
Online Extremist Funding Campaigns: COVID-19 and Beyond

24th August 2020 Chelsea Daymon

On 5 August 2020 the United States District Court for the District of Columbia filed a criminal complaint for forfeiture in a civil action against defendant properties (in rem). These include a website and four Facebook accounts allegedly associated with Islamic State (IS) fundraising. Although racketeering and extortion are not new to IS, what is noteworthy about this case is its linkage with the Coronavirus (COVID-19).

Since the beginning of the pandemic, IS and extremist movements across multiple spectrums have used COVID-19 to their advantage, whether to enhance narratives and goals, promote conspiracy theories, or wage attacks while countries and security forces deal with restrictions and burdens caused by the pandemic. In online environments, IS and its supporters have used COVID-19 as a communication tool to promote themes and narratives and offer advice to supporters, while dehumanising their perceived enemies. However, the criminal complaint marks a new turn in IS’s exploitation of the pandemic, with elements of the group actively running a personal protective equipment (PPE) scam. As the U.S. Department of Justice shows, COVID-19 fraud has become a major issue worldwide.

FaceMaskCenter.com (see Figure 1), now seized by U.S. law enforcement (see Figure 2), claimed to sell hard-to-find, FDA-approved PPE, such as N95 masks, goggles, gloves, Tyvek suits, and other protective gear. The four Facebook accounts involved in the criminal complaint promoted the website, run by so-called experts in hygiene. The website also claimed to have been founded in 1996 when, in actuality, the domain was registered on 26 February 2020 (see Figure 3).

Figure 1: Homepage of FaceMaskCenter.com

Source: U.S. Department of Justice

Figure 2: Seizure notice of FaceMaskCenter.com

Figure 3: Domain information for FaceMaskCenter.com

Source: ICANN Lookup

According to the criminal complaint, the defendant properties subject to seizure and forfeiture are linked to a known IS facilitator using the alias Murat Cakar. The complaint lists Cakar as a manager of a number of IS hacking operations and as having received $100,000 from an American by the name of Zoobia Shahnaz, who in 2018 pleaded guilty to laundering money for IS through bitcoin and other cryptocurrencies.

The criminal complaint does not state whether purchases from the website were delivered to buyers; however, it does note that N95 masks sold on the site were produced in Turkey and not approved by the Food and Drug Administration or the National Institute for Occupational Safety and Health (FDA/NIOSH). Additionally, the complaint highlights that when a U.S. customer contacted the website to purchase N95 masks and other PPE for emergency and healthcare facilities, a Syrian national in Turkey responded to the enquiry, claiming that the products were certified and that the company was able to provide 100,000 N95 masks. Further claims by FaceMaskCenter.com included being able to supply large quantities of Tyvek suits and other PPE under severe shortages, pointing to fraudulent activities.

While this case is interesting because of its links to COVID-19, it marks a bigger campaign by the United States Department of Justice (DOJ) to disrupt three different terrorist financing schemes, in what the DOJ claims to be the largest appropriation of cryptocurrency in the context of terrorism. The two other schemes involve online efforts by the Izz al-Din al-Qassam Brigades (IQB), the military wing of Hamas, and another online operation linked to al-Qaeda (AQ) and jihadist affiliates, involving the use of bitcoin.

Bitcoin manages transactions using peer-to-peer technology employing blockchain, which utilises computer networks to maintain digital records allowing transactions to evade banks or other central authorities. As Brill and Keene argue, due to its purported anonymity, bitcoin has become a desired payment system for criminal networks, including those involved in terrorism.

The IQB campaign used social networking platforms, including Telegram, and three websites to request bitcoin donations for IQB fundraising efforts (see Figure 4). These websites also featured an instructional video on how to make anonymous contributions to IQB through bitcoin.

Figure 4: Image from the splash page of an Izz al-Din al-Qassam Brigades website

Offering instructional advice to supporters is a common element found in online content linked to terrorist and extremist groups. As Gabriel Weimann notes, videos and posts on various social networking sites offer advice on hacking techniques, along with the construction of explosive devices, while Alastair Reed and Haroro Ingram demonstrate the long history of instructional material in jihadist magazines, many of which are available online.

Pro-IS Telegram channels have shared an array of instructional material, much of which is recirculated or repurposed from AQ and other jihadist groups. This material includes advice on what Bennett Clifford describes as “low-tech attacks” involving vehicular assault, arson, and knife attacks, among other techniques; explosive construction; and cybersecurity and operational security (OPSEC) advice. Consequently, offering a video on the use of bitcoin would fall into the OPSEC category of informational material online. However, it is clear that the OPSEC advice offered through IQB’s bitcoin video was not up to par, because the ‘anonymous’ donations were traceable, allowing U.S. law enforcement to seize 150 cryptocurrency accounts laundering funds.

The AQ campaign also involved bitcoin money laundering using social networking platforms, including the encrypted messaging platform Telegram, to solicit donations. Some of these schemes were under the guise of so-called charities working to help the mujahidin (those who engage in jihad) of Syria. Similar appeals for charitable funds are also prevalent in online pro-IS channels and chats on multiple platforms.

One of the main fundraising issues found on pro-IS Telegram channels and other platforms favoured by the group and its supporters, like Hoop Messenger and Rocket.Chat, surrounds female detainees in internally displaced person (IDP) camps located in northern Syria and under the jurisdiction of the Syrian Democratic Forces (SDF). Numerous posts and channels are dedicated to sharing news, photos, and pleas from alleged “sisters” inside the camps, while also providing contact details to donate to female detainees and their families. “Justice for Sisters,” launched in 2019 and one of the more prominent campaigns to aid women in the al-Hol camp, is reported to have raised over €3,000 through several PayPal Money Pool accounts. Thus fundraising, whether through fraudulent or overt means, is a common feature found in online messaging of extremist groups.

What is important to note from all of these cases is that virtual environments and cryptocurrencies offer new ways for extremist groups to capitalise on willing, as well as unsuspecting, individuals. In the case of FaceMaskCenter.com, uncertified PPE was being sold, creating possible real-world harm to individuals purchasing products, while also unknowingly funding IS. Though not a new occurrence, these cases also display the use of multiple websites and social networking platforms to spread information and fundraising campaigns, offering insights on how centralised and decentralised networks utilise virtual environments for their communication efforts.

Even though the fundraising campaigns of IQB and AQ were fairly straightforward, with individuals knowing who they were donating to, one could argue that the FaceMaskCenter.com case is more nefarious, since it plays on people’s fears over PPE shortages due to the pandemic. Although it is inevitable that extremist groups and other criminal networks will continue using cryptocurrencies to fundraise, with groups like IS further capitalising on COVID-19 for their benefit, it is yet to be seen if the case of FaceMaskCenter.com is a singular occurrence, or if IS will attempt additional PPE scams as anxieties over a second wave of COVID-19 loom.