Assessing Terrorist Financing Through the Lens of the Terrorist Attack Cycle

As we move through 2018, we continue to witness the evolution and devolution of different terrorist organizations. For example, when the Islamic State of Iraq and Syria (ISIS) established their caliphate by taking over and ruling much of Iraq and Syria in 2014 and through the fall of 2017, they evolved into one of the wealthiest and most dangerous global terrorist threats. In 2017, as their caliphate was lost through battlefield defeats on all fronts in Iraq and Syria, ISIS devolved from a state into an insurgency. Consequently, their wealth and power were greatly reduced. Nonetheless, even in their diminished state, ISIS represents a formidable terrorist threat.

In contrast, as ISIS was evolving into the primary global terrorist threat, al-Qaeda, the core group, was devolving from the organizational threat they were on 9/11 into a more benign threat. However, as 2017 progressed, al-Qaeda reemerged as a more dangerous organization. They have been quietly transforming themselves under the emerging leadership of Hamza bin Laden, Osama bin Laden’s favorite son.

Regardless of the evolution or devolution of terrorist groups, the threat of Islamic terrorist-inspired or directed attacks remains a primary global concern. Terrorist tactics and tradecraft never stop changing. They constantly evolve to respond to external forces that enable, constrain and shape them. The main drivers of Islamic terrorism are ideology and terrorist theory, political and economic development, counterterrorist efforts, technology and media coverage. Not one of these factors operates in isolation. They are all interconnected and work together to help transform terrorist dynamics. They also factor into the mindset of terrorists in selecting targets and planning attacks.

In the aftermath of every terrorist attack, there are lessons to be learned from both security and financial perspectives. From a security perspective, lessons to be learned include:

  • What was the purpose or motivation for the attack?
  • How were security controls circumvented?
  • How were the terrorists able to avoid detection?
  • Were law enforcement and intelligence agencies aware of the terrorist operatives responsible for the attack?

From a financial perspective, lessons to be learned include:

  • How was the attack funded?
  • How much money was required?
  • What was purchased to support the attack?
  • Could the funding have been detected as suspicious through anti-money laundering (AML) filters or through proactive and prescriptive AML surveillance?

This is where assessing terrorist attacks through the lens of the terrorist attack cycle becomes critically important. By assessing the financing of specific attacks and by comparing them to similar attacks, financial commonalities can be identified. This can lead to the development of financial typologies and the establishment of proactive and “urgently” reactive investigative and analytical mechanisms. AML and terrorist financing monitoring and identification are inherently reactive processes. Anything we can do to become more proactive and/or “urgently” reactive enhances possible detection. Key steps in facilitating this assessment process are to understand the threat environment and the terrorist attack cycle.

Threat Environment

In a hearing before the U.S. Congress House Judiciary Committee on December 7, 2017, FBI Director Christopher Wray stated: “Preventing terrorist attacks remains the FBI’s top priority. The terrorist threat against the United States remains persistent and acute. From a threat perspective, we are concerned with three areas in particular: 1) those who are inspired by terrorist propaganda and act out in support; 2) those who are enabled to act after gaining inspiration from violent extremist propaganda and communicating with members of foreign terrorist organizations who provide guidance on operational planning or targets; and 3) those who are directed by members of foreign terrorist organizations to commit specific acts in support of the group’s ideology or cause. Prospective terrorists can fall into any one of these three categories or span across them, but in the end, the result is the same—innocent men, women, and children killed and families, friends, and whole communities left to struggle in the aftermath.”1

During his testimony, FBI Director Wray went on to state that ISIS and homegrown violent extremists were the main terrorist threats to the U.S. He also commented about the threat of returning foreign fighters and noted that: “These threats remain the highest priority and create the most serious challenges for the FBI, the U.S. intelligence community, and our foreign, state and local partners.”

In comparing terrorist attacks that were similar to each other, to identify commonalities, categorizing the attacks in accordance with FBI Director Wray’s three areas of concern (inspired by, enabled by or directed by terrorist groups) would simplify the assessment process.

Terrorist Attack Cycle

In line with FBI Director Wray’s three areas of terrorist threat concern, there has been a constant stream of global attacks carried out by individuals who were inspired, enabled and/or directed by terrorists and/or terrorist propaganda. In March and June 2017, London was victimized by attacks inspired by terrorists. In addition, in October and December 2017, New York City was also victimized by attacks inspired by terrorists or terrorist propaganda. In August 2017, a group that evolved into a cell and whose leaders likely had contact with terrorists, attacked tourists in Barcelona and Cambrils, Spain. This year will mark the 17th anniversary of the 9/11 terrorist attack. There is no greater example of a directed terrorist attack than 9/11. Unfortunately, and tragically, there are all too many examples of inspired, enabled or directed terrorist attacks from which to draw.

Regardless of whether a terrorist attack is carried out by individuals who were inspired, enabled or directed by terrorists and/or terrorist propaganda, they all invariably follow a form of the terrorist attack cycle.

Stratfor, a geopolitical intelligence platform, describes the terrorist attack cycle as a six-step process including target selection, planning, deployment, attack, escape and exploitation. It is important not to interpret or apply the concept of the terrorist attack cycle too rigidly. The six-step process of the terrorist attack cycle should be considered as flexible guidance, and it should not be viewed as a static process. Terrorists are extremely adaptable and each terrorist and terrorist group is different. The level of tradecraft and experience they possess affects their planning and execution. Each potential terrorist attack will present one or more unique opportunities or challenges. Complex attacks, like 9/11 or Mumbai, take months or years to plan and execute. More simplistic attacks like the recent New York and London attacks take days, weeks or months to plan and carry out.

In any event, some variation of the terrorist attack cycle will be followed. Regardless of how the cycle plays out, it will require funding. Whether it is a complex attack (requiring greater funding consideration) or a simple attack (requiring minimal funding), financing will be necessary. Financing is one of the greatest vulnerabilities confronting terrorists and terrorist organizations. Every terrorist attack tells a financial story. Law enforcement investigations of terrorist incidents are usually driven by the financial clues identified at the outset of the crime scene investigation.

The public and private sector must be aware of commonalities and warning signs consistent with the terrorist attack cycle, in order to best identify suspicious activity and behavior. Terrorist operatives and cells are most vulnerable to detection during target selection surveillance, then the deployment stage and lastly the planning stage. Target selection, planning and deployment are the points in the terrorist attack cycle we must focus on to detect, disrupt and prevent attacks. This requires situational awareness. As discussed in the ACAMS Today article Assessing the Catalonia Terrorist Attacks and Placing Them in an AML Context, “Situational awareness is being aware of one’s physical surroundings for safety and security and signs of danger or suspicion.”2 This concept can also be applied to financial information. Being aware of and understanding the financial flows that support terrorist attacks can lead to the identification of suspicious activity, the disruption of the funding flow and the prevention of a potential terrorist attack.

Terrorist Funding Streams

As discussed in the ACAMS Today article Developing Terrorist Financing Typologies for AML Programs, there are primarily three funding streams terrorists rely on:

  1. The funding flow from the point of origin or source of funds to the organization
  2. The funding flow from the organization to support an operation
  3. The funding flow from the operation to the operatives

The third funding stream has taken on a new variation in the form of a reverse flow. “Instead of the money flowing down from the organization, the money is being generated directly by the operatives through their employment income, government assistance, proceeds of criminal activity, family donations and other sources.”3

The reverse funding stream, or self-funding, is more apt to occur in situations where homegrown violent extremists are inspired by (but not directed by) terrorist organizations. Enabled attacks will most likely be self-funded but could receive funding from a terrorist group. Directed attacks, which are led by terrorist groups, are more likely to be funded, in whole or in part, by the terrorist group.

Gaining Perspective by Assessing Funding Requirements Following the Terrorist Attack Cycle

It is important to visualize the funding stream or flow required to support a terrorist attack. In this regard, we want to follow the funding flow back from the point of attack to the point of origin. Thus, it is necessary to go from the third funding stream (funding to the operatives), back to the second funding stream (funding from the organization to the operation), back to the first funding stream (funding to the organization).

In all probability, the first funding stream (funding to the organization) cannot be linked to a terrorist attack. It is more likely that in a directed attack, money can be traced from the organization to the operation through facilitators who serve as conduits between the organization and the attack team. For attacks inspired by terrorist groups (but not directed by the group), which is referred to as the leaderless model, funding will come in its entirety through the third funding stream. It will be generated by the attackers or their supporters through their normal wage income, contributions from family members or supporters, through government entitlement money or from criminal activity. For attacks inspired and enabled by terrorist organizations, funding might flow from the organization to the operators. However, it is more likely that funding will be generated directly by the operatives, similar to inspired and leaderless attacks. In these instances, it is more likely that the terrorist group provides guidance but not funding.

For comparative purposes, list the six steps of a terrorist attack cycle and determine the funding required to accomplish each step.

During target selection:

  • Was travel required to select a target and to conduct surveillance activity?
    • If so, how frequently and by whom?
    • If so, how far and by what means?

During planning:

  • Were weapons purchased?
  • Were additional surveillances necessary?
  • Were vehicles purchased, rented or stolen?
  • Were there needs for safe houses or other logistical support that would require financing?

During deployment:

  • Were travel, lodging, food and/or communications expenses required?
    • If so, for how many and for how long?

During the attack:

  • Were expenses required for command and control?
  • Were expenses required for communications devices?

During the escape:

  • What travel or lodging expenses were necessary?
  • Were they necessary for attackers and/or support elements of the attack?

For exploitation:

  • Were there internet and media expenses or other communications requirements?
  • Was exploitation driven by a core group, an affiliate or the operatives?

In addition to assessing the funding requirements for each step of the terrorist attack cycle, it is important to determine if the attack was an inspired leaderless attack conducted by one or more homegrown violent extremists, an attack that was inspired and enabled or guided by a terrorist group but carried out by homegrown individuals or cells, or an attack that was directed by a terrorist group and conducted by group operatives. This is where understanding and visualizing the three funding streams terrorists rely on should be factored into the assessment. In all terrorist incidents, the third funding stream (funding for operatives), will be required. In leaderless-inspired attacks conducted by homegrown violent extremists, all funding will come through the third funding stream. In most directed attacks and in some enabled attacks, funding will flow back to the second funding stream, which is from an organization to operations.

Comparing Similar Attacks to Develop Commonalities

AML and terrorist financing monitoring filters are inherently reactive. Terrorist financing is particularly challenging to identify. “It is virtually impossible to develop and implement monitoring systems to identify the full gamut of terrorist financing.”4 By focusing on and comparing similar terrorist attacks to each other, common themes and common funding requirements can be identified through analysis. By developing common patterns of activity, more innovative monitoring and detection mechanisms will evolve. From an AML perspective, by assessing common terrorist attacks consistent with the terrorist attack cycle, “financial institutions should be able to identify funding flows and fragments of financial intelligence in the use of financial mechanisms and spending patterns needed to facilitate such activity.”5

FBI Director Wray’s congressional testimony from December 7, 2017, offers a good gauge for categorizing similar terrorist attacks for assessment purposes. As previously mentioned, they should be categorized and compared to each other by whether they were inspired, enabled or directed. From those three basic categories, they can be broken down further. For example, take inspired attacks. Were they attacks involving explosives or firearms or were they attacks involving vehicles and knives? Take attacks like Paris, Belgium, Manchester and Barcelona. They range from being enabled to directed, but have many commonalities that warrant comparison. Then, assess the directed attacks that took years to plan and execute, and compare them to the 9/11 and Mumbai attacks.


The more we can understand about the terrorist attack cycle and the three funding streams used by terrorists, the more likely we can detect and disrupt terrorist financing. The more we can be innovative and proactive, the more likely we can detect and disrupt terrorist financing. The more we are “urgently” reactive to terrorist incidents, the more likely we can contain the situation.

In most instances, we react to a terrorist event that has occurred. The more “urgently” reactive our response, the better we support terrorist investigations to resolve specific incidents. From the standpoint of lessons learned, by comparing and assessing similar terrorist attacks, we can develop innovative and proactive mechanisms that can be used for more targeted purposes as disruptive mechanisms to prevent future attacks. One thing that resonates throughout AML compliance is that AML professionals are extremely dedicated and strive to identify signs of money laundering and terrorist financing.

For as many terrorist attacks as the world has encountered, many more have been prevented by law enforcement. This is where financial institutions and dedicated AML professionals can play a pivotal role. Finance and communications are the biggest vulnerabilities for terrorists. When we can assess financial intelligence in new or different innovative ways, such as assessing the financial requirements of the terrorist attack cycle and recognizing financial commonalities, more suspicious activity can be identified and reported. How rewarding would that be for AML professionals?

Dennis M. Lormel, CAMS, internationally recognized CTF expert, president & CEO, DML Associates LLC, Lansdowne, VA, USA

  1. Christopher A. Wray, “Statement of Christopher A. Wray Director Federal Bureau of Investigation Before the Committee on Homeland Security and Government Affairs United States Senate at a Hearing Titled, ‘Threats to the Homeland,’” Department of Justice, September 27, 2017.
  2. Dennis Lormel, “Assessing the Catalonia Terrorist Attacks and Placing Them in an AML Context,” ACAMS Today, September 7, 2017.
  3. Dennis Lormel, “Developing Terrorist Financing Typologies for AML Programs,” ACAMS Today, March-May 2017.
  4. Ibid.
  5. Dennis Lormel, “Assessing the Catalonia Terrorist Attacks and Placing Them in an AML Context,” ACAMS Today, September 7, 2017.
