Over the past decade, terrorist organisations have repeatedly demonstrated their ability to adapt to disruption in the digital environment. As mainstream social media platforms, financial and tech companies have tightened enforcement against terrorist financing and propaganda, these actors have increasingly migrated towards alternative technologies, some with less oversight. While considerable attention has been given to cryptocurrency-linked fundraising and crowdfunding abuse on both conventional and encrypted messaging platforms, less attention has been paid to the problems generated by micropayments and digital goods ecosystems.
This Insight looks at how terrorist groups have begun to exploit in-app currencies and creator economy tools, as they look for alternative ways to fundraise and exploit under-moderated platforms. By examining a Hamas-linked Telegram channel and its use of Telegram Stars, along with tracing an ecosystem of al-Shabaab-linked Substack profiles, this Insight outlines how products not typically considered candidates for abuse are being exploited by these groups.
While the noted platform abuse remains limited in scope, the activity to date indicates resilience, with insufficient moderation. Once Telegram Stars are converted and redeemed off-platform, this becomes difficult to trace. Therefore, these methods are increasingly appealing to terrorist groups seeking new ways to exploit platform vulnerabilities, even as moderation improves and greater measures are implemented to counter the financing of terrorism. This Insight underscores the importance of factoring in alternative currencies and creator economies into any full-fledged counterterrorism plan.
Micropayments and Digital Goods: A Developing Threat
Micropayments are small transactions for digital goods, typically in cents or pennies, and are purchased as items on digital platforms. These virtual gifts or in-app currencies are common across many social media and gaming platforms, including but not limited to Telegram and Substack.
Transactions typically take place when users buy ‘premium content’ or wish to tip/reward a content creator, usually as a method of support.
Micropayments are not marketed as alternatives to traditional financial transaction services; for example, PayPal and similar money transfer platforms do not compete with them.
However, micropayments transactions between violent extremist or terrorist actors often do not raise red flags and would likely fall outside any monitoring team’s scrutiny.
This has resulted in terrorists exploiting micropayments to their benefit. Their appeal includes:
- Small donation opportunities: As with mainstream crowdfunding, many small donations add up.
- Lack of oversight: At this time, there is minimal scrutiny or infrastructure in place to examine donors and accounts that solicit.
- Plausible deniability: Difficult to prove malice on the part of donors who could argue they were just rewarding content creators.
- Supplementary method: This type of fundraising could prove agile if primary methods (online donation, publicised cryptocurrency) are interrupted.
While micropayments remain in their infancy, they remain attractive to terrorist groups looking to experiment with their capabilities.
Telegram Stars
Telegram Stars are an example of in-app digital currency. They can be used on Telegram to pay for premium bots and games and to support user-generated content. Users purchase Stars in various packages and denominations, after which they can be transacted on the platform.
Telegram Stars can be redeemed for cash value by the content creators who receive them. There is a minimum threshold (1000 stars) and a waiting period (21 days) after which Stars can be converted to TONcoin (TON). Toncoin is the cryptocurrency of The Open Network (TON), providing a high degree of privacy and anonymity through tools available via the TON ecosystem.
From the counterterrorism financing angle, this type of transaction is of note for the following reasons:
- Financial trail obscured: Without the publication of a TON address, which the contributor cannot see (Stars are converted and cashed out by the content creator), there is no visibility for the Toncoin wallet address on the blockchain.
- Privacy-related issues: Complicating matters further, TON has enhanced privacy and a decentralised infrastructure, resulting in limited oversight, even by cryptocurrency standards.
- Indirect: Stars are seen as support for creators (likes and engagement) rather than as a method of payment or financial transfer; therefore, they appear “innocent.”
While not the intended use of Stars (the vast majority of which are legitimate), these capabilities extend Telegram Stars not just as a platform feature but also as a potential step between mainstream payment systems and hard-to-trace cryptocurrency ecosystems.
Abuse of Telegram Stars by Hamas-Linked Channels
An examination of a Hamas-linked Telegram channel provides evidence of Stars’ misuse and appropriation by its owners. Some of the main, longstanding Hamas channels have been blocked or restricted in the West over the past year, leading to a number of ‘mirror channels.’ Unlike non-official channels that are independently managed and may contain additional propaganda, Hamas ‘mirror channels’ replicate only content issued by the core channels. A mirror channel replicates the content from a blocked channel into a new channel, allowing users to view the blocked content via a bypass method.
Among the posts appearing in Hamas channels are typical news reports, photo essays and videos from the terrorist group. Several times a month, Hamas also actively solicits funding for its mujahideen (warriors). While in the past this involved sharing Bitcoin and other cryptocurrency addresses, this practice has been discontinued for several years in light of authorities gaining access to and seizing several such wallets on the blockchain.
Figure 1: A screenshot captured (July 2025) depicts a Hamas poster soliciting funds for its so-called warriors.
Presently, in order to donate to the terrorist group, one must respond to an email address posted in the Telegram channel. Hamas cautions against publicly sharing cryptocurrency wallets in channels.
However, in one Hamas-linked ‘mirror channel’, an option to donate via Stars has been available since at least early 2024. The same posts containing Hamas solicitations for funding also include a footnote or follow-up post stating, “Brothers and sisters who are unable to send donations via email, you can send your donations by interacting with the channel’s posts by liking them with stars.” Additional messaging around Stars consistently frames them as a solution for supporters who are “unable to donate through other means”.
Separately, GazaNow, a media outlet now designated and sanctioned by authorities in the US and UK over links to Hamas, has encouraged supporters to “donate by purchasing Stars and sending them”.
Figure 2: A screenshot captured (October 2024) shows a Gaza Now Telegram channel promoting contributions via Telegram Stars.
Analysis of Star interactions on posts in this Hamas channel demonstrates measurable, repeated use:
- April 2025: a single fundraising post exceeding 24,000 Stars
- September 2025: approximately 78,160 Stars
- October 2025: approximately 37,500 Stars
- November 2025: approximately 42,505 Stars
- December 2025: approximately 27,000
Figure 3: A screenshot captured (April 2025) shows over 24,000 stars on a post-fundraising arms for Hamas.
At present, Stars cost roughly $0.015 ( €0.013) to purchase and can be redeemed for approximately $0.013 ( €0.011). (NB – The disparity between the $0.015 purchase price and the $0.013 redemption rate may be an additional reason this method is not prioritised.)
While these figures amount to relatively modest sums, they do show the deliberate exploitation of the Stars/Micropayment system at the level of the Hamas ecosystem.
September’s total of 78,000+ Stars is equivalent to roughly $1016, €875, or £762.
Note: A ceasefire between Israel and Hamas came into effect on October 10, 2025, bringing an end to two years of hostilities. The US claims Hamas will disarm as part of this agreement. As a result of the ceasefire, fundraising across Hamas channels has been less pronounced and can perhaps account for the slowing of Star contributions.
Stars as a Backup Method
There is a financial benefit for Hamas or other terrorist groups to liquidate Telegram Stars and digital goods on various platforms, but it comes at a price:
- The exchange rate is tipped towards Telegram, taking a commission of the digital good’s value (crypto commissions can be extremely low).
- A somewhat lengthy wait time to cash out on earnings- especially if a channel admin is worried about losing a channel to censorship (a possibility for Hamas, higher for other terrorist groups).
However, the price to pay and the delay in waiting for such funds may seem worth it, especially when considering such a method as a backup rather than a full-blown revenue stream.
This is also reflected in the messaging emanating from these terrorist groups, clearly soliciting these methods only when other methods are not an option.
Obscuring the TON address could also be a strategic choice; these wallets may serve a broader function than merely facilitating the exchange of Telegram Stars.
In App Conversions: Trail Goes Dark
As mentioned, tracking Telegram Star awards and redemptions off-platform is difficult. Stars can be redeemed for Toncoin, but no publicly available wallet addresses are available unless the content creator shares them (such as through a post on their Telegram channel). Toncoin is also a blockchain with substantially reduced transparency when compared, for example, to Bitcoin.
Figure 4: A screenshot captured (April 2025) shows accounts contributing Stars.
There are limited options for visibility of Stars that have been donated, such as hovering over Star awards and right-clicking, but even these can be obscured if the donor chooses to remain anonymous.
The Hamas channel in question has not publicised a Toncoin wallet – meaning it is not possible to determine how and if the Stars have subsequently been exchanged. Given that many wallets have been disrupted, the Toncoin wallets could also be in use with active wallets used to transact funds, in addition to those procured from Telegram Stars.
However, the fact that these options exist and this process can be followed shows the opportunity, albeit unintentional, that beckons for terrorist groups.
Creator Platforms and Unforeseen Risks: The Case of Substack
Although Telegram Stars constitute a prevalent form of exploitation, other platforms remain open and vulnerable to similar abuses. An especially relevant example is a platform that hosts multiple terrorist accounts with seemingly little moderation.
Figure 5: A screenshot captured (November 2025) shows an Al-Shabaab-linked Substack account.
The authors’ recent discovery of an Al-Shabaab-linked ecosystem of accounts operating on the Substack platform demonstrates the potential for terrorist groups to leverage creator-economy tools for audience building and online influence.
The Substack “freemium” model allows publishers to create newsletters or posts that are sometimes offered for free in part, with a subscription enabling access to the full content or to separate premium content. Subscriptions are compatible with external payment processors, and content creators can accept payment in cryptocurrency. Some of these accounts have subscribers numbered in the thousands.
There is no direct evidence of Al-Shabaab-linked accounts soliciting or accepting payments on Substack. However, the mechanisms in place would easily facilitate such exploitation, especially while the terrorist ecosystem lingers.
During the course of this research, we found:
- Multiple al-Shabaab-linked Substack accounts maintained a presence online, with limited removal of some of the more obvious ones.
- Al-Shabaab accounts, like so many terrorist linked accounts, very often rely on a ‘relay-method’ linking to spaces on other platforms, including Telegram, RocketChat, Signal and more – with the idea being that not all platforms will delete simultaneously. This allows for new links on the deleted platforms to be created and shared via the surviving accounts.
- Substack’s subscription and payment infrastructure could, technically, support cryptocurrency payments via third-party processors such as OpenNode.
Figure 6: A screenshot captured (January 2026) shows Al-Qaeda linked website post sharing links to terror group affiliate on multiple platforms.
This does not indicate current financial abuse but rather a vulnerability to which the platform is exposed. However, past patterns of abuse show social media ecosystems occupied by terrorist groups are often built out, and once established, look to exploit the platform resources for their benefit.
The Wider Picture
The Telegram Stars and the Substack scenario are not isolated cases. Rather, they are examples of a growing trend in which platforms reward content creators. These digital goods are products that can be exploited by terrorist groups.
Furthermore, creator tools simplify the process of showing appreciation for content creators. However, like all digital products, they are vulnerable to abuse, even if they are not generally considered practical for misuse (given withdrawal thresholds, wait times, and the absence of genuine content creation). Terrorist actors may hope such activity slips past moderators’ monitoring.
Implications for Counterterrorism Officials & Platforms
While in the past, terrorist financing has been about seized land, oil resources, and taxation of local populations, current trends focus very much on crowdfunding and smaller donation methods. The examples cited in this Insight underline the fact that actors in the terrorist financing space are examining lower-profile products with smaller rewards as regulations associated with larger revenue streams are increasingly tightened. Micropayments may not suffice for the larger terrorist networks’ needs, but they help terrorist networks diversify and have a plan-b.
Several considerations for policymakers and tech platform owners include:
- Digital financial products should be assessed the same way as any financial transaction.
- Anything that involves cashing out to a cryptocurrency wallet should include the same KYC safeguards implemented by many wallets.
- Social media platforms that are under-moderated carry a higher risk of future abuse by other methods, even non-financial ones.
Addressing these issues requires collaboration from a wide sector of professionals, including those from tech companies, financial regulators and counterterrorism practitioners. Focus should be on curtailing such activity, anticipating these problem areas to become a bigger focus, rather than reacting to occurrences once they have happened.
Conclusion
Terrorist organisations are increasingly struggling to maintain an online presence in an online environment increasingly hostile to their activities. Micropayments and their exploitation by terrorists are at an early and opportunistic stage. But they are occurring with transactions happening on an ongoing basis. The observations from studying the Hamas channels collecting Telegram Stars demonstrate how in-app currencies can function as a fallback method for terrorist groups. The lack of detection of such behaviour shows the potential for further abuse of these products.
With terrorist networks facing greater oversight and sanctioning by tech companies, monetisation products that are built around creator economies will become more appealing while remaining under the radar as far as monitoring is concerned. Addressing these grey areas is vital in preventing the next generation of vulnerabilities from being played out in the digital space.
—
Laurence Bindner is the co-founder of the JOS Project/Jihadoscope and an expert in the analysis of violent extremist propaganda and radical speech. Her research focuses on the dynamics of propaganda dissemination and its rhetoric.
Raphael Gluck is a founding partner of the JOS Project/Jihadoscope. With a background in web development and social media marketing, he has spent recent years researching terrorist and hate-group abuse of the internet and social media platforms.
Together, they have consulted with Trust & Safety teams across major web platforms, helping to identify, track, and stem the spread of terrorist propaganda online. Their work includes mapping the digital strategies of jihadist and hate groups, tracking app development, and monitoring activity across the surface, deep, and dark web.
—
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.