Countering the financing of terrorism (CFT)

Table of contents

What is countering the financing of terrorism (CFT)?

Countering the financing of terrorism (CFT) refers to policies, regulations, tools, and investigative techniques designed to prevent the flow of money to terrorist organizations or actors. CFT efforts aim to detect, disrupt, and report activities that fund terrorism — often before an attack occurs.

CFT is closely related to anti-money laundering (AML) — but while AML focuses on proceeds of crime, CFT targets the funding of terrorism, which may include both legal and illegal sources.

‍

Why are countering the financing of terrorism (CFT) initiatives critical for public and private sector organizations?

Terrorist financing threatens global security and financial integrity. Unlike other forms of financial crime, terrorist financing doesn’t always involve large sums or illegal funds — a single transaction or small donation from an individual could contribute to enabling an attack or supporting extremist operations.

As digital assets like cryptocurrencies grow in adoption, so do concerns about their use in the cross-border financing of terrorist activity. Financial institutions, regulators, and law enforcement agencies need on and off-chain intelligence to identify and stop these flows — especially as terrorist groups evolve their fundraising efforts.

CFT frameworks are critical to safeguarding the financial system and preventing violence, coercion, and geopolitical instability.

‍

What are some of the standards and activities associated with countering the financing of terrorism (CFT)?

CFT involves a combination of preventive and investigative efforts:

Regulatory compliance: Financial institutions and Virtual Asset Service Providers (VASPs) are required to implement ‍Know Your Customer (KYC) programs, monitor transactions, and report suspicious activity.‍
International standards: The Financial Action Task Force (FATF) sets global recommendations for CFT, including risk assessments and travel rule implementation.‍
Investigations and enforcement: Law enforcement agencies and national security units use blockchain intelligence, open-source data, and cross-border collaboration to trace terrorist financing networks.

While terrorist financing continues to be funded with traditional payment methods, including cash and hawalas, evidence of the growing use of cryptocurrency by terrorist groups is clear. Today, terrorist organizations commonly turn to privacy coins, stablecoins, mixers, or decentralized platforms to raise and move funds.

‍

What are some examples of how terrorist organizations are using digital assets to raise funds?

Sanctions evasion by designated groups: Entities like Hamas or Hezbollah use cryptocurrency to launder and cash-out funds using pseudonymous crypto addresses and wallets, rather than beneficial names.
Exploitation of charitable fronts: Extremist groups have used fake humanitarian causes to solicit donations.
Crowdfunding for violent extremism: Online platforms are used to fundraise for weapons, propaganda, or operations.
Use of mixers and DeFi protocols: Terrorist financiers may leverage privacy-enhancing tools to obscure fund flows and evade detection.

‍

What are the public and private sectors doing to counter terrorism financing?

The fight against terrorism financing is a shared responsibility. Each stakeholder — from law enforcement and national security agencies to crypto-native platforms — plays a distinct role in detecting, disrupting, and preventing illicit financial activity.

Law enforcement and national security agencies

Law enforcement and national security agencies are on the front lines of terrorism financing investigations. These units — including national police, counterterrorism task forces, and intelligence services — use blockchain analytics (also known as blockchain intelligence) to:

Trace illicit crypto flows across multiple chains, wallets, and typologies
Uncover funding networks and link pseudonymous addresses to real-world identities
Coordinate cross-border investigations using shared intelligence and case data
Present blockchain evidence in support of indictments or asset seizure
Identify threat actors or entities by identifying real-world on and off ramps

Tools like TRM Forensics provide visualization, risk indicators, and enriched attribution that help speed up casework and support international collaboration.

Regulators and policymakers

Regulators shape the legal frameworks that enable CFT enforcement. Their role includes:

Mandating compliance standards (e.g. Travel Rule, suspicious activity reporting)
Supervising VASPs and other financial institutions for effective CFT controls
Sharing red flags and typologies with industry through guidance and advisories
Monitoring systemic risk using aggregated blockchain intelligence data

Blockchain analytics tools help regulators:

Identify emerging typologies and trends on illicit volume across blockchains
Evaluate institutional controls to manage high-risk counterparty and indirect exposure
Track trends to inform policymaking and enforcement priorities

Financial institutions

Banks and traditional financial institutions are required to screen for terrorism financing risk under global AML/CFT obligations. With growing exposure to crypto-related activity (e.g. via correspondent banking, VC investments, or retail onramps), they increasingly rely on blockchain analytics to:

Screen counterparties and transaction flows for links to terrorist entities or networks
Meet regulatory expectations for risk-based approaches to mitigate digital asset risk
File timely suspicious activity reports (SARs) with CFT-relevant intelligence

Crypto businesses and exchanges

Crypto-native organizations — including centralized exchanges, DeFi platforms, stablecoin issuers, payment processors, wallet providers, and custody platforms — play a critical role in preventing abuse of digital assets. Their efforts include:

Implementing wallet and transaction screening to detect terrorist-linked addresses
Monitoring user behavior for obfuscation techniques (e.g. multiple small donations to known nodes)
Collaborating with law enforcement on subpoenas and investigations
Enhancing internal compliance programs with real-time blockchain risk data

These platforms also serve as gateways to the financial system — making their cooperation essential to identifying and reporting terrorism financing attempts early.

‍

How does TRM help organizations counter terrorism financing?

Crypto-enabled terrorist financing is often complex, decentralized, and designed to avoid detection. It may involve small donations, anonymizing tools, or cross-border transfers that exploit regulatory gaps. TRM helps public and private sector organizations respond with precision — turning blockchain data into actionable intelligence.

TRM supports terrorism financing investigations and risk management across four key areas.

1. Mapping terrorist financing networks across blockchains

Extremist groups often rely on pseudonymous wallets, layered transfers, and multi-chain hops to obscure fund flows. TRM Forensics allows investigators to:

Trace funds across dozens of blockchains, including mixers
Follow transactions in real time or retroactively across hundreds of hops
Uncover fundraising infrastructure, such as donation addresses linked to sanctioned entities
Link seemingly unrelated wallets through behavioral patterns, timing analysis, and public key hash analysis

Example: Analysts tracing a suspected terrorist wallet could uncover a wider network by identifying shared counterparties, wallet reuse, or repeated funding from the same VASP.

2. Identifying high-risk wallets and exposure in real time

With TRM Wallet Screening, organizations can proactively detect and flag exposure to:

Known or suspected terrorist-affiliated addresses
Sanctioned wallets, jurisdictions, and entities (e.g. under OFAC, UN, or EU sanctions)
Wallets that interact with high-risk services, such as unregistered exchanges or donation platforms tied to illicit campaigns

TRM Wallet Screening is used by exchanges and VASPs to prevent onboarding or payout to high-risk actors.

Example: A crypto exchange may use TRM Wallet Screening to automatically block or freeze transactions linked to wallets under investigation for Hamas-affiliated crowdfunding.

3. Continuously monitoring transactions to detect emerging risk

Terrorist organizations are becoming more sophisticated, using new wallet addresses — which may not have any risk attribution and pass initial screens — to fundraise and transfer funds. TRM Transaction Monitoring enables compliance teams to:

Alert on transactions that meet specific, organization-defined criteria (e.g. transaction volume thresholds, counterparty regions, specific entities)
Automatically monitor prior transactions and counterparty addresses for new risk exposure
Identify high-confidence signals for suspicious behavior

4. Understanding the entities behind the wallets

Terrorist financiers may use front entities, straw donors, or services registered in permissive jurisdictions. TRM Know-Your-Entity (KYE) helps compliance and regulatory teams:

Assess the full risk profile of a wallet or business, including entity connections, ownership structures, and prior exposure
Identify links to state-sponsored activity, extremist groups, or high-risk facilitators
Uncover indirect exposure from transactions passing through many intermediary wallet addresses

Example: A regulator may use TRM Know-Your-Entity (KYE) to assess whether a licensed VASP is indirectly facilitating terrorist financing through third-party processors.

5. Anticipating new tactics and threat actors

Terrorist tactics evolve quickly — from social media-based fundraising to the use of NFTs, stablecoins, or DeFi protocols. TRM’s threat intelligence team continuously:

Monitors extremist channels for crypto fundraising
Analyzes new tools or platforms abused for CFT purposes
Publishes intelligence alerts and typologies to help the ecosystem stay ahead
Works directly with government agencies to share leads, red flags, and deconflicted data

Example: Federal law enforcement reached out for additional information related to attribution of a fundraising address. TRM was able to provide source-of-truth information about the attribution, which enabled the law enforcement agency to secure probable cause to search the subjects’ email — and ultimately led to an arrest and the prevention of a terror attack.

Together, these capabilities allow organizations to detect small but significant threats, trace the financial infrastructure behind terror operations, and proactively defend against abuse of digital assets.

‍

Regulatory relevance: Why does CFT matter for private sector compliance?

Countering the financing of terrorism (CFT) is not just a public safety priority — it's a core regulatory requirement for financial institutions, crypto businesses, and other intermediaries operating across the global financial system.

Failing to detect or report terrorist financing activity can expose businesses to:

Enforcement actions — including license revocation or multi-million-dollar fines
Severe reputational risk — particularly if a platform is named in high-profile cases
De-risking by banks or payment partners — especially if operating in high-risk regions

Why is CFT critical for private sector organizations — including financial institutions, banks, and crypto exchanges?

Expectations are rising

‍Jurisdictions around the world are rapidly updating their AML/CFT regimes to include virtual asset service providers (VASPs), fintechs, and cross-border platforms.

High-risk jurisdictions are being monitored

‍Institutions with operations or counterparties in high-risk or sanctioned regions face enhanced obligations and lower tolerance from regulators and partners.

Example: A crypto exchange operating without adequate wallet screening could unknowingly process donations to a terrorist-linked address — triggering regulatory action in all jurisdictions where it operates.

What are the core CFT frameworks and mandates in place around the world today?

Private sector businesses are expected to comply with domestic CFT laws and international standards, including:

FATF Recommendation 5

‍Requires countries to criminalize terrorist financing, implement preventive measures (e.g. Know Your Customer (KYC) and suspicious transaction reporting), and hold private sector actors accountable for compliance.

UN Security Council Resolutions 1373 and 2462

‍Outline binding obligations on states to suppress terrorism financing, implement targeted financial sanctions, and share information with financial institutions.

US Bank Secrecy Act (BSA) and PATRIOT Act

‍Require financial institutions to implement robust AML/CFT programs, report suspicious activity, and maintain detailed customer due diligence records. Crypto businesses are considered money services businesses (MSBs) and are subject to these laws.

EU AML Directives (AMLD 4, 5, 6)

‍Mandate that VASPs and financial institutions implement CFT programs, conduct beneficial ownership screening, and report activity linked to designated groups or sanctioned actors.

Monetary Authority of Singapore (MAS) Notice PSN02

‍Sets out AML/CFT requirements for digital payment token (DPT) service providers, including exchanges and custodians. It requires ongoing monitoring of customer transactions and source of funds, screening for terrorist financing exposure, timely filing of suspicious transaction reports (STRs), enhanced due diligence for high-risk customers or jurisdictions, and use of analytics tools to assess transaction risk.

United Kingdom (UK) Proceeds of Crime Act (POCA)

‍Criminalizes all forms of property-based crime — including funding of terrorist activity — and imposes disclosure obligations on regulated firms. Under POCA, firms must report any knowledge or suspicion that a transaction may be linked to criminal property, comply with additional obligations under the Terrorism Act 2000, ensure AML/CFT programs extend to crypto transactions, and cooperate with law enforcement and the National Crime Agency (NCA) through timely Suspicious Activity Reports (SARs).

United Arab Emirates – Cabinet Decision No. 10/2019 (AML-CFT Regulations)

‍Federal regulation that outlines the AML/CFT compliance obligations for all financial institutions, DNFBPs (Designated Non-Financial Businesses and Professions), and VASPs operating in the UAE.

What do regulators expect from VASPs and financial institutions when it comes to countering the financing of terrorism?

Generally speaking, regulators expect all crypto businesses, VASPs, banks, and other financial institutions to maintain the following baseline of CFT activities:

Real-time monitoring of crypto transactions for potential terrorist financing patterns
Continuous monitoring of wallet addresses and counterparties for sanctions or terrorism exposure
Prompt suspicious transaction reports (STRs or SARs) when red flags are identified
Participation in information-sharing partnerships, including public-private threat intelligence initiatives

Regulators increasingly expect institutions to leverage blockchain analytics and blockchain intelligence platforms like TRM Labs to meet these requirements. Passive or paper-only programs are no longer considered sufficient in jurisdictions with maturing crypto regulatory frameworks.

‍

Risk considerations: Evolving threats in CFT

Terrorism financing risk is dynamic. As crypto adoption accelerates and global regulations race to catch up, the tactics used by threat actors — and the gaps they exploit — continue to evolve.

Some of key challenges both the public and private sector currently face in CFT include:

False positives vs. real threats

Many terrorism-related transactions are low-value and resemble normal user behavior. This makes it difficult for compliance professionals to distinguish between legitimate activity and illicit financing without contextual blockchain intelligence. Plus, over-reliance on basic heuristics can lead to alert fatigue or missed signals.

Open-source abuse

Extremist groups increasingly leverage public platforms — like Telegram, X (formerly Twitter), or even YouTube — to solicit donations via wallet addresses. These campaigns often evade detection for weeks or months, particularly when wallets are not immediately flagged or linked to designated entities.

Rapid evolution of tools and infrastructure

New technologies — including DeFi protocols, privacy coins, cross-chain bridges, and even AI-generated wallets — are being exploited by bad actors to move funds more discreetly. These tools often lack traditional KYC controls and operate beyond national regulatory reach.

Cross-jurisdictional enforcement gaps

Inconsistent regulations, delayed adoption of FATF standards, and limited cross-border data sharing mean that terrorist financing activity may go unflagged when it crosses legal or national boundaries, making coordinated response challenging.