By April 2021, Islamic State Mozambique Province (ISMP, also known as al-Shabaab or Ansar al-Sunnah) had reached the zenith of its territorial expanse. Following years of kidnappings, raids, and escalating offensives, the group had seized key towns and transport routes across Mozambique’s Cabo Delgado province. That month, ISMP’s assault on Palma, a town near a US $20 billion international liquefied natural gas operation, forced the project’s suspension and the evacuation of hundreds of personnel.
By July 2021, Mozambique, Rwanda, and other international partners had launched a counterinsurgency campaign that degraded ISMP’s territorial holdings, reducing its fighting capacity by roughly 90 percent. By conventional standards, the campaign achieved important successes, with ISMP losing control over key revenue streams, its ability to amass fighters disrupted, and its territorial footprint pushed back. Moreover, the United States, the European Union and others issued sanctions against the organisation. Additional sanctions targeted core leadership figures, including Tanzanian national Abu Yasir Hasan (aka Sheikh Hasan) and Mozambican national Bonomade Machude Omar (aka Ibn Omar), who was reportedly killed in a 2023 battle with Mozambican forces.
Yet the group did not collapse. Recent reporting suggests that ISMP activity is increasing, with conflict-related deaths in northern Mozambique up 51 percent in 2025. Moreover, a January report by Armed Conflict and Event Location Data (ACLED) notes that ISMP has been expanding its revenue and operating capacity through ransom-taking, mobile-money-enabled payments, mining-site extortion, weapons seizures, and regional facilitation networks. This raises the question: why has ISMP continued to regenerate after years of sustained military and sanctions pressure?
The answer is not simply that these measures failed. The deeper problem is that the applied pressure targeted ISMP’s fighters, territory, and leadership figures, while its regeneration depended on a different capacity: a digital trust network operating across propaganda, finance, and transnational facilitation layers.
The Islamic State’s online ecosystem is therefore not merely a messaging apparatus, but a networked infrastructure functioning as a recognition layer that keeps distributed actors aligned under a shared organisational identity. In this model, propaganda preserves the banner; the banner sustains trust; trust enables distributed financial adaptation; and financial adaptation restores operational capacity. This Insight applies that framework to ISMP as a granular case study, showing how online recognition, trust-node formation, and distributed financial adaptation can help an Islamic State affiliate regenerate after territorial disruption.
From Territorial Disruption to Distributed Resilience
After counterinsurgency pressures began in 2021, ISMP made media production and propaganda validation more central to its operations. Prior to this, ISMP’s coherence was rooted more heavily in territorial control, smuggling corridors, and kinetic activity across Cabo Delgado. Once militarised operations disrupted that spatial substrate, the group increasingly depended on the global Islamic State propaganda ecosystem to preserve visibility, validate attacks, and maintain coherence among dispersed actors operating under the same banner.
This media-based adaptation increased the importance of trust nodes. Although Islamic State-linked media remains present on Facebook, Instagram, TikTok, and X, moderation has pushed much of the mainstream ecosystem toward an outer layer of redirect pathways. In this way, mainstream platforms often serve as a discovery layer, exposing users to fragments of content, supporter accounts, or coded references. The deeper trust architecture forms across less accessible and less moderated channels on platforms such as Telegram, Rocket.Chat, Element, online archival sites, and Google Drive repositories. There, access depends less on discovery than on trusted navigation: users must rely on trusted nodes for access to links, channels, files, accounts, and distribution pathways after takedowns, suspensions, or migration.
The Mozambique case reflects a shift in priority toward this online ecosystem. A 2024 report published by the Hudson Institute found that global Islamic State social media outlets were initially slow to post about events in Mozambique, which the authors suggest indicated “limited communication between fighters on the ground and central coordinators.” By late 2023, however, the authors note that attack attributions from Mozambique were usually published within two days of occurrence, suggesting that ISMP’s connection to the global Islamic State media system had become more functional during the post-intervention period.
Hansen and Bary similarly show the extent to which ISMP became visible inside the global Islamic State propaganda ecosystem after the 2021 intervention. Between May 2022 and May 2023, ISMP received thirty-seven front-page articles in Al-Naba, the Islamic State’s online weekly news publication. Of the 208 Al-Naba articles carrying African themes during this period, roughly 20 percent focused on Mozambique. In March 2024, Caleb Weiss further noted that ISMP led global Islamic State affiliates by total media output by that point in the year. In this way, ISMP became significantly more visible in the online space despite the severe degradation of its local operational capacity.
The results of this online expansion are tangible, with the recruitment of regional and global fighters into ISMP ranks demonstrating the reach of the group’s media footprint. A March 2024 report from the Soufan Center noted that the group had attracted fighters from across much of Africa, including the DRC, Kenya, Rwanda, South Africa, and Tanzania. In May, a French court convicted six men who attempted to travel to Mozambique with the stated intention of joining ISMP, highlighting the group’s global visibility. These recruitment patterns show that ISMP’s trust-based online ecosystem does not merely broadcast narratives, but also makes the group legible to dispersed audiences as a viable destination.
Taken together, these indicators suggest that ISMP’s post-2021 adaptation cannot be understood primarily through military or territorial metrics. As counterinsurgency pressure fragmented the group’s operating environment, propaganda became part of the infrastructure through which ISMP remained recognisable, validated, and operationally coherent. Its media footprint helped build and maintain the trust nodes needed for dispersed actors to continue operating as part of the same Islamic State project.

Figure 1. Issue 365 of al-Naba featured an editorial celebrating the founding, history, and current activities of the ISMP in November, 2022.

Figure 2. An infographic by pro-IS media outlet Halummu from 2022, showing ISMP’s resilience despite counterinsurgency efforts at the time.

Figure 3. Another infographic from 2022, with largely similar content as above, but produced in Arabic.
Financial and Operational Resilience
ISMP’s post-2021 revenue model is a distributed system of local coercion made resilient by a shared online recognition ecosystem. The group generates value through roadblock extortion, mobile-money payments, mining-site pressure, timber and mineral flows, weapons seizures, cash-out collaborators, and broader facilitation pathways. Local trust, weak identity controls, mobile money, and regional facilitation explain how value moves; the online ecosystem keeps scattered coercive acts, payment chains, resource sales, and operational outputs coherent as Islamic State activity.
Ransom activity illustrates this model. Payments move through mobile-money services such as M-PESA, e-Mola, and mKesh, with victims instructed to transfer funds to accounts controlled by ISMP collaborators in urban areas. Reports indicate that ISMP has targeted buses and commercial vehicles on the N380, where passengers can quickly raise payments through mobile-money accounts, generating ransoms of up to US $600 per passenger. Zitamar News reported that such payments are enabled by weak know-your-customer (KYC) protocols, fake identities, and cash withdrawals without proof of identity. This chain separates the coercive actor, account holder, cash-out collaborator, and ultimate recipient.
Royal United Services Institute (RUSI) fieldwork reinforces the limits of transaction-led analysis. Payments to fighters’ family members were only legible once analysts identified sender-recipient relationships, while mobile-money operators also identified small, precise transfers that appeared to function as covert communications between insurgents. These findings illuminate partial mechanisms—kinship, coded transfers, weak KYC, and cash-out infrastructure—but not how dispersed financial, coercive, and facilitation actors remain part of a coherent insurgency. In a system spanning roadblocks in Cabo Delgado, urban cash-out points, cross-border corridors through Tanzania and South Africa, and recruitment networks reaching as far as Europe, in-person or kinship-based coordination alone cannot explain ISMP’s financial continuity. The online ecosystem is therefore the clearest explanation for how separated actors continue to treat these activities as valid parts of the same Islamic State project.
A 2025 African Security Analysis report, citing Mozambique’s financial intelligence unit, estimated that ISMP moved roughly US $7 million through fragmented deposits, structured withdrawals, and layered banking and mobile-money transfers between 2017 and 2024, involving mobile-money agents, traders, cash withdrawals, public-sector conduits, and cross-border corridors. This scale and diversity make clear that ISMP’s financial system cannot be reduced to kinship transfers or coded mobile-money signals. Those mechanisms help explain how some values and messages move; they do not explain how a geographically dispersed system of coercion, cash-out infrastructure, resource conversion, and regional facilitation remains connected to the Islamic State project under sustained pressure.
The same logic applies to resource extraction and battlefield resourcing. ISMP has increased pressure around artisanal gold and gemstone mining, including forced contributions and demands for access to resources. Authorities estimate the group has generated US $30 million from pilfered ruby sales alone, suggesting that the US $7 million in identified banking and mobile-money flows captures only a conservative slice of a wider value-conversion system. ACLED notes that there is no evidence that ISMP directly controls mining operations, pointing instead to distributed value conversion rather than formal extractive administration. Weapons seizures close the loop: captured materiel reduces procurement needs, while Islamic State media converts battlefield resourcing into proof of capability.
External connectivity is what turns this local adaptation into a wider risk. Islamic State funding to Mozambique has historically flowed through the Somalia-based al-Karrar office, using hawala services, physical cash deliveries from South Africa and Tanzania, and mobile-money transfers to support ISMP’s local operations. This places ISMP’s revenue adaptation inside a regional financial architecture dependent on trusted brokers, couriers, transfer channels, and recognition from the wider movement.
That architecture matters because Cabo Delgado’s gold and gemstone deposits, rare timbers, hydrocarbon investment, and on- and offshore smuggling routes create significant revenue opportunities for a group already expanding through local illicit economies. ACLED notes that ISMP may no longer rely as heavily on external IS support, raising the possibility that it could evolve from a recipient node into a contributor to the global IS project. The shift would invert the conventional affiliate model: ISMP would no longer be understood mainly as a peripheral branch requiring external support, but as a resource-rich node capable of generating value for wider Islamic State networks through al-Karrar-linked or successor facilitation structures.
ISMP’s propaganda ecosystem, therefore, sits upstream of the transaction. It need not carry every payment, signal, or instruction directly; it preserves the recognition layer through which payments, routes, accounts, resource claims, weapons seizures, and coercive actions remain intelligible as Islamic State activity. In this model, propaganda sustains recognition; recognition sustains trust; trust enables distributed finance; and distributed finance restores operational capacity.
Figure 4. ISMP fighters pose with captured weapons, munitions and explosives in July 2022. The image contains the IS media watermark and other elements used to authenticate content within the movement’s online ecosystem at the bottom.
Figure 5. ISMP militants pose with rocket-propelled grenade launchers and their black standard in July-August, 2023. The image contains the same IS media watermark and other elements used to preserve consistent branding across the global media ecosystem.
Recommendations
First, authorities should distinguish mapping thresholds from enforcement thresholds. ISMP-related financial infrastructure should not be mapped only after a suspicious transaction, designation, or request for private data. Analysts should begin with open-source and platform-visible indicators: propaganda archives, channel migration, claim timing, route references, broker mentions, donation language, account reuse, and recurring facilitation signals. These indicators may not be actionable on their own, but they can build structured confidence around where trust nodes, payment pathways, and regional facilitation are forming.
Second, platforms, FIUs, and counterterrorism analysts should use these open-source indicators to construct AI-assisted trust-node maps before seeking more intrusive data access. FIU outputs – suspicious transaction reports, mobile-money anomalies, structured withdrawals, account churn, coded transfers, and cash-out points – should be compared against observable online behaviour. Where the same corridors, actors, accounts, or facilitation routes recur across both environments, they should be treated as pre-transactional indicators of network resilience rather than coincidental overlap.
Third, this model should operate within existing legal frameworks rather than bypass them. Under rights-based regimes such as GDPR, behavioural risk mapping should be structured around necessity, proportionality, data minimisation, human review, and clear purpose limitation. The point is not to treat behavioural analytics as a shortcut to enforcement, but to use corroborated, lower-intrusion indicators to justify whether further access, lawful sharing, FIU escalation, or network-level disruption is warranted.
Fourth, Mozambique’s mobile-money vulnerabilities should be treated as operational chokepoints. Weak KYC protocols, fake identities, and cash withdrawals without proof of identity allow coercive actors, account holders, and cash-out recipients to remain separated across jurisdictions. Mozambican regulators and relevant regional partners should focus on KYC floor requirements for mobile-money agents in Cabo Delgado and adjacent provinces, reporting thresholds for structured withdrawals, and SADC-region FIU coordination around flows through Tanzania and South Africa.
Finally, authorities should monitor how al-Karrar-linked facilitation adapts after pressure or disruption. When pressure falls on a facilitation node or its operating environment, the network must often reconstitute through new brokers, corridors, account clusters, and authentication channels. Those replacement patterns can reveal more than a single transfer, post, or account. Recurring overlap between online recognition, behavioural signals, cash-out infrastructure, and regional facilitation should therefore be treated as evidence of successor-node formation.
—
Adam Rousselle is a researcher focused on threat finance, weapons technology, macroeconomics, and geopolitics. His work has been cited by the Financial Action Task Force (FATF), the United States Senate, the U.S. Department of Defence, the United Nations, and leading policy journals. He has been published by GNET, the Hudson Institute, Nikkei Asia, Small Wars Journal, the New Lines Institute, the Jamestown Foundation, and The Diplomat, and is the founder of www.btl-research.com.
—
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.