A Canadian Cryptocurrency Caper in the Sri Lanka Attack? Unlikely

6 May 2019

By Jessica Davis

In early May, media reports circulated stating that the Sri Lankan terrorist attacks in April 2019 had been “funded by Bitcoin” and that the transaction had been processed through a Canadian company. These reports are highly misleading, so let’s have a look at what actually happened and what it means for the Canadian financial sector and national security writ large.

What really happened

In early May, an Israeli private intelligence firm (Whitestream) announced that it had traced Islamic State Bitcoin transactions, saw many interesting transactions, and loosely connected those transactions to the terrorist attacks in Sri Lanka. Media reporting subsequently announced that the terrorist attacks had been “funded by Bitcoin.”  According to the researchers at Whitestream, the Islamic State used a Canada-based company called Coinpayments to convert bitcoin to fiat currency. The researchers had apparently identified an Islamic State Bitcoin wallet through social media posts / calls for donations and monitored transactions associated with it. The information linking the transaction to the Easter attack was the timing of the transaction: according to Whitestream, “On the day before the Sri Lanka terror attacks, we identified two relatively big transactions at this address with bitcoins worth about $9,800.”

The media reporting (and to a lesser extent, statements by Whitestream) are misleading, so let’s walk through it:

1)       First of all, it is highly inaccurate (in most cases) to say that a terrorist organization or operational cell was funded by Bitcoin. Bitcoin is a method of moving funds from one location to another. Those funds are donated by individuals who purchase Bitcoin and send it to the Islamic State-linked wallet. In some (rare) cases, terrorists may invest in Bitcoin (or any other commodity or currency) in the hopes that its price may increase, and then sell it for a profit. Terrorist fundraising schemes involving commodity or currency speculation rarely succeed.

2)       While the timing of the transaction is interesting in terms of the attack, it is highly unlikely that this transaction would have funded it - terrorists raise and use funds for weeks, months, and sometimes even years in advance of their terrorist attack.

3)       The amount of money involved in the transaction would also have likely been insufficient to fund the attack in its entirety. The operational expenses of such a coordinated terrorist attack (the chemicals and other components for the device, safe houses, transportation costs, possibly salaries or payments to families, travel and training, operational security measures such as phones, etc) will likely add up to significantly more than $9,800.

Fundamentally, we don’t know much about this transaction. It does appear to be linked to the Islamic State which is a concern even though it is unlikely to have funded the terrorist attacks in Sri Lanka.

What is interesting is the amount of the transaction - $9800 (in either Canadian or US dollars - reporting is unclear). This amount is just below reporting thresholds for various transactions in both the United States and Canada to be reported to Canadian or American financial intelligence units (responsible for preventing and detecting terrorist financing and money laundering). And this brings us to the Canadian connection:

Implications for Canada

Generally speaking, entities involved in moving money are considered to be money services businesses in Canada. At the moment, this is not the case for much of the cryptocurrency landscape. Coinpayments (and other payments processors and cryptocurrency exchanges) will soon be considered MSBs under regulations that were drafted in 2018 and will be coming into force in the fall of 2019.

Under the new regulations, Coinpayments would not have to report this transaction to FINTRAC (Canada’s financial intelligence unit) given that it was below the reporting threshold of $10,000. But the company would have to confirm the identity of individuals and entities related to this transaction. Under the regulations, they would need a “full compliance program,” be registered with FINTRAC, and would have record-keeping and reporting obligations (as per other money services businesses). Based on my understanding of cryptocurrencies, this seems unlikely to succeed, and how it would work in practice, and if it will be enforceable, remains a mystery.

Canada’s financial technology sector has been hugely innovative, but there have been significant concerns about the exploitation of financial technology by threat actors, not least of which includes terrorists.

While much of this concern has been overblown, there are clear cases of terrorists using financial technology, including Bitcoin, to finance their activities (particularly in the movement of funds). As such, Canada’s financial sector may be particularly vulnerable to terrorist financial tradecraft adaptation, given the dominance of our fintech sector. This will place the integrity of Canada’s financial sector in the crosshairs of groups like FATF (the Financial Action Task Force, an international body established to set regulations and norms to combat money laundering and terrorist financing), but could also make Canada’s financial sector appealing to those that want to finance illicit activity.