Tracking Hamas’ Latest Bitcoin Campaign
Updated: Jun 12, 2019
IMPORTANT: As a general policy, we never publish cryptocurrency addresses associated with terrorism or illicit financing. The addresses have been redacted in accordance with this policy.
Earlier this year Hamas’ military wing, Ezzedeen al-Qassam Brigades (Hamas), began soliciting Bitcoin (BTC) donations. After a slew of reports exposed the traceability of the funds, Hamas changed its approach, developing an interface that assigns a unique (and for all intents and purposes, private) receiving address to donors, in lieu of the wallets that they had previously broadcasted publicly. However, these wallets are not actually anonymous. A distinct pattern is identifiable among these “unique” addresses, with the first four address characters recycled for a given date and time. Entities can query these patterns on the blockchain in order to identify addresses sharing these characteristics.
The group’s first (known) publicly advertised attempt at sourcing donations through BTC was relatively rudimentary. BTC transactions and their accompanying addresses are accessible by anyone with a computer, per the public BTC ledger known as the blockchain. Their calls for donations carried the hashtag “Support the Resistance” in Arabic and were disseminated via the below infographics, among others. The advertisements contain two searchable BTC addresses, which many analysts have already traced, with some funds crossing into major exchanges.
The two addresses in question received 0.779 BTC (roughly equivalent to $6,900) and 0.526 BTC (about $6,675) and neither have significant final balances, as of writing and based on the current USD-BTC exchange rate. The wallets’ earliest transactions were on February 1, 2019 and January 31, 2019, respectively, and the most recent were on April 11 and April 9.
Increased exposure and scrutiny of the initial campaign provoked Hamas to change their tactics. Rather than advertising the receiving addresses, the group developed an interface that assigns a unique (and for all intents and purposes, private) receiving address to its donors. As noted, this eliminated starting points for tracing the flow of funds from donor to beneficiary. However, upon analysis of each uniquely generated address, there is a distinct pattern that can be used to trace the flow of BTC.
Each address contains 34 characters, and all are Pay-to-Script-hash (P2SH). A P2SH address begins with a number ‘3’ and is comprised of a unique digital fingerprint, or cryptographic hash. The uniqueness is based on the data it maps, which can include a hash of the sender’s private keys or specific requirements to unlock BTC on the blockchain. Since unique qualities are used to generate P2SH addresses, it is likely that patterns can be observed among these types of addresses.
In the current campaign, the first four characters of each address are the same, as observed in the following list. These addresses were generated on 26 April 2019:
Approximately three weeks later, the process was repeated and the same pattern was observed but with a different set of four unique characters. The following addresses were generated on 19 May 2019:
As shown, the first four characters are always the same for a given set of addresses generated. Over time, these four characters change but the pattern remains. It is unclear how frequent the first four characters change, but active monitoring of the addresses could indicate the frequency. At least one cryptocurrency analytic firm is publicly cited for their ability to track Hamas’ current campaign via “patterns in their unique addresses.” The above pattern may be the same pattern used by that analytic firm.
Based on the patterns observed above, entities may query address prefixes on the blockchain to identify other addresses sharing the same unique characters, given a specific timeframe. Specialized tools, such as Princeton University’s BlockSci  or Google’s BigQuery  can be used to easily search and analyze the blockchain for these types of addresses and the subsequent flow of funds. Otherwise, it is necessary to download the 210+ gigabyte blockchain.
Hamas is likely to alter their current techniques for generating donations via cryptocurrency, in an attempt to stop entities from tracing their funds. There is some potential for Hamas to construct a highly complex funneling operation through which “donations” and other funds could quickly pass, almost certainly obfuscating detection or at the very least necessitating enormous resources to unfurl. Even where funds pass through regulated cryptocurrency exchanges or other regulated entities that have integrated cryptocurrency into their ecosystems, threat actors could, in theory, source enough KYC and supporting material for a network of “legitimate” accounts across numerous transmitters. However, this shift in tactics likely bares more costs than benefits.
Regulatory bodies like the US Office of Foreign Asset Control (OFAC) should ramp-up their sanctioning of cryptocurrency addresses to provide greater clarity to everyone operating in the cryptocurrency industry. Especially for target groups or organizations that have disputed legal statuses, such as militant groups (where the lines between what is acceptable to the international community and what is not are often blurred) or groups that are designated as Foreign Terrorist Organisation by some but not all states, there is bound to be a legal gray area for businesses in the cryptocurrency industry. These questions will undoubtedly come into greater focus in the coming years, but, until then, relevant organisations must start the conversation about this and establish clear positions on how to deal with such grayness or conflicting policies.