Global Disruption of Three Terror Finance Cyber-Enabled Campaigns

The Justice Department on Thursday announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS).


Largest Ever Seizure of Terrorist Organizations’ Cryptocurrency Accounts

The Justice Department on Thursday announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS). 

This coordinated operation is detailed in three forfeiture complaints and a criminal complaint unsealed today in the District of Columbia.  These actions represent the government’s largest-ever seizure of cryptocurrency in the terrorism context.

These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age. 

Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.

Funds successfully forfeited with a connection to a state sponsor of terrorism may in whole or in part be directed to the United States Victims of State Sponsored Terrorism Fund (http://www.usvsst.com/) after the conclusion of the case.

“It should not surprise anyone that our enemies use modern technology, social media platforms and cryptocurrency to facilitate their evil and violent agendas,” said Attorney General William P. Barr.   “The Department of Justice will employ all available resources to protect the lives and safety of the American public from terrorist groups.  We will prosecute their money laundering, terrorist financing and violent illegal activities wherever we find them.  And, as announced today, we will seize the funds and the instrumentalities that provide a lifeline for their operations whenever possible.  I want to thank the investigators from the Internal Revenue Service, Department of Homeland Security, Federal Bureau of Investigation, and the prosecutors from the D.C. United States Attorney’s Office and National Security Division for their hard and innovative work in attacking the networks that allow these terrorists to recruit for and fund their dangerous actions.”

“Terrorist networks have adapted to technology, conducting complex financial transactions in the digital world, including through cryptocurrencies. IRS-CI special agents in the DC cybercrimes unit work diligently to unravel these financial networks,” said Secretary of the Treasury Steven T. Mnuchin.  “Today’s actions demonstrate our ongoing commitment to holding malign actors accountable for their crimes.” 

“The Department of Homeland Security was born after the September 11, 2001 terrorist attacks and, nearly 20 years later, we remain steadfast in executing our critical mission to safeguard the American people, our homeland, and our values,” said Acting Secretary of Homeland Security Chad F. Wolf.  “Today’s announcement detailing these enforcement actions targeting foreign terrorist organizations is yet another example of the Department’s commitment to our mission. After launching investigations that identified suspected online payments being funneled to and in support of terrorist networks, Homeland Security Investigations skillfully leveraged their cyber, financial, and trade investigative expertise to disrupt and dismantle cyber-criminal networks that sought to fund acts of terrorism against the United States and our allies.  Together with our federal law enforcement partners, the Department will utilize every resource available to ensure that our Homeland is and remains secure.”    

“These important cases reflect the resolve of the D.C. United States Attorney’s Office to target and dismantle these sophisticated cyber-terrorism and money laundering actors across the globe,” stated Acting United States Attorney Michael R. Sherwin.  “While these individuals believe they operate anonymously in the digital space, we have the skill and resolve to find, fix and prosecute these actors under the full extent of the law.” 

“IRS-CI’s ability to trace funds used by terrorist groups to their source and dismantle these radical group’s communication and financial networks directly prevents them from wreaking havoc throughout the world,” said Don Fort, Chief, IRS Criminal Investigation.  “Today the world is a safer place.”

“As the primary law enforcement agency charged with defeating terrorism, the FBI will continue to combat illicit terrorist financing regardless of platform or method employed by our adversaries,” said FBI Director Christopher Wray. “As demonstrated by this recent operation, the FBI remains committed to cutting off the financial lifeblood of these organizations that seek to harm Americans at home and abroad.”

“Homeland Security Investigations continues to demonstrate their investigative expertise with these enforcement actions,” said ICE Deputy Director and Senior Official Performing the Duties of the Director Matthew T. Albence.  “Together with law enforcement partners, HSI has utilized their unique authorities to bring to justice those cyber-criminal networks who would do us harm.”

Al-Qassam Brigades Campaign

The first action involves the al-Qassam Brigades and its online cryptocurrency fundraising efforts.  In the beginning of 2019, the al-Qassam Brigades posted a call on its social media page for bitcoin donations to fund its campaign of terror.  The al-Qassam Brigades then moved this request to its official websites, alqassam.net, alqassam.ps, and qassam.ps.

The al-Qassam Brigades boasted that bitcoin donations were untraceable and would be used for violent causes.  Their websites offered video instruction on how to anonymously make donations, in part by using unique bitcoin addresses generated for each individual donor.   

However, such donations were not anonymous.  Working together, IRS, HSI, and FBI agents tracked and seized all 150 cryptocurrency accounts that laundered funds to and from the al-Qassam Brigades’ accounts.  Simultaneously, law enforcement executed criminal search warrants relating to United States-based subjects who donated to the terrorist campaign. 

With judicial authorization, law enforcement seized the infrastructure of the al-Qassam Brigades websites and subsequently covertly operated alqassam.net.   During that covert operation, the website received funds from persons seeking to provide material support to the terrorist organization, however, they instead donated the funds bitcoin wallets controlled by the United States.

The United States Attorney’s Office for the District of Columbia also unsealed criminal charges for two Turkish individuals, Mehmet Akti and Hüsamettin Karataş, who acted as related money launderers while operating an unlicensed money transmitting business.   

Al-Qaeda Campaign

The second cyber-enabled terror finance campaign involves a scheme by al-Qaeda and affiliated terrorist groups, largely based out of Syria.  As the forfeiture complaint details, these terrorist organizations operated a bitcoin money laundering network using Telegram channels and other social media platforms to solicit cryptocurrency donations to further their terrorist goals.  In some instances, they purported to act as charities when, in fact, they were openly and explicitly soliciting funds for violent terrorist attacks.  For example, one post from a charity sought donations to equip terrorists in Syria with weapons:

Undercover HSI agents communicated with the administrator of Reminder for Syria, a related charity that was seeking to finance terrorism via bitcoin donations.  The administrator stated that he hoped for the destruction of the United States, discussed the price for funding surface-to air missles, and warned about possible criminal consequences from carrying out a jihad in the United States.

Posts from another Syrian charity similarly explicitly referenced weapons and extremist activities:

Al-Qaeda and the affiliated terrorist groups together created these posts and used complicated obfuscation techniques, uncovered by law enforcement, to layer their transactions so to conceal their actions.  Today’s complaint seeks forfeiture of the 155 virtual currency assets tied to this terrorist campaign.   

ISIS Campaign

The final complaint combines the Department’s initiatives of combatting COVID-19 related fraud with combatting terrorism financing.  The complaint highlights a scheme by Murat Cakar, an ISIS facilitator who is responsible for managing select ISIS hacking operations, to sell fake personal protective equipment via FaceMaskCenter.com (displayed below)

The website claimed to sell FDA approved N95 respirator masks, when in fact the items were not FDA approved.  Site administrators claimed to have near unlimited supplies of the masks, in spite of such items being officially-designated as scarce.  The site administrators offered to sell these items to customers across the globe, including a customer in the United States who sought to purchase N95 masks and other protective equipment for hospitals, nursing homes, and fire departments.

The unsealed forfeiture complaint seized Cakar’s website as well as four related Facebook pages used to facilitate the scheme.  With this third action, the United States has averted the further victimization of those seeking COVID-19 protective gear, and disrupted the continued funding of ISIS. 

The claims made in these three complaints are only allegations and do not constitute a determination of liability.  The burden to prove forfeitability in a civil forfeiture proceeding is upon the government.  Further, charges contained in criminal complaint are merely allegations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

IRS-CI Cyber Crimes Unit (Washington, D.C.), HSI’s Philadelphia Office, and FBI’s Washington D.C., New York, and Los Angeles field offices are investigating the case. Assistant U.S Attorneys Jessi Camille Brooks and Zia M. Faruqui, and National Security Division Trial Attorneys Danielle Rosborough and Alexandra Hughes are litigating the case, with assistance from Paralegal Specialists Brian Rickers and Bria Cunningham, and Legal Assistant Jessica McCormick.  Additional assistance has been provided by Chainalysis and Excygent.

Blogs to Follow:

Justice.gov (August 2020) Global Disruption of Three Terror Finance Cyber-Enabled Campaigns

CISA Releases Guide for America’s Election Administrators

The Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program.


Federal authorities say one of the gravest threats to the November election is a well-timed ransomware attack that could paralyze voting operations. The threat isn’t just from foreign governments, but any fortune-seeking criminal.

As a result, the Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program. 

Vulnerability disclosures can be an effective way for organizations to benefit from cybersecurity expertise without having it resident to their organization.  

CISA released two new assessments and infographics on Election Infrastructure Cyber Risk and Mail-in Voting in 2020 Infrastructure Risk.

Each method of voting carries risk that you, as election officials, manage.

These assessments and infographics are voluntary resources intended to help the Federal Government and election officials understand and manage risks to election infrastructure and operations.

“Election officials have spent years beefing up security to their systems and closing these vulnerability gaps to keep our elections safe and secure,” said CISA Director Christopher Krebs. “Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections.”  

The guide aims to help election officials understand the role that the cybersecurity research community can play in helping officials keep systems secure so that the American public’s voice can be clearly heard.

The guide includes a number of best practices for improving and addressing vulnerabilities within election systems, and offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.  

Accordingly, an electoral process that is both secure and resilient is a vital national interest and one of CISA’s highest priorities.

CISA is committed to working collaboratively with those on the front lines of elections—state and local governments, election officials, federal partners, and vendors—to manage risks to the Nation’s election infrastructure. CISA will remain transparent and agile in its vigorous efforts to secure America’s election infrastructure from new and evolving threats.

While ultimate responsibility for administering the Nation’s elections rests with state and local governments, CISA offers a variety of free services to help states ensure both the physical security and cybersecurity of their elections infrastructure.

Additionally, election infrastructure’s critical infrastructure designation enables CISA to provide services on a prioritized basis at the request of state and local elections officials.

Blogs to Follow:

CISA.gov (August 2020) CISA RELEASES GUIDE TO VULNERABILITY REPORTING FOR AMERICA’S ELECTION ADMINISTRATORS; ELECTION INFRASTRUCTURE SECURITY

Three Individuals Charged for Alleged Roles in Twitter Hack

The Northern District of California, U.S. Attorney’s Office has announced on Friday that three individuals have been charged today for their alleged roles in the Twitter hack that occurred on July 15, 2020.


The Northern District of California, U.S. Attorney’s Office has announced on Friday that three individuals have been charged today for their alleged roles in the Twitter hack that occurred on July 15, 2020.

Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.

The third defendant is a juvenile.  With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile.  Pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the State Attorney for the 13th Judicial District in Tampa, Florida.

Twitter Hack Charging Announcement – Northern District of California, U.S. Attorney’s Office

“The hackers allegedly compromised over 100 social media accounts and scammed both the account users and others who sent money based on their fraudulent solicitations,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.  “The rapid investigation of this conduct is a testament to the expertise of our investigators, our commitment to responding quickly to cyber-attacks, and the close relationships we have built with law enforcement partners throughout the world.”

 “There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney David L. Anderson for the Northern District of California.  “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.  Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it.  In particular, I want to say to would-be offenders, break the law, and we will find you.”

“Upon opening an investigation into this attack, our investigators worked quickly to determine who was responsible and to locate those individuals,” said San Francisco FBI Special Agent in Charge John F. Bennett. “While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks. Regardless of how long it takes us to identify hackers, we will follow the evidence to where it leads us and ultimately hold those responsible for cyber intrusions accountable for their actions. Cyber criminals will not find sanctuary behind their keyboards.”

“Weeks ago, one of the world’s most prolific social media platforms came under attack.  Various political leaders, celebrities, and influencers were virtually held hostage as their accounts were hacked,” said Kelly R. Jackson, IRS-Criminal Investigation (IRS-CI) Special Agent in Charge of the Washington D.C. Field Office.  “The public was confused, and everyone wanted answers.  We can now start answering those questions thanks to the work of IRS-CI cyber-crime experts and our law enforcement partners. Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers. This case serves as a great example of how following the money, international collaboration, and public-private partnerships can work to successfully take down a perceived anonymous criminal enterprise. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, IRS-CI will continue to follow the money and unravel complex financial transactions.”

“Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office. “The Secret Service remains committed to pursuing those responsible for cyber-enabled fraud and will continue to hold cyber criminals accountable for their actions.  This investigation is a testament to the strong partnerships between the Secret Service, the U.S. Attorney’s Office, the FBI, the IRS, as well as our state, local and international law enforcement partners.”

“Our identities and reputations are sacred. We will continue to aggressively defend and protect individuals, companies, and other entities from new-age cyber-fraud, especially those who scheme to hack, defraud and wreak havoc on U.S. citizens across the country,” said Caroline O’Brien Buster, Special Agent in Charge, U.S. Secret Service, Orlando Field Office. “The Secret Service believes that building trusted partnerships between the private sector and all levels of law enforcement is the proven model for success. I commend the exceptional work conducted by our law enforcement partners and the U.S. Attorney’s Office who worked diligently to hold these defendants accountable.”

As alleged in the complaints, the Twitter attack consisted of a combination of technical breaches and social engineering.  The result of the Twitter hack was the compromise of approximately 130 Twitter accounts pertaining to politicians, celebrities, and musicians.

The hackers are alleged to have created a scam bitcoin account, to have hacked into Twitter VIP accounts, to have sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then to have stolen the bitcoin that victims deposited into the scam account.  As alleged in the complaints, the scam bitcoin account received more than 400 transfers worth more than $100,000. 

This case is being investigated by the FBI’s San Francisco Division, with assistance from the IRS-Criminal Investigation Cyber Unit; the U.S. Secret Service, San Francisco and Headquarters; the Santa Clara County Sheriff’s Office and their REACT task force and the Florida Department of Law Enforcement.

The case is being prosecuted by Senior Counsel Adrienne Rose of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys William Frentzen and Andrew Dawson of the Northern District of California.

Additional assistance has been provided by the U.S. Attorney’s Office for the Middle District of Florida; the State Attorney for the 13th Judicial District in Tampa, Florida; the Criminal Division’s Office of International Affairs and Organized Crime and Gang Section; the United Kingdom’s Central Authority and National Crime Agency; Chainalysis and Excygent.

The allegations of a criminal complaint are merely an allegation.  All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Blogs to Follow:

Justice.gov (July 2020) Three Individuals Charged for Alleged Roles in Twitter Hack

UK Condemns Russian Intelligence Services over Vaccine Cyber Attacks

On Thursday, the UK has called for an end to irresponsible cyber-attacks by the Russian Intelligence Services, who have been collecting information on vaccine development and research into the COVID-19 virus.


The Foreign Secretary has called out Russia’s unacceptable cyber attacks against COVID-19 vaccine developers.

On Thursday, the UK has called for an end to irresponsible cyber-attacks by the Russian Intelligence Services, who have been collecting information on vaccine development and research into the COVID-19 virus.

This follows a joint advisory today (16 July) by the UK’s National Cyber Security Centre (NCSC), the US and Canada on how to protect against these attacks.

The Foreign Secretary, Dominic Raab said, “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic, while others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

“The UK will continue to counter those conducting such cyber-attacks, and work with our allies to hold perpetrators to account”, Raab said.

The UK shared some details:

  • The actors responsible are known and tracked in open source as APT29, Cozy Bear and The Dukes.
  • NCSC are almost certain (95%+) that APT29 are part of the Russian Intelligence Services. APT29 has targeted medical research and development organizations. NCSC assess it is highly likely (80 – 90%) that this activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.
  • Find further details on the framework used by the UK government for all source intelligence assessments, including the probability yardstick.
  • NCSC advice on how to protect against this threat is available.

The UK released the report, “APT29 targets COVID-19 vaccine development” in which the report details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’.

The report provides indicators of compromise as well as detection and mitigation advice.

The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) assess that APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’) is a cyber espionage group, almost certainly part of the Russian intelligence services. The United States’ National Security Agency (NSA) agrees with this attribution and the details provided in this report.

The United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) endorses the technical detail and mitigation advice provided in this advisory.

The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain.

Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organizations globally. This includes those organization’s involved with COVID-19 vaccine development. WellMess and WellMail have not previously been publicly associated to APT29.

Blogs to Follow:

NCSC.gov.uk; Gov.UK (July 2020) Advisory: APT29 targets COVID-19 vaccine development; UK condemns Russian Intelligence Services over vaccine cyber attacks

CISA RELEASES NEW STRATEGY TO IMPROVE INDUSTRIAL CONTROL SYSTEM CYBERSECURITY

The Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to strengthen and unify industrial control systems (ICS) cybersecurity for a more aligned, proactive and collaborative approach to protect the essential services Americans use every day.


The Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to strengthen and unify industrial control systems (ICS) cybersecurity for a more aligned, proactive and collaborative approach to protect the essential services Americans use every day.

The strategy, Securing Industrial Control Systems: “A Unified Initiative is intended to help architects, owners and operators, vendors, integrators, researchers, and others in the ICS community build capabilities that lead to more secure ICS operations”.

Ultimately, it strives to move CISA and the ICS community beyond reactive measures to a more proactive ICS security focus.

“In recent years, we have seen industrial control systems around the world become a target for an increasing number of capable, imaginative adversaries aiming to disrupt essential services,” said Christopher Krebs, Director of CISA. “As attackers continue trying to exploit vulnerabilities in ICS, we need to make sure we’re staying ahead of them. Together with our partners in the ICS industry and the security community, this strategy will lead us to new, unified initiatives and security capabilities that will markedly improve the way we defend and secure ICS.”

Although ICS owners and operators manage their own security, CISA’s mission is to assist through delivery of a broad portfolio of ICS security products and services, especially when exploitation may threaten people or property or undermines confidence in critical infrastructure safety and reliability.

The CISA ICS initiative is a five-year plan that builds on the collaborative work already done and the existing support CISA provides to the community.

It also elevates ICS security as a priority within CISA, coalescing CISA’s organizational attention around the implementation of a unified, “One CISA” strategy.

The initiative organizes our efforts around four guiding pillars:

Pillar 1: Ask more of the ICS Community, deliver more to them.

Pillar 2: Develop and utilize technology to mature collective ICS cyber defense.

Pillar 3: Build “deep data” capabilities to analyze and deliver information that the ICS community can use to disrupt the ICS cyber kill chain.

Pillar 4: Enable informed and proactive security investments by understanding and anticipating ICS risk.

The CISA ICS Strategy can be found at www.cisa.gov/ICS.

Blogs to Follow:

Cisa.gov (July 2020) CISA RELEASES NEW STRATEGY TO IMPROVE INDUSTRIAL CONTROL SYSTEM CYBERSECURITY