Telegram Groups Hold the Secrets of ISIS-K’s Cryptocurrency Wallet

$2525 was withdrawn from the wallet immediately after the attack, IStories uncovered. According to the detainees, they managed to receive payment of the same amount onto a card.

28 Mar 2024
Heavy police presence at Crocus City Hall the day after the terrorist attack / AFP

IStories have identified the crypto wallet associated with the Islamic State – Khorasan Province (ISIS-K) from which an amount equivalent to that declared by Crocus City Hall terrorism suspect, Shamsidin Fariduni, was withdrawn immediately after the attack.

We have discovered an entire network of Telegram chat groups which, according to several indicators, are affiliated with the Tajik wing of the ISIS terrorist group, ISIS-K. With assistance from a native Tajik speaker, as well as orientalist Ruslan Suleymanov, we were able to familiarize ourselves with some of the content.

In these chats, sympathizers of the Islamic State communicate with each other in what the native speaker described as a poorly written mixture of Tajik and unconventional slang. Ruslan Suleymanov noted that the ISIS adherents use Tajik in conjunction with Russian, Farsi, and Arabic. Members of these groups listen to online sermons conducted by individuals associating themselves with ISIS-K.

Following the arrest of the Crocus terror attack suspects on 23 March, Fariduni stated that after listening to several sermons on Telegram, an unknown person contacted him with the offer of committing a mass murder, paying him 250,000 rubles out of a promised 500,000 in the process.

In early March, a member of a similar Telegram chat, presumably involved in recruiting militants, posted a link to collect cryptocurrency donations for “the families of those in captivity” (i.e., detained ISIS terrorists). He later deleted his account. The Telegram channel promoting the collections is administered in Russian and Tajik, with Russian-language Islamist propaganda also being published there.

ISIS-K’s wallet transactions and a post about fundraising found in an affiliated Telegram channel

The USDT wallet was created on 14 March at 10:24 AM MSK. The first tranche of $550 was received immediately, followed by $325, two installments of $550, and $1100 (a total of $2525), which were received and withdrawn on the day of the terrorist attack, 22 March, between 7:20 and 18:55 UTC (from 10:00 to 21:55 MSK). The funds were withdrawn to the wallet address TU4vEruvZwLLkSfV9bNw12EJTPvNr7Pvaa, which is officially registered to ByBit, one of the few cryptocurrency exchanges still operating in the Russian Federation.

According to the Investigative Committee, the militants left Crocus at 8:11 PM MSK. Road camera data shows that the suspects were eventually detained at around 12:00 AM MSK. This means that the funds were withdrawn sometime during this time period. On the same day, the wallet activity ceased.

The wallet address can be found on the ByBit website

Shortly after the publication of the original Russian article, IStories noticed that the administrators of the ISIS-affiliated Telegram channel collecting donations had been cashing out the funds in Syrian pounds from at least early March. It additionally became apparent that ISIS had previously collected part of the donations through the Russian payment service YooMoney onto cards registered at the U.S. bank, University First. Sberbank accounts also made donation payments to these foreign cards, which were presumably stolen.

Photo taken from the ISIS donation report

The Investigative Committee reported the detention of another suspect in connection with the Crocus terrorist attack, who, according to the investigation, was involved in the “terrorist financing scheme.” Investigators stated that during the investigation they received “evidence that the perpetrators of the terrorist attack received significant amounts of money and cryptocurrency from Ukraine, which were used in preparation of the crime.”

No mention of any Ukrainian connection was made during the interrogation of the detainees. Considering that the transactions of the Islamic State – Khorasan Province militants were carried out through the ByBit exchange, the receipt of funds from Ukraine into the accounts of the accused cannot serve as evidence of Ukraine's involvement. Moreover, Russian law enforcement agencies likely have the technical and operational capabilities to connect a specific person to the wallet from which the funds were initially transferred.

One of the accused, Dalerjon Mirzoyev, told law enforcement officers that 10-12 days before the attack, he connected with someone named Abdullo on Telegram. This same Abdullo allegedly bought a car for 250,000 rubles, which the militants presumably used to arrive at Crocus and hide from law enforcement. Investigators from Radio Liberty highlighted that Fariduni held numerous social media accounts under the pseudonym Abdulloh. According to investigators, the vehicle was purchased by Fariduni.

Translated by Sasha Molotkova