14 July 2025
Assessing Terrorist Use of Virtual Asset Intermediaries
What investigators need to watch
Terrorist groups have not abandoned traditional finance, but they are testing how virtual assets can be integrated into existing funding operations. This integration is not uniform or widespread, yet it raises new investigative challenges because intermediaries that convert virtual assets to fiat – or that provide hybrid services – can simplify transfers and in some cases obfuscate the trail. This article summarises recent findings on intermediary use in terrorism financing, illustrates key operational patterns from documented cases, and highlights the data and investigative angles authorities should prioritise.
Understanding the broader picture – why virtual assets matter, but do not replace cash
Reports from multilateral bodies and national authorities show that cash couriers and informal value transfer systems such as hawala remain the dominant channels for organisations like Islamic State, Hamas and Hezbollah. Several factors explain why many groups remain reluctant to shift fully into virtual assets – price volatility for many tokens, transparency on major blockchains that risks exposure, and limited local on-ramps for converting crypto into reliable fiat in many operating areas. That said, stablecoins and select token types reduce volatility concerns and are increasingly attractive where conversion pathways exist.
The key change is not wholesale replacement of cash, but selective integration – using virtual assets to move value quickly or to reconcile cross-border flows, and then converting to fiat through intermediaries. That hybrid approach can accelerate transfers, complicate attribution and create novel entry points for exploitation by illicit actors.
Intermediaries that convert funds – typologies and red flags
Small-scale conversion services and over‑the‑counter (OTC) brokers are repeatedly identified in investigations as intermediary nodes through which virtual assets move before reaching exchanges or cash-out points. These services range from informal kiosks advertising cash delivery in return for wallet transfers, to operators offering peer-to-peer matching and OTC trades that settle via domestic bank transfers or third‑party money-transfer services.
Key operational features and risks:
⚠️ Some intermediaries operate by routing customer flows into accounts held on high-volume exchanges, effectively using those exchanges as liquidity providers. This common practice creates an important investigative link between small conversion operations and larger licensed platforms.
⚠️ Operators may use single-use or frequently rotated deposit addresses and require communications through the same contact channels to complete transfers. This can be a deliberate tactic to hamper tracing or to limit visibility for investigators.
⚠️ Small conversion services often advertise via social media, messaging apps or local storefronts. Images showing QR codes, desk displays or application screenshots are common and can be valuable open-source leads.
⚠️ Not all OTC brokers are criminal. Many provide legitimate services for savers or startups seeking liquidity. The investigative challenge is distinguishing ordinary commerce from facilitation of terrorist finance – which requires combining blockchain analytics with local financial-intelligence and open-source indicators.
Documented case examples – what investigations reveal
Case 1 ¦ Hamas cyber-linked solicitations
Open-source and blockchain-analytic investigations found Telegram channels soliciting donations to military units with explicit wallet addresses and email-based instructions. The addresses solicited USDT on the TRON network – a stablecoin offering lower fees and faster settlement than some alternatives. Investigators observed operational practices such as single-use deposit addresses and frequent rotation, and traced transactional patterns consistent with OTC cash-to-crypto businesses. These findings illustrate how an online solicitation can be tied to intermediary conversion activity that then pushes value into broader liquidity channels.
Case 2 ¦ Lebanon-based conversion services
Israeli seizure orders and blockchain tracing highlight Lebanese services offering cashout and exchange capabilities. Archived websites and application listings for a service called Cashout.lb showed explicit claims to withdraw funds and deliver cash locally. Tracing identified an address that had thousands of inbound micro-transactions and hundreds of outgoing transfers predominantly to a high-volume exchange – a footprint consistent with a small conversion business using exchange accounts to provide liquidity. Additional seizures linked other wallets and presented images of physical kiosks and QR codes used by operators, underscoring the offline-online nexus.
Case 3 ¦ Nested platforms and institutional integration
Blockchain analysis identified peer-to-peer platforms allegedly domiciled in one country, claiming operations in others, and relying on third‑party money-transfer services and, in some cases, plans to integrate card networks. Such integrated offerings create new conversion corridors that can channel virtual assets into mainstream payment rails and cash-out mechanisms, elevating the need to map cross-jurisdictional links.
Where fragmentation and diversification complicate detection
A recurring theme is diversification of income and services among facilitators. Actors implicated in suspicious flows sometimes engage in multiple virtual asset activities – from small-scale exchange services to speculative token schemes. This range of activities can dilute initial red flags and make cases appear innocuous unless compliance teams and investigators pursue deeper pattern analysis. Informal value transfer systems like hawala have also adopted digital tools and stablecoins for reconciliation, increasing complexity for tracing and evidencing movement between crypto and cash.
Investigative priorities – what to collect and analyse
Investigators and compliance teams should focus on the following areas to improve detection and disruption:
- Map conversion chains end-to-end: link deposit addresses, payment rails and fiat recipients. Identify whether small conversion services deposit into large exchange accounts, and follow outbound flows from those exchange accounts to custody or mixing points.
- Track communications and operational procedures: harvest messages, emails and channel posts that instruct donors on wallet addresses or specify single-use addresses and rotation practices. Reconstructing the operational playbook often reveals mechanisms for evasion.
- Identify money‑transfer connectors: establish which third‑party remittance providers or local bank accounts are used to move fiat that corresponds to crypto inflows. Patterns of frequent small remittances into specific accounts can indicate coordinated cash-out operations.
- Monitor stablecoin usage and token choices: stablecoins such as USDT on networks with lower fees are attractive for operatives seeking low-cost transfers. Recognise that token choice affects traceability and the types of blockchain explorers or analytic tools needed.
- Use open-source imagery and app listings: screenshots of apps, websites and storefronts – including QR codes and logos – can link online wallet addresses to physical points of cash-out, enabling targeted asset seizure or local enforcement actions.
- Assess the scale and compliance posture of OTC networks: quantify transaction volumes attributed to OTC brokers and probe whether these providers maintain adequate AML/CFT controls and customer due diligence. Regulators should prioritise policies that bring these services into compliance rather than forcing them underground.
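The footprint described in Case 2 (many small inbound transfers, outbound flows going predominantly to a high-volume exchange) can be turned into a first-pass screening heuristic for the chain-mapping priority above. This is an added example, not taken from the research briefing; the address labels, amounts, exchange list and thresholds are constructed assumptions scaled to the sample.

```python
from collections import defaultdict
from statistics import median

# Assumed list of addresses already attributed to a high-volume exchange.
EXCHANGE_DEPOSITS = {"EXCH_HOT_1"}

def build_sample():
    """Constructed transfers: (sender, receiver, amount in USDT)."""
    txs = [(f"donor{i}", "KIOSK_A", 20 + i % 5) for i in range(40)]  # many small inbound
    txs += [("KIOSK_A", "EXCH_HOT_1", 180)] * 4                      # swept to the exchange
    txs += [("KIOSK_A", "misc1", 60)]
    txs += [("alice", "SHOP_B", 900), ("bob", "SHOP_B", 1200),       # ordinary merchant
            ("SHOP_B", "supplier", 2000)]
    return txs

def profile(txs, exchange_addrs):
    """Fan-in / fan-out summary for every address that both receives and sends."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for sender, receiver, amount in txs:
        inbound[receiver].append((sender, amount))
        outbound[sender].append((receiver, amount))
    result = {}
    for addr in set(inbound) & set(outbound):
        ins, outs = inbound[addr], outbound[addr]
        out_total = sum(a for _, a in outs)
        to_exchange = sum(a for r, a in outs if r in exchange_addrs)
        result[addr] = {
            "in_count": len(ins),
            "distinct_senders": len({s for s, _ in ins}),
            "median_in": median(a for _, a in ins),
            "out_count": len(outs),
            "exchange_share": to_exchange / out_total,
        }
    return result

def flag_conversion_footprint(profiles, min_in=30, max_median_in=50,
                              min_exchange_share=0.8):
    """Illustrative thresholds (assumptions). A match is a lead to corroborate
    with financial-intelligence and open-source data, not proof of illicit use."""
    return sorted(
        addr for addr, p in profiles.items()
        if p["in_count"] >= min_in
        and p["median_in"] <= max_median_in
        and p["exchange_share"] >= min_exchange_share
    )
```

Because legitimate OTC brokers produce the same footprint, the flagged set is only the starting point for the communications, remittance and imagery checks listed above.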
Policy and operational implications
Regulation that brings OTC and small conversion services into the formal compliance perimeter will generate more useful data for investigators. Where formal oversight is absent, prohibitions may simply push activity underground and reduce visibility. Authorities should therefore balance restrictive measures with incentivised pathways for registration, KYC and transaction monitoring.
Cross-sector collaboration matters: public authorities, licensed exchanges, blockchain-analytic firms and local enforcement must share indicators and contextual intelligence. Blockchain analytics can reveal transactional patterns and address clusters, but local banking and remittance data, social-media artefacts and physical surveillance supply the corroborating evidence needed to show intent and to link on-chain patterns to real-world actors.
Conclusion – practical steps for investigators
Terrorist financing today remains rooted in cash and informal systems, but virtual assets and conversion intermediaries are increasingly woven into those funding operations. Investigations should therefore combine blockchain tracing with traditional financial-intelligence discipline and open-source investigation techniques. Prioritise mapping intermediary networks, identifying money-transfer connectors, and obtaining communications that explain rotation and deposit practices. Bring OTC and small cashout services under basic AML/CFT controls, and pursue cross-border cooperation to address operators that use multi-jurisdictional footprints. By understanding how intermediaries function and where they sit between crypto and cash, authorities can better detect and disrupt the evolving interplay between modern payment technologies and terrorist financing.
Dive deeper
- Research ¦ Allison Owen, Assessing Terrorist Use of Virtual Asset Intermediaries, Project CRAAFT, Research Briefing No. 2, published in 2025 by the Royal United Services Institute for Defence and Security Studies ¦ licensed under the following terms, with no changes made: CC BY-NC-ND 4.0