This Insight was published as part of GIFCT’s Working Group on Countering the Financing of Terrorism Online (CFTO). GIFCT Working Groups bring together experts from diverse stakeholder groups, geographies and disciplines to offer advice in specific thematic areas and deliver on targeted, substantive projects.
This Insight examines how terrorist financing in Europe is changing in practice, as organised crime and state-backed violent extremism increasingly overlap, and explores the financial logic of what this Insight terms state-cover networks: deniable, modular structures that use criminal intermediaries to fund and carry out attacks across European jurisdictions.
The transnational threat environment in Europe shifted significantly following the February 2026 US–Israeli strikes on Iran. Within days, Europol warned of heightened risks targeting Jewish, Israeli and Western interests. That warning was soon borne out. From 9 March, a series of attacks targeted Jewish sites in Belgium, the Netherlands and the United Kingdom, with responsibility claimed by a previously unknown group, Harakat Ashab al-Yamin al-Islamia (HAYI). ICCT analysis suggests that HAYI operates as a front structure linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and its Quds Force. Notably, ICCT found no trace of HAYI, online or offline, before 9 March 2026 — an absence that several analysts read as more consistent with a fabricated front engineered for deniability than with an organic movement. As of late April, the Institute for Strategic Dialogue (ISD) has reported at least 17 HAYI-claimed attacks across seven weeks in four countries, targeting Jewish schools and synagogues, as well as US financial institutions and Iranian dissident journalists.
These events should not be seen as an anomaly. Makarenko’s foundational work on the crime–terror continuum (2004, p. 6) identified the progressive fusion of organised crime and terrorism as transnational threats that evolved in the post-Cold War period. Omelicheva and Markowitz (2021, p. 3) refined that framework, demonstrating that state actors play an under-examined orchestrating role: crime–terror intersections are not always spontaneous but often state-directed. The Islamic Revolutionary Guard Corps (IRGC), though a state body, has itself been proscribed as a terrorist organisation by the United States, Canada and Australia, and was added to the EU terrorist list in early 2026. As Malakouti Khah (2024, p. 73) shows in her examination of Iranian counter-terrorism financing law, the structural exemption of national liberation movements from terrorism definitions creates a normative cover for precisely this kind of proxy financing — and Iran’s persistent resistance to FATF compliance flows directly from this constitutional feature. Existing counter-terrorist financing (CTF) frameworks are poorly equipped to respond.
The Crime–Terror Nexus as Strategic Architecture
The use of criminal networks as operational proxies is not incidental to Iranian external operations; it has become the dominant model. The IRGC has adopted an approach proven across multiple jurisdictions, one whose financial architecture is engineered to remain below the threshold of current CTF detection. MI5 Director General Ken McCallum announced in October 2025 that his organisation had “tracked more than 20 potentially lethal Iran-backed plots” in the UK in the preceding twelve months alone, recruiting intermediaries ranging from international drug traffickers to low-level criminals. ICCT’s dataset of 218 Iranian external operations since 1979 identifies 102 such operations — spanning plots, surveillance, and attacks rather than ordinary crime — in Europe, more than half of which have occurred since 2021. In Sweden, criminal organisations, including the Foxtrot and Rumba gangs, were recruited by the IRGC to target Jewish community infrastructure; in Germany, operatives with Hells Angels connections were tasked with synagogue bombings. The Soufan Center has characterised this as a “strategic pivot”: a hybrid model combining state intelligence capacity with the local reach of organised crime.
By outsourcing violence to criminal intermediaries, state sponsors gain operational reach while insulating official actors from attribution. Laurent Nuñez, the French Interior Minister, stated publicly that Iranian intelligence typically operates through a chain of subcontractors — often ordinary criminals — to carry out targeted actions against Jewish communities and opposition figures. The relationship is reciprocal: criminal actors receive state protection and, in some cases, immunity from prosecution in exchange for logistics and operational cover. Farber’s 2025 systematic review (p. 12) identifies this self-reinforcing dynamic as one of the most persistent structural gaps in AML (anti-money laundering)/CTF architecture worldwide. The ISD terms it a “violence-as-a-service” model: a front group in name only, recruiting financially motivated individuals through encrypted platforms.
The model observed in HAYI is not unique to the 2026 escalation. As Khah (2020, p. 915) documents, similar dynamics can be observed in earlier IRGC-linked external operations, where what Khah terms a “war by terror” was operationalised through the Quds Force and structurally insulated from accountability by the absence of a published counter-terrorism policy. The 2026 European attack wave represents the export of that structure to a new operational theatre: the first time this template has been applied across European jurisdictions at scale, rather than in isolated, one-off plots.
Case Study: HAYI and the Anatomy of a State-Cover Network
The HAYI attacks are worth examining, not because they were unique, but because their forensic profile offers insight into how the network appears to operate. Between 9 and 23 March 2026, coordinated incidents targeted Jewish sites in Liège, Rotterdam, Amsterdam and London, causing damage and fear in communities, but no casualties. On 29 April, the stabbing of two Jewish men in Golders Green, London, demonstrated that the network’s activities could also involve direct violence against individuals. Taken together, these incidents point to an operational model that obscures responsibility through the use of intermediaries and indirect support networks. Similar patterns are visible in the network’s financial activity, where fragmented transactions and layered relationships can complicate attribution and disruption.
This use of criminal intermediaries by a state-linked actor fits a pattern that scholars have examined directly: Shaw (2019) highlights the under-studied use of organised crime by state-sponsored terror groups, while Phillips and Schiele (2023) find that groups with state sponsors are among the most likely to cooperate with criminal networks.
According to ICCT’s analysis, the dissemination chain is analytically significant. Four large Arabic-language Telegram channels — each with hundreds of thousands of followers and ties to both pro-Iranian and pro-Russian disinformation networks — published attack reports within minutes of incidents — a pattern consistent with pre-coordinated dissemination rather than opportunistic amplification.
UK Prime Minister Keir Starmer has expressed public concern over proxy attacks supported by “a number of countries”, and the UK Home Office has raised its threat level to “severe” in response to the rising Islamist and extreme right-wing terrorist threat. That institutional escalation has not, so far, been matched by substantive regulatory adaptation.
Comparative Profile: Financial and Operational Signatures
Table 1 maps the distinguishing characteristics of three actor types relevant to the European context. State-enabled hybrid cells occupy a distinct space that current CTF frameworks are not designed to detect — the State-Enabled Hybrid Cell category (third column below) into which HAYI itself falls.
| Dimension | Organised Crime | Classical Terrorist Group | State-Enabled Hybrid Cell |
| Transaction volume | High (sustains enterprise) | Variable; often significant | Low — typically €500–1,000 per operative |
| Primary funding source | Criminal proceeds | Donations, diaspora, NGO misuse | Criminal proxy revenues; off-book state budget |
| Financial traceability | Moderate — launderable through fronts | Moderate — trackable via bank records | Very low — cash, hawala, in-kind support, crypto |
| Attribution risk | High (financial records expose hierarchy) | Medium (ideological trail aids attribution) | Very low — plausible deniability by design |
| CTF detectability | Partly addressed by AML frameworks | Partly addressed by dedicated CTF rules | Poorly addressed — falls between AML and CTF |
Table 1: Comparative profiles. Sources: author’s analysis drawing on Makarenko (2004); FATF Comprehensive Update on Terrorist Financing Risks (2025); Europol IOCTA (2024); ISD Global Dispatch (2026).
Deniable Financial Architecture: Low-Visibility and Fragmented
State-cover networks are defined as much by what they do not do financially as by what they do. In the cases documented so far, they typically rely on none of the classic financing channels — no crowdfunding, no diaspora donation cycle, no NGO misuse in the conventional sense. Payments to individual operatives fall in the €500–€1,000 range — the same figure documented by the Soufan Center in the Paris plot above, and corroborated by French prosecutors, below standard suspicious-transaction thresholds by design rather than constraint. Financing is embedded in criminal economies, drawing on drug trafficking revenues, hawala transfers and off-budget security expenditure. The Council of Europe’s MONEYVAL has documented that contemporary terrorist financing increasingly originates from illegal activities — from petty crime to organised trafficking — a pattern the HAYI case replicates at the level of small, individually low-value transactions.
Khah (2024, pp. 73–76) identifies the structural reason: Iran’s constitutional requirement to support “oppressed peoples”, operationalised through IRGC-QF proxies, makes genuine FATF integration improbable. The national liberation movement exemption — which formally covers Hezbollah, Hamas and the operational logic behind HAYI — is written into Iranian law. The Supreme Leader’s characterisation of FATF as a tool of Western pressure is not rhetorical; it reflects a constitutionally grounded policy position.
Davis (2022, p. 7) highlights the core gap: frameworks designed to detect structured financial flows through formal institutions produce limited results against dispersed, informal, unrecorded support chains. Stringer, Urban and Mackay (2023, p. 45) term this “counter threat finance for strategic competition”: state adversaries deliberately design financial architecture to exploit the boundary between AML and CTF jurisdiction. The HAYI model reflects a clear application of that principle.
Regulatory Gaps and the Technology Dimension
The current EU and member-state CTF architecture was built for a previous generation of threats. Existing frameworks assume terrorist actors raise and manage funds independently; they do not account for a state that systematically finances criminal networks providing operational cover. Financial links to a sponsoring state may be routed through diplomatic transfers, trade finance or humanitarian aid, all outside standard tracking mechanisms. The EU’s 2016 Action Plan on terrorist financing acknowledged the crime–terror link but produced limited operational output: the EU Anti-Money Laundering Authority (AMLA), originally mandated for 2023, did not become operational until 2025 — a two-year delay that illustrates the institutional tempo gap between threat evolution and regulatory response.
The FATF Comprehensive Update on Terrorist Financing Risks (2025) is explicit: 69% of the 194 participating jurisdictions have “major or structural deficiencies” in investigating, prosecuting and convicting terrorism financing cases. Its dedicated section on state sponsorship (Section 1.7) acknowledges that state adversaries design financial architecture precisely to exploit the AML–CTF boundary. The Europol IOCTA similarly documents the growing digital infrastructure shared by criminal and extremist networks. Yet state-sponsored financing through criminal proxies remains regulatorily underspecified in both frameworks.
On the technology side, the HAYI case is more nuanced than a simple cash/crypto binary. Payments to foot soldiers were largely cash-based, falling below Customer Due Diligence thresholds — the Metropolitan Police’s counter-terrorism lead has described recruits as “taking quick cash for their crimes”. But, as the New Statesman reports, Iran, in some cases, transferred cryptocurrency to operatives conditioned on submission of an attack video — merging payment, operational verification and propaganda in a single digital workflow. Dual-use e-commerce presents a parallel challenge: Europol’s IOCTA notes that operatives can procure surveillance equipment, prepaid SIMs and incendiary materials through ordinary online retail, with peer-to-peer payments below KYC thresholds. The detection challenge lies in recognising patterns across platforms — something current monitoring systems still struggle to do effectively.
Conclusions and Recommendations
Closing the conceptual gap between anti-money-laundering and counter-terrorist-financing rules is the most urgent step. Suspicious-transaction thresholds must be recalibrated for the low-value, repeated cash payments characteristic of hired operatives. The forthcoming AMLA framework should explicitly address state-sponsored financing through criminal intermediaries as a distinct risk category, not a sub-variant of standard organised crime. FATF’s 2025 Update provides the analytical basis; what is missing is binding operationalisation.
A second front concerns virtual assets, where FATF guidance on service providers should be applied on a binding, harmonised basis. Cryptocurrency exchanges and virtual-asset service providers across EU member states must implement terrorism-specific transaction monitoring, including detection of mixing services, P2P transfers to flagged entities, and the attack-video-for-payment model documented in HAYI operations. Voluntary frameworks have proven insufficient.
Procurement patterns, too, demand attention: pattern detection for dual-use purchases should be mandated at platform level. Major e-commerce and payment platforms should be required to develop API-level monitoring for procurement patterns consistent with small-cell operational preparation: combinations of prepaid cards, surveillance equipment, specific chemicals and SIM cards across short timeframes. This requires regulatory cooperation between financial intelligence units and the digital economy sector — cooperation that is currently largely absent.
None of this works, however, without stronger public–private intelligence sharing on hybrid threat finance. Joint task forces combining financial analysts, platform security teams and counter-terrorism officers are better placed than any single agency to detect the cross-domain signatures of state-cover networks. FATF’s private-sector engagement framework provides a basis; it requires institutional teeth, formalised OSINT integration and dedicated resourcing within Europol and national FIUs.
The AML–CTF regulatory seam is precisely where state-cover networks are engineered to operate. Closing it requires the changes outlined above — and the political will to treat terrorism financing not solely as a law enforcement question, but as a financial intelligence, digital platform and hybrid warfare challenge simultaneously. Historically, European states were slow to adapt to the Russian hybrid threat; the evidence reviewed here suggests the window for a faster response to Iran’s equivalent model is already narrowing.
–
Fabrizio Minniti is an international security expert with extensive experience in strategic analysis and field advisory. As a researcher for the Military Centre for Strategic Studies, he authored key reports on intelligence, international terrorism, nuclear doctrine, and European defence policy. His operational background includes serving as an External Consultant for EUBAM-Rafah and as a Political Advisor within the NATO Resolute Support Mission in Afghanistan.
–
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.