Overview#
An ISIS-affiliated network operating across three countries moved funds through a rotating set of cryptocurrency wallets, routed proceeds through a mixing service within 48 hours of receipt, and converted the residual into cash through unregulated exchange points. The financing was hidden in plain sight: small donations solicited via social media, no single transaction large enough to trigger automated reporting thresholds. Disrupting it required connecting wallet attribution, on-chain transaction graph analysis, social media OSINT, and exchange account intelligence into a single operational picture.
Argus Terrorist Financing Intelligence provides counter-financing capabilities for financial intelligence units, counter-terrorism agencies, and joint task forces working to detect, map, and disrupt the financial networks that sustain terrorist organisations. The module covers hawala and informal value transfer detection, charity abuse, cryptocurrency-based financing, and sanctions screening, with structured workflows for JTTF financial intelligence coordination.
Open Standards#
- STIX 2.1 (OASIS): Intelligence on terror financing networks, threat actors, and indicators of compromise is exported and ingested as STIX 2.1 Structured Threat Information Expression bundles, enabling structured sharing with JTTF partners, Europol, and Interpol-aligned networks.
- TAXII 2.1 (OASIS): The platform implements an async TAXII 2.1 client supporting collection discovery, paginated object polling, and bundle push, providing the transport layer for STIX intelligence feeds to and from partner agencies.
- Traffic Light Protocol (TLP) / FIRST: All outbound intelligence packages carry STIX-encoded TLP marking-definitions (WHITE/GREEN/AMBER/AMBER+STRICT/RED) that govern dissemination boundaries for financial intelligence shared across multi-agency environments.
- FATF Recommendations (Financial Action Task Force): Typology detection, red flag indicators, AML/CFT risk scoring, and beneficial ownership thresholds are aligned to FATF Recommendations, including the 25 per cent ownership/control criterion for identifying shell-company evasion.
- EU Anti-Money Laundering Directives (4AMLD/5AMLD/6AMLD): Sanctions screening and entity persistence are explicitly framed against EU AML Directive compliance requirements, covering mandatory screening obligations for financial institutions operating under EU law.
- FollowTheMoney (FtM) data model / OpenSanctions: Bulk sanctions data from OpenSanctions is ingested and transformed from the FollowTheMoney newline-delimited JSON entity format, which aggregates OFAC SDN, UN Security Council, EU, UK HMT, and allied sanctions lists into a unified entity schema.
- ISO 17442 / GLEIF Legal Entity Identifier (LEI): LEI codes are extracted from OpenSanctions bulk data and resolved via the GLEIF API for authoritative legal entity identification when screening corporate structures for sanctions evasion.
Last Reviewed: 2026-02-04 Last Updated: 2026-04-14
Key Features#
Terror Financing Pattern Recognition#
Automated detection of terror financing typologies across transaction data, entity registrations, and operational indicators. The system matches against known financing patterns while flagging novel structures through anomaly detection, reducing dependence on investigators recognising patterns manually from high-volume data.
Hawala and Informal Value Transfer Detection#
Hawala networks move substantial sums annually outside formal banking channels. Detection in the absence of transaction records requires behavioural analysis, network reconstruction from fragmented indicators, and cross-border intelligence coordination. The platform identifies hawala-linked behavioural signatures including: cash deposit and withdrawal velocity mismatches, account activity spikes during known settlement periods, and geographic clustering near areas with high hawala operator density.
Charity Abuse Detection#
Millions of registered charitable organisations globally create substantial surface area for diversion risk. Terror financing through charity abuse includes operational control of boards, fund redirection to non-charitable purposes, and beneficiary misrepresentation. The module cross-references charity registration data, financial flows, and beneficiary records against known indicators, flagging organisations exhibiting diversion risk patterns for investigation.
Cryptocurrency Terror Financing#
Foreign terrorist organisations exploit cryptocurrency for anonymity, cross-border reach, and financial system independence. ISIS, Al-Qaeda, Hezbollah, and Hamas have all conducted cryptocurrency fundraising operations. The module provides:
- Wallet clustering and attribution linking addresses to known FTO-affiliated accounts
- Transaction graph mapping tracing donation flows through mixing services to cash-out points
- Cross-chain analysis across 15+ blockchain networks to detect chain-hopping evasion
- Social media OSINT integration linking campaign wallets to propaganda accounts
- Exchange subpoena target identification for accounts receiving funds after mixing
Sanctions Screening#
OpenSanctions integration provides real-time, automated screening against:
- OFAC SDN and Consolidated Lists
- UN Security Council consolidated sanctions lists (ISIS, Al-Qaeda, Taliban, proliferation regimes)
- EU restrictive measures
- UK HM Treasury financial sanctions
- Canadian, Australian, and allied sanctions programmes
Retroactive screening runs automatically when lists update, identifying previously undetected matches across historical transactions and entity records.
JTTF Intelligence Coordination#
Joint Terrorism Task Forces coordinate counterterrorism investigations across FBI, DHS, local law enforcement, and intelligence agencies. Financial intelligence sharing requires secure data exchange, deconfliction, and joint investigation support. The module provides STIX/TAXII-compatible intelligence exports for sharing with participating agencies and supports classified and unclassified operating environments.
Use Cases#
Cryptocurrency Fundraising Network Disruption. Trace cryptocurrency fundraising campaigns linked to designated organisations from initial wallet attribution through mixing services to exchange cash-out points. Build exchange subpoena packages and support asset seizure proceedings with complete transaction graph documentation.
Hawala Network Investigation. Identify informal value transfer networks through behavioural pattern analysis when formal transaction records are unavailable. Map network participants, estimate transfer volumes, and coordinate cross-border enforcement with partner financial intelligence units.
Charity Diversion Investigation. Detect and investigate charities being used as fronts for terror financing through financial flow analysis, governance review, and beneficiary verification. Build evidence packages supporting revocation proceedings and criminal referral.
Sanctions Evasion Detection. Identify designated entities and their associates attempting to access the financial system through nominees, front companies, and layered transactions. Generate retroactive screening alerts when new designations match existing account or transaction records.
Integration#
- Automated ingestion and screening against OFAC, UN, EU, UK HMT, and allied sanctions lists
- Retroactive screening of historical transactions and entities when designation lists update
- Connects with banking and financial institution transaction monitoring systems
- Integrates with financial intelligence unit databases for SAR and CTR correlation
- Links to cryptocurrency blockchain analysis platforms for on-chain investigation
- Works with JTTF case management systems for multi-agency financial investigation coordination
- Supports secure intelligence sharing via STIX/TAXII for Europol and Interpol-aligned networks
- Compatible with social media monitoring platforms for cryptocurrency campaign attribution
- Feeds into national counterterrorism financial intelligence frameworks