Reassessing the Financing of Terrorism in 2025

Introduction and Summary

This Insights Paper is based on a June 2025 workshop held in Brussels to assess the status of terrorist financing (TF) activity and the response of both private and public sectors to a developing TF environment. Key elements of the discussion included:

• The evolving use of virtual assets by terrorist actors and the implications for detection and regulation.
• The exploitation of emerging sectors such as online crowdfunding and online gaming for fundraising purposes.
• The integration of TF into broader hybrid threats, including sabotage, espionage, subversion and organised crime.
• Opportunities to strengthen public–private cooperation and cross-sector intelligence sharing.

Background

The financing of terrorism presents a complex and rapidly evolving threat landscape. Terrorist groups continue to develop new methods of raising, moving, storing and spending funds by exploiting financial infrastructure gaps, regulatory inconsistencies and technological innovation. While traditional channels such as the use of cash, the use of hawala and the abuse of non-profit organisations remain, the increasing accessibility of digital tools and platforms has broadened the range of available financing techniques.

Developments in virtual assets, crowdfunding platforms, instant payments and online gaming have introduced new value transfer mechanisms. These developments operate at speeds and through systems that often outpace regulatory and compliance capabilities, straining the capacity of both public authorities and financial institutions to identify and address TF effectively.

Many jurisdictions have not yet developed the technical or legal infrastructure needed to monitor or disrupt complex cross-border financial flows. As several participants noted, private sector actors, particularly in emerging technologies, may lack both the compliance maturity and investigative capacity required to assess risk without sufficient guidance from public authorities and regulators. As a result, financial intelligence is not always converted into operational intelligence in a timely manner. Both European Commission (EC) President Ursula von der Leyen's Political Guidelines for 2024-2029 and the 2025 European Internal Security Strategy highlighted TF as a priority area. Yet – as previous work from the Centre for Finance and Security (CFS) at RUSI has highlighted – responses to TF often lag, moving ‘from crisis to crisis’. It is time to reassess and update the approaches taken to combat TF by both public and private sectors to reflect the hybrid nature of modern threats, the speed of technological change, and the need for enhanced information sharing frameworks.

Furthermore, NATO recognises terrorism as the most direct asymmetric threat to the security of the citizens of its member states and to international stability. As part of its strategic priorities, NATO has emphasised the importance of understanding how emerging technologies influence terrorist threats, including their role in financing. According to the NATO Policy Guidelines on Counter-Terrorism, NATO coordinates and consolidates its counter-terrorism efforts around three main pillars: ‘awareness’, ‘capabilities and preparedness’, and ‘engagement and cooperation’. These priorities form the foundation of the objectives of CFS’s Project CRAAFT, with the discussion of TF in the context of evolving technologies and hybrid threats reflecting NATO’s focus, as outlined at the workshop, on strengthening early threat detection, building cross-sector resilience and fostering cooperation between public and private sector stakeholders across NATO member and partner countries.

Methodology

Against this background, CFS held a roundtable discussion in Brussels in June 2025, which brought together a diverse set of stakeholders to assess recent developments in TF. Participants included academics and representatives from law enforcement agencies, the traditional banking sector, fintech firms, data providers, crypto exchanges and blockchain analytics companies. The discussion focused on the ways in which terrorist groups continue to adapt their financial activity to exploit new technologies and regulatory gaps, as well as the response needed across public and private sectors to respond to the evolving threat landscape more effectively. The event was funded by the NATO Science for Peace and Security Programme. None of the discussions at the event are attributable and unless otherwise noted, statements made in this paper are based on points raised by participants at the workshop.

Traditional Banking and Emerging Fintech

Traditional banking channels continue to play a significant role in TF. Participants agreed that terrorist groups still rely on bank accounts, cash withdrawals and international transfers to support their activities. TF networks have not abandoned these methods but have instead adapted to exploit them in combination with emerging technologies. Hybrid typologies have thus evolved, blending elements of cash, traditional banking, fintech, crypto assets and trade-based TF.

Fintech has transformed the way financial services are accessed and delivered. While these developments bring benefits to consumers, they also create vulnerabilities that can be exploited for TF. The speed of transactions enabled by fintech firms further challenges CTF efforts. Many fintech firms allow near-instant transfers across borders, currencies and platforms, where real-time screening becomes difficult and funds can be moved and withdrawn before red flags are identified. As a participant pointed out, instant payments do not allow for meaningful intervention before transactions are processed; financial institutions may only detect the issue during post-transaction monitoring, at which point recovery is no longer possible. Terrorist actors can exploit this speed by structuring transactions to fall below detection thresholds and by spreading activity across multiple accounts.

Financial institutions may struggle to identify these flows because the activity often resembles legitimate commerce. Representatives from the banking sector explained that transactions may involve entities that appear to trade in products or services but are in fact engaged in illicit transfers. They also noted that investigators reviewing counterparties have found company websites that are inactive or display inconsistencies, suggesting that the front business is not operational. In some cases, the value of products purchased does not match the funds transferred. This pattern indicates the potential use of online marketing or e-commerce as a cover for TF. However, without indicators linked to individuals or destination jurisdictions, financial institutions may not flag such activity as suspicious.

Another challenge identified by participants is the difference between money laundering and TF in terms of legal and operational identification. While money laundering generally involves criminal proceeds, TF can involve funds from licit sources. This makes detection more difficult, as financial indicators alone are not always sufficient. Investigators must identify the intended use of funds or establish a link to designated individuals or entities. In jurisdictions where the burden of proof is high, successful prosecution of TF cases remains limited. Even with access to tracing tools and advanced analytics, financial investigators require intelligence support, inter-agency cooperation and legal frameworks that enable proactive rather than reactive responses. The overlap with sanctions evasion and other financial crimes further complicates case management and may require multidisciplinary investigation teams.

Representatives from the fintech sector noted that virtual International Bank Account Numbers (IBANs) introduce further complexity. A single legal entity may hold one physical bank account while managing multiple virtual IBANs issued to their customers. These identifiers can be used to collect and distribute funds across networks that operate in different jurisdictions and under varied compliance standards. Without full visibility into the chain of transactions, financial institutions may lose oversight of the funds' origin and destination. This is especially true where firms lower in the chain have limited know-your-customer protocols. Participants added that virtual IBAN reconciliation tools exist, but the effectiveness of these tools depends on stronger private-private cooperation and the maturity of each firm’s compliance framework.

This risk assessment is based not only on technical capability but also on cultural and operational priorities. The broader fintech sector presents challenges in terms of governance and risk appetite, with some firms prioritising customer growth and market penetration, with less emphasis on building robust compliance programmes. The recent fines imposed on Starling Bank and Monzo serve as examples of this pattern. This creates gaps in risk assessment and due diligence. Participants emphasised that cooperation between fintech firms, banks and regulators varies widely. This lack of standardisation leads to inconsistencies in data sharing, and limits the ability of authorities to build a complete picture of the threat.

Virtual Assets

Virtual assets have become increasingly prominent in TF initiatives, as terrorist actors continue to explore new avenues to evade regulatory oversight and conceal their financial operations. Participants highlighted that cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH) and Monero (XMR), as well as stablecoins like Tether (USDT), have been used by terrorist entities to raise, store and transfer funds.

These tools are attractive for users – as well as terrorist financiers – due to their speed, perceived anonymity and accessibility in regions with unstable banking sectors. For example, representatives from the crypto industry explained that Tether, particularly on the Tron blockchain, has gained popularity among donors in jurisdictions facing currency collapse or limited access to banking services.

The cases discussed by participants presented a significant geographic spread:

• In March 2025, the US Department of Justice disrupted a Hamas crypto-financing network that solicited donations reaching $1.5 million via at least 17 cryptocurrency addresses shared in encrypted messaging groups and on the Al-Qassam Brigades’ website. The US seized approximately $200,000 in USDT.
• Islamic State – Khorasan Province (ISKP) also received crypto funds supporting recruitment and operations, including a $1,700 donation in June 2024 linked to a failed plot in Germany.
• A pro-Islamic State (IS) campaign in Tajikistan received around $2 million in USDT on the Tron network in 2022.
• The Indonesian extremist groups Mujahidin Indonesian Timur and Jemaah Islamiyah now use crypto and fintech for covert domestic and cross-border funding, replacing traditional Zakat mechanisms. (Zakat is a charitable contribution mandated by Islam, requiring Muslims to donate 2.5% of their wealth to those in need.) Additionally, Indonesian exchanges were used to transfer over $517,000 in USDT through pro-IS channels in 2022; these exchanges were later sanctioned by the US.

This shift has challenged the effectiveness of existing CTF tools, according to roundtable participants. Unlike traditional bank transactions, which allow for due diligence and the possibility of freezing funds, transactions involving virtual assets are decentralised, rapid and irreversible. Furthermore, representatives of blockchain analytics companies at the roundtable also observed a trend away from publicly traceable cryptocurrencies like Bitcoin, toward more privacy-focused options like Monero. Once funds have been transferred using privacy coins like Monero, or routed through a mixer (which mix together funds from multiple users to keep transactions private), their trail becomes difficult to follow.

This increased sophistication, participants emphasised, is the result of the efforts by terrorist groups to adapt their techniques in response to enhanced enforcement measures, resorting even to hiring external blockchain experts or expanding their in-house technical capabilities to guide their operations and reduce exposure. As noted by private sector analysts and regulatory authorities, terrorist actors often operate below thresholds that would typically trigger red flags in traditional anti-money laundering controls. In addition, the use of layered networks of wallet addresses and intermediary exchanges allows funds to be quickly obscured or integrated into licit flows.

The UN Security Council has also noted that the boundaries between methods are fluid and terrorist actors will use whatever mechanism is most efficient and least detectable, switching between channels as necessary. This flexibility undermines the effectiveness of controls that focus on any single vector. An example shared by participants, as highlighted by recent publications from the Financial Action Task Force (FATF) and Europol, was digital hawala. Hawala facilitates cross-border transfers without involving the formal financial sector. Hawaladars now move funds through both cash and crypto, depending on the need and location, further obfuscating the financial flow.

Blockchain analytics tools can support investigations by identifying links between wallet addresses and known entities. However, a participant from a blockchain tracing company emphasised that this capability depends heavily on access to off-chain data such as account registration information, IP addresses and platform transaction histories. Without cooperation from service providers or authorities, investigators from both public and private sectors may only see a fragmented picture. Furthermore, the ability to trace transactions on public blockchains like Bitcoin does not extend to privacy-enhancing technologies. Monero, for instance, uses ring signatures and stealth addresses, making its transactions effectively untraceable with current tools. While some platforms such as Binance have discontinued support for Monero, others continue to allow such coins, creating inconsistencies in detection and enforcement worldwide.

The FATF recommendations on virtual assets, and specifically Recommendation 15 on new technologies, have not yet been fully implementedacross all jurisdictions, leaving significant regulatory gaps. These conditions have allowed terrorist actors to exploit digital platforms for fundraising and value transfer while remaining largely undetected, underscoring the urgent need for enhanced regulatory alignment, technology-informed supervision and real-time information exchange.

Online Crowdfunding

Crowdfunding has for some time been a common TF methodology, often through requests for donations under the guise of legitimate humanitarian non-profit organisations (NPOs). Online crowdfunding platforms have emerged as key enablers of TF by enabling the replication and expansion of traditional NPO abuse into the digital space. Participants linked the risks related to online crowdfunding to the growing use of cryptocurrencies in TF. The acceptance of virtual assets on many crowdfunding sites allows actors to bypass conventional financial channels and exploit weak onboarding and due diligence standards. FATF has highlighted that many of these platforms now facilitate campaign-based fundraising with the same opacity and flexibility once associated with informal networks.

Participants noted that Hamas expanded its crowdfunding activities after the 7 October 2023 attack. Gaza Now reportedly received nearly $4.5 million in crypto donations via social media, which resulted in the organisation being sanctioned by the US and UK and blacklisted by Tether. The US recently sanctioned another five Hamas-linked NGOs in 2025 for channelling funds and disguising them as humanitarian aid. The UN Security Council has also confirmed that ISKP has shifted away from generating revenue by abduction and extortion and towards fundraising through donations – predominantly using cryptocurrencies for transfers in the tens of thousands of dollars.

However, participants highlighted that this trend spreads across ideologies; right-wing extremist organisations have also engaged in online crowdfunding campaigns. For example, the campaign by Martin Sellner, leader of the Identitarian Movement of Austria, raised almost €10,000 as financial support for a court case through the crowdfunding platform GoGetFunding.

As described by the US Treasury, online crowdfunding combines TF vulnerabilities in relation to the overlap of social media, encrypted messaging platforms, peer-to-peer payments, virtual assets and digitally enabled fundraising platforms. Participants indicated that messaging apps such as Telegram and WhatsApp are used to circulate wallet addresses and direct donors to active campaigns. Participants also emphasised that some groups operate with internal blockchain expertise, enabling them to bypass regulated exchanges entirely. This autonomy allows for greater control over fundraising flows and complicates attribution. Frequent wallet replacement, supported by external expert guidance and the short lifecycle of campaigns, further reduce the effectiveness of monitoring tools and reporting mechanisms.

These developments shift the traditional focus on the non-profit sector into a new hybrid domain. While the exposure of certain NPOs to TF has long been labelled as high-risk, the online environment introduces scale, speed and decentralisation that existing regulatory frameworks have not yet addressed. Blockchain analytics tools may identify suspicious clusters, but linking those patterns to a terrorist purpose once again requires off-chain context, including campaign metadata and platform cooperation, often escaping standard transaction monitoring and falling outside suspicious transaction reporting thresholds.

Online Gaming

Terrorist groups have also expanded their financial activity into the online gaming ecosystem. Participants explained that some terrorist and extremist actors have created bespoke games or game modifications to serve as fundraising tools. These games may carry ideological content or features to generate advertising revenue or solicit donations. Participants noted that while most efforts do not generate large sums, the low risk and decentralised nature of these campaigns make them appealing to actors who wish to avoid detection.

Gaming-adjacent platforms and livestreaming platforms represent another under-regulated area of concern. Individuals aligned with terrorist or extremist causes may use livestreams to solicit donations, either directly through platform features or via linked payment providers. Participants noted that some streamers openly express extremist views, while others avoid explicit content to prevent account suspension. Therefore, these streams may appear innocuous or unrelated to terrorism, which hinders the ability of platforms to act.

In-game economies also offer decentralised and loosely regulated value transfer mechanisms. Some actors have exploited the capacity to conduct micro-transactions and use gaming currencies to move or store value, but participants clarified that this typology is mostly used for money laundering. Participants explained that players can trade digital goods such as ‘skins’ or in-game currency across platforms, with transactions often processed through third-party markets. In one example, the developer of Counter-Strike, Valve, faced scrutiny over the high volume of suspicious activity linked to the resale of virtual goods, and admitted that ‘nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced’. Although most transactions are low-value, the aggregate volume can reach substantial figures, with individual cases mentioned by participants having raised up to $300,000 through the exploitation of in-game assets and payment structures.

This activity is difficult to monitor due to the absence of financial institution oversight and the often-anonymous nature of video games. Participants found that voice and video communication features in games further complicate detection. Gaming-adjacent platforms or in-game chat functions allow for real-time communication between users, but these channels are often encrypted and not recorded, so investigators are unable to retrieve voice logs for analysis. This limits the ability of law enforcement to understand how operational instructions or financial details are exchanged. AI tools for voice moderation are being introduced in some major games and platforms but have not yet achieved deployment at a meaningful scale. As a result, in-game communications remain an unchecked vector for planning, recruitment and fundraising coordination. This lack of visibility contrasts with the increasing use of the gaming environment by actors engaged in extremist or terrorist activities.

Finally, participants added that the link between the funding and its end use is often difficult to prove. Payment processors and platforms may not report transactions due to unclear regulatory obligations. Suspicious transaction reports are rarely submitted for gaming- or streaming-related activity, as the link to terrorism is usually not apparent in financial data alone. This results in a gap in the detection chain that is exploited by terrorist actors who understand how to conceal their funding methods in plain sight.

Emerging Hybrid Threats

TF increasingly intersects with broader hybrid threats. These threats, as explained by participants, often include espionage, sabotage, subversion and organised crime. NATO identifies Russia as the most significant and direct threat to Euro-Atlantic security; an area of increasing concern is Russia’s sabotage activity on Allied territory, especially in states that share a border with Russia. Participants noted that the Russian invasion of Ukraine and related activity by the GRU have highlighted the convergence of financial crime with state-linked covert operations. In this environment, financial transactions used to fund sabotage operations may appear similar to those linked to terrorist attacks. Some jurisdictions do not classify sabotage under the terrorism framework, which limits the mandate of agencies like Europol and hinders coordination. Efforts to reframe such activities under the category of hybrid threats aim to address this gap, but operational definitions and legal powers remain inconsistent.

Jurisdictions such as Lithuania have revised their national threat assessments to include Russian sabotage and have even linked it in some cases to TF. These assessments have moved beyond traditional threat models to incorporate new hybrid threats, such as financial flows linked to infrastructure attacks or information warfare. This shift reflects the growing need to identify TF that may not involve physical attacks or overt violence but still aims to destabilise states and societies. Participants added that financial flows into digital propaganda infrastructure, for example, can support radicalisation and recruitment without triggering traditional TF indicators.

However, the legal environment in many jurisdictions continues to limit effective cooperation, including across NATO and EU member states. Representatives from the public sector noted that many law enforcement agencies lack the legal authority to access information collected by intelligence services, further limited by a narrow definition of TF. This restricts the development of actionable cases, even when financial intelligence exists. Data protection rules and the classification of information also limit information sharing both within government and across public and private sectors. Participants agreed that these structural constraints must be addressed through legal reform and updated guidance that reflects the changing nature of the threat. Coordination between national data protection authorities, regulators and investigative bodies is necessary to ensure that CTF responses are both lawful and effective.

Participants added that efforts to improve financial supervision must include both preventive and responsive measures. Supervisory bodies need to update their risk assessments and provide timely guidance to financial institutions, including fintech firms and virtual asset service providers, although participants noted that some bodies have struggled to issue guidance on risks associated with emerging threats, such as hybrid attacks or digital propaganda financing. This reflects a gap between supervisory mandates and investigative capacity. In cases described by participants, central banks oversee compliance frameworks but do not engage in enforcement or case development. Risk-based supervision should be informed by feedback from both frontline investigators and reporting entities. Public–private partnerships and outreach can help address this gap, but institutional coordination must improve.

Public–Private Partnerships

CTF efforts depend on timely and accurate information sharing between public and private sector actors. No single organisation has full visibility over TF networks, especially when these networks cross jurisdictions and operate across multiple platforms. Financial institutions, fintech firms, blockchain companies and law enforcement agencies each hold pieces of the picture. Bringing these pieces together requires structured cooperation and a shared understanding of risk. Some initiatives have sought to address this fragmentation. For example, participants noted that Tether, Tron and TRM Labs have partnered to develop a platform focused on identifying threats linked to the use of virtual assets.

The need for context and further information to identify suspicious transactions has led to the development of forums and taskforces that bring together operational and analytical expertise. Europol launched the Terrorist Identification Task Force (TITF) in 2019, the mandate of which includes cases involving the misuse of virtual assets. Participants explained that the TITF gathers law enforcement officers with investigative powers and invites participation from private sector actors. These private sector actors explained how their platforms operate and support the legal process when requests are made. The TITF provides insight into the capabilities and constraints of different actors, improving cross-sector understanding. This model offers a useful example of how structured public–private cooperation can enhance detection and attribution of TF cases.

Other national models also demonstrate the importance of collaboration. In the Netherlands, the Financial Intelligence Unit (FIU) holds regular meetings with financial institutions, which include discussions on the trends in crypto-related activity and TF flows. These meetings provide a two-way channel for information exchange. As Dutch participants explained, institutions are encouraged to share anomalies and raise concerns, while the FIU can use this feedback to refine typologies and risk indicators. This form of engagement aims to support proactive detection rather than post-incident analysis. Financial institutions also benefit from clearer guidance and a better understanding of how their data contributes to broader national and international efforts.

Participants from both public and private sectors agreed that capacity-building should remain a key priority. Financial investigators must receive the tools and training needed to detect and investigate complex TF cases. This includes understanding how to use blockchain analytics, recognising hybrid typologies and navigating legal frameworks that vary by jurisdiction. While some investigators are well-equipped, others operate without the necessary resources or support. Training programmes, such as those delivered by the EC’s financial investigator network, play an important role in addressing this gap. However, participants emphasised that training must be regular and tailored to evolving threats.

Conclusion

The financing of terrorism in 2025 reflects a fluid and decentralised threat environment. Terrorist actors have diversified their financial methods by exploiting virtual assets, online crowdfunding, fintech platforms and online gaming, while continuing to use traditional tools such as hawala networks and cash. These actors operate across borders, often outside competent jurisdictions, and adapt quickly to enforcement and regulatory developments.

As indicated by participants in the June 2025 workshop in Brussels, regulatory frameworks, supervisory approaches and investigative practices have not yet fully adapted to the speed and complexity of modern TF. Gaps in public–private cooperation, legal constraints on data access and limited capacity across institutions hinder effective responses. Hybrid threats, including sabotage and sanctions evasion, further blur the lines between different forms of financial crime.

To meet these challenges, the CTF community must expand its collaborative efforts, update risk models and strengthen the link between financial intelligence and operational action. A multidisciplinary, intelligence-led and forward-looking approach is necessary to detect and disrupt TF in this evolving landscape.