Five threat intelligence signals to counter terrorist financing flows

Terrorism financing and other national security threats are often supported by typologies like cyber-based financial fraud and layered money laundering schemes.

These crimes allow bad actors to quickly generate capital and pass off ill-gotten funds as legitimate, evading financial oversight and obscuring the source of funds from government analysts and investigators charged with protecting national security.

Typically, when funds flow through a traditional financial system, financial institutions are alerted to potential suspicious activity during know your customer (KYC) checks. To run covert operations, terrorist groups rely on infrastructure such as shell companies, hidden ownership structures, and other evasion tactics to move and disguise capital. Fortunately, this infrastructure may leave signals, or “digital footprints”, in global firmographic data that can help law enforcement agencies (LEAs) trace the locations of their centers of command and the criminals involved.
 

Data-driven intelligence to support law enforcement efforts

Data-driven threat intelligence intercepts and interprets these signals to complement anti-money laundering and counter-terrorism financing (AML/CTF) efforts of law enforcement and national security investigators in dismantling terrorist operations.

Used alone or in combination with other investigative methods and platforms, this form of threat intelligence can potentially be leveraged to detect national security threats and fight financial crime at scale.
 

Five threat intelligence signals in the data that can reveal terrorist financing

1. Multiple companies traced back to the same ultimate beneficial owner (UBO). When criminals build networks of associated companies, they often stack subsidiaries under a parent entity to hide true control by a UBO. Additionally, by spreading companies across jurisdictions and industries, the UBO can evade beneficial-ownership thresholds and obscure who actually directs operations. 
   
   
2. Shell company indicators. If companies have characteristics of a shell company, such as having the same business address registered to hundreds of other companies or lacking corporate filings, this may be a sign that these companies are a front for potentially illicit activity. While there are shell companies used for legal, legitimate purposes, some may be used to evade government sanctions or funnel illicit money. 
   
   
3. Sanctions associated with ultimate beneficial owners. Terrorists can operate as part of complex global syndicates: reviewing firmographic data for potential direct and indirect ownership connections to known, sanctioned terrorists may help law enforcement officials track the financing of terrorism and associated financial crimes. These potential connections to sanctioned entities can be a helpful proxy, as they build upon a well-informed body of investigative work completed by various government authorities. 
   
   
4. Activity in geopolitically higher-risk jurisdictions. Activity in areas with geopolitical instability, especially when combined with the previous indicators—obtuse ownership structures to obscure UBO, shell company risk, and associations with sanctioned individuals—can be a sign of terrorism financing and its associated illegal activity. These geopolitically unstable areas may have fewer financial regulations and/or less regulation enforcement, which may inadvertently lead to the proliferation of terrorist activity. 
   
   
5. Social media intelligence (SOCMINT). Criminal networks often reveal more than they intend on social platforms, whether by interacting with known bad actors or self-incriminating through braggadocio. Account posts, follows, and engagements are all forms of SOCMINT that can reveal relevant information for law enforcement investigations. SOCMINT also supports identity verification and can help confirm or challenge synthetic or fabricated identities commonly used in cyberfraud such as financial grooming. 

Together, threat intelligence signals in firmographic data like ultimate beneficial ownership, shell company risk, sanctioned entity associations, geopolitical risk, and social media activity may reveal potential connections, as well as the nature of connections, to known networks and typologies. It is important to note, however, that while this form of data-driven threat intelligence is relevant to AML/CTF and cybercrime investigations, it is not exclusive to this category of illicit activity. Law enforcement officials may also use these data indicators as a starting point for investigations into tax evasion, drug and human trafficking, weapons proliferation, and more.

Terrorism financing involving cyberfraud and virtual assets like cryptocurrencies may also warrant partnering with non-bank platforms to track non-traditional financial flows.

Real-world example of an international LEA using data-driven intelligence

Public-private partnerships between data intelligence platforms and law enforcement agencies can keep communities worldwide safe. For example, Moody’s threat intelligence platform was recently used by INTERPOL, the world’s largest international police organization, to screen 15,000 individuals and entities in their intelligence operation, which led to the discovery of $260 million in both fiat and virtual currencies potentially linked to terrorism.

Moody’s robust global datasets power its threat intelligence platform, with business record data for over 600 million companies and risk profiles for over 21 million individuals and entities. The threat intelligence platform is designed to support national security and law enforcement professionals by uncovering potential links between individuals and entities associated with risk. Key proprietary data that may be utilized in investigations of illicit financial flows include ownership structures, ultimate beneficial owners, shell company indicators, politically exposed persons (PEPs) tags, sanctions advisories, adverse media sentiment tags, industry classifications, and other risk indicators.

Harness threat intelligence signals to dismantle terrorist networks

By reviewing threat intelligence signals gleaned from global firmographic datasets, law enforcement and national security investigators can uncover the hidden infrastructure behind terrorist financing flows—from shell companies and opaque ownership structures to sanctioned entity networks and high‑risk jurisdictions. The five threat intelligence signals outlined here are not just data points; they can be strong predictors of potential suspicious activity that can lead to the disruption of illicit terrorist networks and their associated typologies.

Moody’s is committed to partnering with government agencies worldwide to turn these signals into decisive action against corruption, financial crime, and threats to public safety. To learn more about how our solutions for the public sector can advance your mission, get in touch with our team today.