."
Risk picture and useful lessons

Countries assess their national terrorist financing risk as low, but with clear vulnerabilities — especially because of cross‑border transit risk and exposures linked to virtual assets. A low incidence of domestic attacks does not remove the need for a mature, demonstrable countering terrorist financing framework: national risk assessments must be continuously maintained, and private‑sector gatekeepers need concrete, scenario‑based controls tailored to terrorist financing (TF), not only money laundering (ML). The experience shared by FIUs highlight several points that apply broadly:

  • A small number of donors sending recurring small transfers to the same beneficiaries abroad can create a pressing red flag. Even if amounts are trivial individually, pattern analysis often reveals coordination.
  • Crowdfunding and social media appeals are increasingly used as pretexts. Platforms that facilitate payments outside regulated rails may fall outside AML/CFT frameworks and therefore require extra attention from providers that touch those flows.
  • Long chains of VASPs, payment institutions and other intermediaries make “know your customer” very difficult in practice. When clients in one jurisdiction route funds via multiple service providers in others, supervisors and private firms must assume that weakest‑link compliance will be exploited.
  • Some VASPs process transactions even when on‑chain indicators show mixing or prior exposure to bridges and mixers — indicating gaps in tool use, training or policy.
Practical red flags and detection techniques

Certain indicators recur across jurisdictions and product types:

  • repeated small crypto transfers to many addresses that are then consolidated;
  • short‑lived payment channels that switch quickly when detected;
  • identical or region‑specific donation phrasing;
  • chains of third‑party payment providers; and
  • seemingly legitimate organisations that rapidly change payment rails.

Moving beyond single word screening to phrase and context‑aware detection increases precision: many donation campaigns use specific slogans, regionally meaningful tokens or recurring narrative phrases that better distinguish legitimate aid from covert fundraising.

On the analytic side, graph analysis and on‑chain heuristics are essential: fragmentation patterns, address clustering, bridge and mixer usage, and cross‑platform flows must be modeled to detect that a set of small transactions is actually an integrated funding network.

Operational recommendations for gatekeepers

Financial institutions, payment service providers, VASPs and non‑financial businesses that act as gatekeepers should adopt proportionate, risk‑based measures focused on the TF threat:

  • Maintain and regularly update a national and global understanding of TF typologies. Reading public reports and enforcement actions (for example, detailed releases explaining why wallets or entities were sanctioned) provides actionable indicators.
  • Develop a small set (three to four) of TF‑specific scenarios and red‑flag profiles tailored to your products, clients and jurisdictions. These scenarios must be operational — mapped to systems, alerts and escalation paths — not just theoretical exercises.
  • Enhance screening from single keywords to phrase and context detection for donation appeals, region‑specific language and membership payment descriptions. Combine these with behavioural and network analytics.
  • Operationalize on‑chain and graph analytics for crypto: flag mixers, bridges, frequent address churn, consolidation patterns and small recurring transfers across multiple wallets. Ensure VASP compliance teams review and act on these indicators in near real time.
  • Prioritize pre‑training with real TF examples and continuous feedback loops on suspicious transaction reports (STRs). SAR/STR quality and feedback help refine detection and reduce false positives.
  • Map correspondent and service provider chains and include questions about partners’ AML/CFT and sanctions compliance, their approach to travel rule obligations, and whether they routinely process mixed or bridged activity.
  • Keep humanitarian safeguards proportionate. Recognize legitimate aid needs and avoid blanket refusals that punish genuine donors. Where risks exist, apply enhanced due diligence and structured oversight rather than wholesale prohibition.
  • Prepare operational capabilities for rapid action, including, if adequate, weekend processes for freezing and escalation. Sanctions lists and target wallets can be published at any time; firms must be able to respond promptly.
Why supervision and multi‑agency action matters

A country with low TF incidents still must demonstrate capacity and readiness. Supervisors distinguish TF oversight from general AML supervision and ensure that law enforcement has prosecutorial capability and a clear strategy to pursue cases when they arise. National risk assessments should lead to five‑year action plans that allocate resources, training, and public‑private cooperation. FIUs and supervisors should continue to share typologies with the private sector and work jointly on scenario exercises — this builds confidence that, if a real case emerges, the system will act effectively.

Conclusion

Terrorist financing is not static. Fragmentation, digitalization and hybrid use of informal and formal channels have created a landscape where many small, fast transactions and long intermediary chains can conceal dangerous funding. The private sector remains the system’s primary gatekeeper: banks, payment providers, VASPs and non‑financial entities must adopt, where adequate, TF‑specific scenarios, deploy phrase/context screening, use graph and on‑chain analytics, and keep proportionate humanitarian safeguards in place. National authorities should continue to translate risk assessments into concrete, sustained action plans and ensure law enforcement and supervisory arrangements can act effectively when new patterns are detected. Targeted analytics and pragmatic cooperation are the best defense against a funding model designed to hide in plain sight.

Further reading

To understand these trends in depth, study recent FIU and law enforcement case reports, national TF risk assessments and detailed enforcement releases that explain asset seizures and sanctions designations. The U.S. Treasury and Europol publications on TF, along with national FIU typology notes and specific enforcement cases (for example, recent crypto seizure press releases), contain operational indicators that compliance teams can adapt into scenarios and detection rules.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Did you find any mistakes? Would you like to provide feedback? If so, please contact us!
« EBA ¦ Draft RTS on Customer Due Diligence under Article 28(1) of Regulation (EU) 2024/1624
CoE ¦ MONEYVAL Annual Report 2024 »
Bastian Schwind-Wagner
Bastian Schwind-Wagner Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.

Newsletter

Your registration could not be saved. Please try again.
We have sent you an e-mail to confirm your subscription.

We use Brevo as a marketing platform. By submitting the form, you agree that the personal information you provide will be transferred to Brevo for processing in accordance with Brevo's privacy policy.

What else?

What else?