The Rise of Monero in Terrorist Financing

Understanding how terrorist organizations are financed is one the first steps to curtailing the influx of resources that help facilitate terror. Over the past decade, the gravitation towards cryptocurrency as a proxy fiduciary has been a seemingly natural progression for terrorist organizations, as traditional banking and financial institutions make it impossible for funds to flow anonymously. Even though cryptocurrency is becoming more regulated and adhering compliance to the global banking framework, terrorist organizations have begun a paradigm shift away from traditional cryptocurrencies to the privacy-centric blockchains, specifically Monero.

1. What is Monero?

1.1 Monero (XMR) Blockchain

In 2013, a research paper (or in the crypto world, aptly known as ‘white paper’) was published by an unknown individual or group of individuals using the pseudonym Nicholas van Saberhagen. This ‘white paper’ conceptualized a privacy oriented cryptocurrency and blockchain, something that would become CryptoNote protocol. While the Bitcoin blockchain had been active for over 4 years, the CryptoNote ‘white paper’ highlighted that anonymity and privacy should be the focus of cryptocurrency, and Bitcoin’s traceability would lead to It’s inevitable downfall. Many who are involved with release of Monero as well as the current Monero Research Lab choose to remain anonymous.

While Monero operates similarly to other cryptocurrencies, with “sending” and “receiving” wallets, the blockchain heavily obfuscates transactions. Each transaction amasses decoy signers, and assigns “stealth” addresses for both the “sending” and “receiving” wallets, as well as hiding the transaction amount.

1.2 Anonymity Enhanced Coins

Monero (XMR) has been a traded and transacted AEC (Anonymity Enhanced Coin) since it’s inception in 2014, but it is not the only privacy centric cryptocurrency. Comparable anonymity focused coins like ZCash, Dash, GRiN, etc. have also been steadfast tokens of choice for those who prefer transaction privacy over profitability. With the investment zeitgeist that ebbs and flows for such flagship cryptocurrencies as Bitcoin and Ethereum in tandem with the penny-stock, rags-to-riches tales of meme-based tokens like Doge and Shibu Inu, contrasting AECs rarely hold any investment value.

As illicit economies financed by Bitcoin and Ethereum attempt to adapt to everchanging OFAC sanctions, law enforcement seizures of mixing/tumbling services, and more cryptocurrency VASP/exchanges becoming KYC/AML compliant, it seems only natural that the gravitation towards AECs remains commensurate with the desire to evade detection and scrutinization. With Monero being the most popular and most utilized AEC in the world, it’s not surprising that illicit and illegal activity subsidized by cryptocurrency is preferential to it.

1.3 Monero and Darknet Marketplaces

Historically, darknet markets have had an unstable relationship with Monero. In 2019, the darknet market “Libertas” collapsed partially due to the adoption of a “Monero Only” policy for purchasing. Adversely, the re-emergence of Alphabay in 2020 and new comer White House Market witnessed great success with only allowing Monero to be utilized on the marketplaces. Maybe a confluence of events attributed to the success. The rise in COVID-19 restrictions resulted in more people using the dark web, and there was also a surge in exchanges that made it easy to buy cryptocurrency, but it still marked a paradigm shift. Monero was now here to stay.

2. Who Needs to Understand the Monero Nexus to Terrorism?

Whether its members of IC, law enforcement, banking institutions who back crypto exchanges, or compliance officers for crypto exchanges, it is important that there is a unilateral understanding of the nexus of Monero to terrorism.

The financing of terrorist organizations with cryptocurrencies is something that has been status-quo since the early 2010s. To evade banking institutions, well-known terrorist organizations had established the infrastructure for crypto donors to support their jihadist causes.

Today preference for Bitcoin in illicit circles remains stagnant for several reasons, whereupon it is the easiest cryptocurrency to purchase, as well as convert back to fiat. However, as we can see from the Islamic State in Pakistan Providences BTC wallet addresses provided above, the visibility of the BTC blockchain allows anybody to see all the transaction history that has taken place: https://blockchair.com/bitcoin/address/1Gziz7Ry8mYgomuobdNCd1jKHBK8cv9YDk | https://blockchair.com/bitcoin/address/17QAWGVpFV4gZ25NQug46e5mBho4uDP6MD . Counter to what one of the donation ads expresses, Bitcoin is NOTcryptocurrency that cannot be traced”. Blockchain analytic tools, utilized by law enforcement, compliance firms, and the internal auditors for the cryptocurrency exchanges themselves, help to mitigate the threat of their users sending funds to sanctioned wallet addresses, or addresses attributed to illegal services.

3. How do we Identify Terrorist Organizations Seeking Monero Donations?

Monero’s rise in popularity for its usage for illegal and nefarious purposes remains unparalleled in the AEC space. However, AECs often find themselves unwelcome in the ever-growing regulated cryptocurrency boom. Compliance and transparency become key issues as countries all over the world adapt to incorporate cryptocurrency as part of their commerce, which often leaves AECs out of the equation. Binance, one of the largest Tier 1 VASPs in the world, opted to delist Monero in February of 2024 sending shockwaves through the Monero community. Coinbase, another VASP utilized throughout the world, chooses not to have Monero purchasable via their platform. This leaves Monero users relying on non-custodial “swapping” services, like ChangeNow, Majestic Bank, and FixedFloat for liquidity or peer-to-peer exchanges like LocalMonero

Terrorist propaganda calling for donors
Terrorist propaganda calling for donors

The preference for Monero in the terrorism sphere has presented itself over the past four years. Most notably, Akbar al-Muslimin changing donations from Bitcoin to exclusively Monero in 2020 as well as ISIS-K published advertisements for Monero donations via al-Azaiam Foundation in 2023. Many darknet hosted sites dedicated to language translations and propagations of jihadist content have Monero only methods for cryptocurrency donations.

Whether its Telegram channels or deep/dark web sites, one is surely to come across a “donation” section. Identifying these Monero addresses is the first step (and often the only step) in the intelligence gather process on correlating specific donation addresses to the terrorist organization.

4.3 Tips and Tricks for Deciphering Monero

Understanding the Monero blockchain can be nebulous, especially for those who do not have a good comprehension of how cryptocurrency transactions take place in the first place. Something of notice for the provided graphics show the difference in the prefixed “4” and “8” Monero wallet addresses. All Monero wallet addresses are 95 alphanumeric characters and will being with a “4”. Subnet addresses, or “shell addresses”, will begin with an “8”, which help conceal the native wallet address. Subnet addresses funds attribute to the native “4” wallet.

One can deduce somebody’s Monero savviness from the wallet addresses being shared, whereas not knowing the sharing of your native wallet address is a Monero faux-paus in the illicit space. A further protection that Monero adds for transactions are visible stealth addresses, whereupon the visible transactions on the blockchain show the assigned stealth addresesses and hide the denomination of the transaction. In short, although the blockchain is open and the every transaction is broadcasted and published, those transactions are heavily obfuscated.

5. What are Common Misconceptions About Monero?

The most common mistake in this space is thinking that you can “trace out” Monero transactions like traditional cryptocurrencies. This is simply not true. While Monero utilizes UTXO (Unspent Transactional Output), and shares cryptographic primitives with liken UTXO coins, the Monero blockchain is designed to protect both the sender and receiver. Whereupon, the receiving wallet cannot view the sending wallet. The most “vulnerable” party to a Monero investigation would be identifying and compromising sending wallet. You would be able to identify all the wallets that funds were sent to, but not be able to identify the wallets that sent funds. In the realm of hypotheticals, identifying and subsequently compromising a Monero wallet associated with terrorist financing would reveal where the Monero is being sent, but not the donating party addresses.

6. Tools and Resources for Investigating Monero

Lets look at these various XMR addresses associated with terrorism related donations in an open Monero blockchain explorer like Explore.Moneroworld.Com. We can see the public keys associated with each wallet address, but nothing further on transaction history: [source 1] [source 2] [source 3]

Insomuch, this drastically different from the Bitcoin wallet addresses we observed previously. In order to see any type of transaction history in an open explorer, it would require knowing a transaction hash, and knowing either the wallet private view key or the transaction hash’s private key. In this specific transaction hash, we can observe the stealth addresses protect both the sender and recipient, and the signatures in the hashes are combined with decoy signers.

This is a process known as RingCT, which became standard for all Monero transactions in 2017. In the three years before this adoption, transactions on the XMR blockchain merely had the option to deploy this protocol. Transactions between 2014 & 2016 on the Monero blockchain do have vulnerabilities for discovery if RingCT was not utilized.

6.1 Wallets

Users of Monero will find themselves likely using a software/self-custody wallet. Lay users will often opt for MyMonero, Exodus, or Cake Wallet. These are rather simple and user-friendly wallets, with Cake Wallet and Exodus having the capabilities of holding multiple coins and offering a built in swapping service to convert Bitcoin to Monero and vice-versa. Some of these wallets offer the ability to create subnet wallet addresses. The more versed users will likely be using the open-source Feather Wallet, which by default creates 10 subnet wallet addresses for the user once a wallet is created. 

Feather wallet also connects into the Monero blockchain via the TOR based Monero nodes, adding a layer of anonymity for the wallet’s synchronization to the blockchain. However, by using the TOR based nodes, it adds a delay in synchronization to the blockchain, thus taking longer for transactions to be verified in the mempool, or colloquially known as the queued transaction pool.

“Feather” Monero wallet - connecting into TOR based Monero nodes
“Feather” Monero wallet – connecting into TOR based Monero nodes

The creating Monero wallets first start with a private seed-phrase, with native CryptoNote seeds being 25 characters. One can easily create Monero wallets via GetMonero.org. Knowing this seed allows user to reconstruct the wallet elsewhere, likely in the aforementioned self-custody wallets.

Offline Monero wallet address generator - public address displayed with private mnemonic seed
Offline Monero wallet address generator – public address displayed with private mnemonic seed

Further reading about Monero and AECs in general can be found here.

6.2 SOCMINT Value

Exactly where the Monero wallet is being shared is also of extreme value in the SOCMINT world. There is a heavy presence of Monero enthusiasts and connoisseurs on such platforms as Monero.town and Monerica. Could it be possible to correlate a Monero wallet being shared along with other cryptocurrency wallets? For example, WikiLeaks accepts multiple cryptocurrencies for donations.

Wikileaks donation page

The Monero wallet address (native “4” address) being shared for donations is: 453VWT5GEkXGc2J9asRpXpRkjoCGKCJr96rndm2VMe5yECiAcUB3h8pFxZ8YGbmbGmVefwWHPXmLR69Vw1sVNWz5TsFqYbK Any attempt to explore donating parties at this address is fruitless, but if we look at the other donation addresses, such as Ethereum and Bitcoin, we can observe the donation activity and associated parties:

Being able to associate other cryptocurrency addresses associated with a Monero wallet address can sometimes be the only investigative avenue to pursue. From looking at the aforementioned Wikileaks donation example, we can observe both the donating parties as well as where the funds are being sent when leaving the wallet. For example, we can see this specific withdraw from the Ethereum donation wallet address: https://ethplorer.io/tx/0x9677c4b333132c4b3025f12bb01f76058e826ea411d15b1850c8ceebf701da66#pageTab=transfers 

Visibility of Wikileaks Ethereum address via Ethplorer.io
Visibility of Wikileaks Ethereum address via Ethplorer.io

 Is Monero the most secure AEC?

While Monero is certainly the most popular, speculatively there are “more” secure AECs. One in particular is ZCash, which employs zk-Snarks protocol to protect the transactions instead of RingCT. Another comparable protocol to RingCT is WimbleNimble, which employed by such AECs as GRiN and LiteCoin.

7.2 Can Monero be exploited?

It would require more “proactive” measures. There are some “well known” Monero exploits that require manipulating the sending of funds, such as “Dusting”, whereas sending a minimal amount of Monero in a multitude of transactions to the same wallet. Another exploit would be running a “honeypot” Monero node, whereas attempting to harvest the IP addresses of the transactions that reach out to the node for transaction verification. Theoretically, it can reveal the IP addresses of self-custody wallets users that are not connecting into TOR or hidden service nodes. 

7.3 Why don’t more illicit services use Monero?

Monero’s liquidity and availability remains an inhibiting factor. As previously mentioned, the ability to easily convert cryptocurrency to fiat is a huge consideration. AECs traditionally are not as potable when it comes to legacy tokens like Bitcoin and Ethereum. In the terrorism realm, many exchanges prohibit users based on location coinciding with U.N. and OFAC sanctions. Iran is a prime example of where many “Tier 1” exchanges prohibit users

7.4 What is the difference between Seeds and Keys?

The way Monero protects both the users and transactions is providing wallets with private and public spend/view keys. Furthermore, XMR transactions provide private transaction keys with the transaction hashes to allow visibility on the blockchain for only those party to the transaction. This is an example of knowing decoding a transaction to reveal the true amount of funds send via knowing the destination wallet address and the transaction private key (different from the transaction hash) which is visible it all observers here:

http://explore.moneroworld.com/tx/93c62924ed9be472c3a5f8a9590f2350997fd5a2ad966b7bc092f46942091a90 

Exploring a Monero transaction on explore.moneroworld.com
Exploring a Monero transaction on explore.moneroworld.com

However, only by knowing the destination wallet address and the private/secret transaction key could the data in the photo be visible on the blockchain. 

By comparison, the private mnemonic seed is essentially the wallet itself. Knowing the mnemonic seed to a wallet can allow you to reconstruct the wallet, giving you access to the funds associated the wallet. Only self-custody wallets provide their users with the private seeds, as opposed to exchange hosted wallets, whereupon the seeds are held by the exchange. 

8. Monero in the News

Monero was in the news in January 2024 as Finland’s National Bureau of Investigation KRP (Keskusrikospoliisi) had purportedly “traced” Monero. In the trial of Julius Aleksanteri Kivimäki, evidence was presented that Kivimäki had swapped Bitcoin funds for Monero and sent the funds to a dedicated Monero wallet. However, it appears that Monero funds were not “traced” in a traditional sense (referred to a on-chain tracing), but rather the Bitcoin funds were traced to the swapping service and the swapping service itself was compelled to be provide the Monero wallet address associated with the swap. 

In Norway, there is an infamous 2018 case that is colloquially known as the Crypto Kidnapping in which Monero & Dash were used to pay a “ransom”. Not a very publicized case outside of Norway, it presented challenges to investigators as it incorporated the dark web on top of AEC payments. Tom Hagen, the tycoon husband, was later charged in 2020 as being complicit in a murder disguised as kidnapping

In February 2023, Dubai banned AECs following a similar action imposed by Japan’s Financial Security Agency in 2018. France had proposed a similar ban in 2019, and exchanges were opting to delist AECs based on geolocation of the users. To date, the countries that have effectively banned AECs are Japan, South Korea, Australia, and Dubai. 

9. Conclusions

The intelligence gaps that exist are not so much about Monero itself, but relevant to how the Monero is being converted to fiat to subsidize terror. While Monero and other AECs offer anonymity in the digital space, ultimately the cryptocurrency has to be liquidated in order to be transacted in the “real world”. With legitimate cryptocurrency VASPs/exchanges gravitating away from supporting Monero, the mechanisms for swapping the Monero for other cryptocurrencies must be the focus. 

The swapping service FixedFloat has purportedly been freezing funds that are determined to be associated with illicit activity. The low KYC/AML compliance of swapping services leaves little redress for those who espouse they’ve been “scammed” when their funds are frozen or seized. The darknet and clearweb based service WizardSwap offers another layer of anonymity for tentative users, but begs the question of who is actually in control of these services and if they are retaining wallet addresses along with other data. With the well reported financing of Hamas’s campaign in Israel via USDT on the TRON network, was the recent ISIS-K terror attack in Moscow principally funded by Monero donations? 

Table of Contents

Related Content

Danish Frogmen: Special Maritime Operators

TYPE:_ Article

Israel-Congo Strategic Partnership: Diamonds are Forever

Location:_ Central Africa

Stuxnet, Beyond the Code: Exploring the Legacy and Impact

TYPE:_ Article
Location:_ MENA

Japanese Red Army: A Communist terror organisation

TYPE:_ Article
Location:_ Far East

Russian Interference in Moldova: A Counterintelligence Report

Location:_ Europe

SFSG: The UK Special Forces Support Group 

TYPE:_ Article
Location:_ Europe

Stay in the loop

Get a free weekly email that makes reading intel articles and reports actually enjoyable.

Log in

Stay in the loop

Get a free weekly email that makes reading Intelligence Reports and Articles actually enjoyable.

Table of Contents

Contact

Contact

"*" indicates required fields

This field is for validation purposes and should be left unchanged.