The dark web, often portrayed as a nebulous and shadowy corner of the internet, serves many purposes ranging from the innocuous to the illicit. The dark web plays a critical role for individuals in oppressive regimes, offering a platform for free expression and access to unfiltered information, while in more open societies, it supports whistleblowing and privacy. A significant portion of dark websites offer legitimate services such as forums, chat rooms, and marketplaces. One computer security firm’s study in 2016 found that more than half of the domains they examined were legal. Furthermore, the Onion Router (Tor), an open-source network that facilitates anonymous browsing on the dark web, is used by major organizations such as leading newspapers, Facebook, and even the CIA, to emphasize their commitment to privacy and secure communication channels.

However, the dark web also presents opportunities for misuse. This primer explores key reasons terrorists use the dark web, as well as its role in financing terrorist organizations and operations.

Main Terrorist Uses of the Dark Web

Identity Protection and Secure Communication

One main reason terrorists use the dark web is to protect their identities and evade detection. By leveraging the anonymity mechanisms that the dark web offers, terrorists can explore, purchase, and communicate on websites without the risk of easy detection. For example, in August 2013, the US National Security Agency intercepted encrypted communications between al-Qaeda leader Ayman Al-Zawahiri and Nasir Al-Wuhaysi, the head of Yemen-based al-Qaeda in the Arabian Peninsula. This intercept revealed that al-Qaeda had been using the dark web for regular communication between its leaders worldwide for a decade. That said, secure messaging platforms like Telegram have emerged as more accessible alternatives for terrorists, bypassing the need for the technical knowledge required to navigate the web through the Tor browser.

Propaganda Repository and Presence Mirroring

Another use of the dark web by terrorists is as a repository for propaganda. Unlike surface websites, which are vulnerable to being removed by law enforcement or platform providers, the dark web offers more stability in hosting propaganda materials. For instance, ISIL has turned to the dark web to post news and propaganda. Following the November 2015 attacks in Paris, the hacktivist group ‘Anonymous’ launched an operation that led to the takedown of hundreds of ISIL-associated websites. In response, ISIL's media outlet, Al-Hayat Media Center, pivoted to posting content on the dark web. The group also shared links and guides on an ISIL-associated forum on how to access their new dark website.

Some terrorist organizations regularly post duplicate content on both the surface and dark web to serve as a backup and ensure their online activities can continue even if their main websites are taken down. However, a direct dark web presence among terrorist groups is not overly common. A study tracking 200 terrorist domains found that only 10 had a mirrored presence on the dark web. This suggests that although the dark web is used by terrorist groups for purposes such as securing communication channels and disseminating propaganda, it is not their primary means of establishing an online presence.

Financing Specific Uses

Soliciting Donations Through Cryptocurrency Transactions

Criminals often leverage the anonymity that digital currencies such as Bitcoin, Monero, and other coins offer. These currencies are particularly appealing for conducting transactions on the dark web. Terrorist organizations have recognized this potential and increasingly turned to cryptocurrencies to solicit and receive donations discreetly.

In 2015, IS posted its Bitcoin address on the dark web, allowing sympathizers to send funds directly. The trend continued in November 2017, when the Akhbar al-Muslimin website, known for publishing news from IS, initiated an online fundraising campaign. This campaign explicitly requested donations in Bitcoin, directing supporters to a dedicated donation page on CoinGate, a Bitcoin trading site. Each article on the site was accompanied by a link encouraging donations, with a note advising not to use zakat funds.

Figure: 2015 IS Dark Web Bitcoin Donation Campaign Image

To facilitate the adoption of the dark web as a fundraising platform, specific instructional documents are often disseminated on the surface web. For example, a PDF document entitled “Bitcoin and the Charity of Violent Physical Struggle” was circulated in July 2014. Although the group affiliation of the document is unknown, it provided instructions on using the dark web to financially contribute to a campaign to support Jihad.

There are also anecdotal reports of crowdfunding platforms on the dark web being explored as potential channels for other terrorist groups, potentially from the far-right, to finance their activities. However, concrete details and official information on this aspect remain limited, highlighting the challenges in monitoring and combating the use of digital currencies for illicit fundraising on the dark web.

Sale of Illicit Goods and Services

The dark web is infamous for its marketplaces where illegal goods and services can be bought and sold with a degree of anonymity. Terrorist groups have reportedly exploited the dark web to sell drugs, weapons, human organs, looted antiquities, stolen oil, and even services such as hacking. The marketplaces could also enable terrorist organizations to advertise recruitment incentives, such as salaries and benefits, to attract new members.

In addition to selling or advertising illicit goods, terrorists use the dark web to procure items crucial for their operations, ranging from instructional manuals and fraudulent documents, to firearms and their components. For example, the perpetrator of the 2016 Munich Shooting executed the attack using a weapon purchased from a dark web marketplace. However, the trade in weapons on the dark web is not as common as for electronic products like stolen identities—due largely to the logistical challenges of smuggling physical items. Terrorists have instead shown interest in acquiring blueprints for 3D-printed weapons to circumvent some of the challenges associated with transporting conventional arms.

Although there are instances of terrorists both making sales and purchases on the dark web, it is challenging to verify the associated transactions. An inability to establish the origin of illicit goods sold on the dark web adds another layer of complexity to the challenge of disrupting the activities.

Access to Money Laundering Techniques and Financial Facilitators

The dark web not only facilitates the sale and purchase of illicit goods and services but also acts as a hub for financial crimes, including money laundering. By offering both instructional resources and access to individuals skilled in obscuring the origins of illegally obtained money, the dark web has become a tool for terrorists looking to launder their funds.

One of the primary methods used for money laundering on the dark web involves cryptocurrency mixing and tumbling services. These services anonymize transactions by blending the digital currency of multiple users, making it difficult to trace the funds back to their source. This anonymity is particularly appealing to terrorists seeking to disguise the financial trails of their operations. In early 2023, the US Department of Justice took down ChipMixer, a dark web mixing service that processed over $3 billion in unlawful transactions, some of which could have been tied to terrorist activity.

Additionally, some dark web marketplaces sell fraudulent documentation that can assist criminals in setting up shell companies, which can then be used to funnel illicit funds through seemingly legitimate businesses. Potential terrorist exploitation of the shell company resources complicates law enforcement efforts to track and intercept illicit financing.

Access to stolen identities is another crucial aspect of money laundering facilitated by the dark web. Terrorists can use these identities to create bank accounts or acquire financial products, further obfuscating the movement of funds. This tactic not only aids in laundering money but also contributes to a broader spectrum of financial crimes, including fraud and identity theft. For instance, a Jihadist group in Indonesia used the dark web to solicit donations in Bitcoins from both national and international supporters. After leveraging a stolen identity obtained from the dark web, the group then hacked a foreign exchange. trading site to steal points from a member, ultimately amassing $600,000 for their operations.

Although there is limited evidence available, the dark web could also act as a marketplace for hiring corrupt financial service providers. These individuals or entities could be willing to overlook legal requirements in exchange for compensation, providing services such as unauthorized bank transfers, false accounting, and other methods of laundering funds. Their expertise and willingness to participate in illegal activities would make them valuable for terrorists aiming to integrate their funds into the global financial system without detection.

Responses to Terrorist Use of the Dark Web

Efforts to dismantle terrorist operations on the dark web, such as taking down specific sites, often resemble a "whack-a-mole" exercise—challenging and not necessarily effective in the long run as new replacements inevitably pop up. The Silk Road takedown, for example, highlighted the possibility of disrupting dark web activities but also emphasized the difficulties in eradicating such platforms altogether.

Additionally, while the dark web offers some advantages for terrorist organizations, the lack of regular search capabilities and the technical expertise needed by users can make it less appealing. Terrorists are more inclined to use tools such as VPNs to hide their identities while operating on the surface web, where they can achieve greater visibility and impact. Consequently, counter-terrorism strategies focused more on the surface web, where terrorist propaganda, recruitment, and fundraising efforts have the potential to reach a far wider audience, are likely beneficial.

However, as technology progresses, creating tools and methods to track terrorist activities on the dark web remains necessary. Initiatives such as the Defense Advanced Research Projects Agency's MEMEX program, designed to better index the deep web, and the European law enforcement's DANTE program, which aims to identify and link various online actions to possible terrorist operations and fundraising activities, are important disruption efforts. These initiatives also emphasize the value of conducting further research to better understand and mitigate the terrorist use of the dark web for financing activities.

Did you find this post insightful? Share it with a colleague!

Share

Don’t forget that our Terrorist Financing Analysis eLearning course is open for new enrolments. Learn more about how terrorists use various technologies for financing purposes by signing up today.

© 2024 Insight Threat Intelligence Ltd. All Rights Reserved.

This newsletter and its contents are protected by Canadian copyright law. Except as otherwise provided for under Canadian copyright law, this newsletter and its contents may not be copied, published, distributed, downloaded or otherwise stored in a retrieval system, transmitted or converted, in any form or by any means, electronic or otherwise, without the prior written permission of the copyright owner.