Warning: Europe Terrorist Explosive Stockpiles

Posted on May 25, 2016May 25, 2016 by Denise Simon

Terrorists likely stockpiling explosives in EU, says Europol

The threat of terrorists attacks in the EU remains the top national security concern among member states, with some 211 foiled plots last year alone, according to a top EU security official.

The threat of another attack similar in scale to the Paris attack in November last year or in Brussels this past March has national authorities on edge. Manuel Navarrete Paniagua, the head of the European Counter Terrorism Centre at the EU police agency Europol, told euro-deputies on Monday (23 May) that terrorist cells in the EU were likely stockpiling explosives for later use.

“We have some information reported by the member states that terrorists groups are trying to establish large clandestine stockpiles of explosives in the European Union to be used eventually in large scale home attacks,” he said.

Related: EU Terrorism Situation and Trend Report

Paniagua was briefing MEPs in the civil liberties committee on the yet-to-be published EU Terrorism Situation & Trend Report (TE-SAT) compiled by Europol and member states.

The report is set for publication in a few weeks’ time.

Paniagua cited figures and broader conclusions due in the report, noting that “jihadist terrorism” remains the top threat to security in the European Union.

The latest attacks in the EU suggest much better coordination among the terrorists than previously thought. He said their combined use of explosives and firearms was also a novelty and a threat that is evolving rapidly.

Authorities have yet to nail down any single profile of a home-grown terrorist or foreign fighter.

But he said many have petty criminal backgrounds. He pointed out a significant proportion of foreign fighters have also been diagnosed with mental problems.

More than 4,000 so-called foreign fighters have been identified in the EU and entered into a Europol database.

“Using the terrorist financial tracking programme, we provided last year more than 2,700 leads regarding foreign terrorist fighters to the member states,” he said.

Some 1,057 people were also arrested last year on terrorism-related offences, he said.

He said there are also unconfirmed reports that some jihadist militants have set up training camps in the Western Balkans and some EU states.

Terrorists and migration flows

Other concerns related to terrorists exploiting the migration flows from Turkey and elsewhere to enter the European Union.

“We found no evidence of the systematic of using this flow to infiltrate terrorists into the European Union. But they do, they use it, we have some cases, some of the people that perpetrated the Paris attacks were eventually disguised in this immigration flow,” he said.

Paniagua said migrants were being victimised twice as result. First they flee terrorists and then again when the same attempt to infiltrate the EU by hiding among the refugees, he said.

“Again, we have no indication that this systematic,” he said.

Earlier this month, Europol announced it would deploy some 200 counter-terrorist and other investigators to migrant arrival centres known as hotspots in Italy and Greece.

Related: Implementing the European Agenda on Security:
EU action plan against illicit trafficking in and use of firearms and explosives.

Of those, Europol said it would dispatch around 50 “at key points on the external border of the EU” to track down and help identify suspected criminals and terrorists.

A European Commission report earlier this month noted that Turkey is suspected to have around 1,300 Turkish citizens fighting alongside Islamic militant groups in Syria and Iraq.

It noted that the plan to lift visa restrictions on Turkish nationals “could potentially have an impact on the terrorist risk in the EU”.

*****

For the United States, the Warning from DHS in 2011

(U//FOUO) DHS Warning: Terrorists Making Explosives With Commercial Products

November 2, 2011

Terrorist Acquisition of Commercial Products for Improvised Explosive Device Production(U//FOUO) Recent plots and attacks in the Homeland and overseas demonstrate a continuing terrorist focus on acquiring commercially available materials and components that can be used in constructing improvised explosive devices (IEDs). Heightened public and state and local official awareness, as well as tightened legal controls, have made it more difficult to purchase certain products that contain explosive precursors in bulk quantities or concentrated forms. Operatives are now more likely to use surreptitious, though legal, methods—such as multiple purchases in smaller quantities—to acquire sufficient amounts to create explosives.

— (U) On 27 July 2011, investigators found precursor chemicals and other IED components, including smokeless powder, clocks, batteries, wires, and other items commonly used to make IEDs in the hotel room of a US Army soldier who allegedly sought to target military personnel.
— (U) The admitted perpetrator of the 22 July 2011 attacks in Oslo, Norway avoided law enforcement suspicion by acquiring through legal means the ammonium nitrate, aluminum powder, nitromethane, and blenders he used in constructing IEDs.

(U//FOUO) Commercial products containing precursor materials may include:
— (U//FOUO) Fertilizer and first aid cold packs (ammonium nitrate).
— (U//FOUO) Swimming pool chemicals (calcium hypochlorite/hydrogen peroxide).
— (U//FOUO) Some types of water filtration/treatment systems (potassium permanganate).
— (U//FOUO) Beauty supply products (hydrogen peroxide and acetone).
— (U//FOUO) Industrial cleaning supplies (hydrochloric acid or sulfuric acid).

(U) Potential Indicators of suspicious purchases: Most commercial products suitable for constructing IEDs serve legitimate purposes. Consequently, it is often difficult to identify purchases or other activities that may be associated with terrorist intent to create explosives. No single indicator is likely to divulge suspicious purchases, but, depending on specific circumstances, a combination of the behaviors listed below may warrant reporting and investigation:

— (U) Attempts to purchase all available stock or materials in bulk, especially by individuals with no previous history of bulk purchases.
— (U) Payment or insistence on payment in cash for bulk purchases, or using a credit card in another person’s name.
— (U) Insistence on in-store pickup instead of store delivery of bulk purchase.
— (U) Use of rented or out-of-state vehicle to transport bulk purchases.
— (U) Smaller purchases of the same products at different locations within a short period of time.
— (U) Displays of nervous or suspicious behavior and evasive or vague responses to questions about intended use of products.

(U//FOUO) For additional information, please see DHS-FBI Joint Homeland Security Assessment “(U//FOUO) Use of Common Precursor Chemicals to Make Homemade Explosives,” 10 August 2010; and Roll Call Release “(U//FOUO) Indicators of Suspicious Acquisition of Beauty Supply Products,” 26 February 2010.

How the Military is Defeating Hackers

Posted on May 25, 2016May 25, 2016 by Denise Simon

Here’s how the US military is beating hackers at their own game

Paul Szoldra

US Soldiers Iraq Staff Sgt. Stacy L. Pearsall/USAF

TechInsiders: There’s an unseen world war that has been fought for years with no clear battle lines, few rules of engagement, and no end in sight.

But it’s not a shooting war; not a war where combatants have been killed or wounded — at least not yet.

It’s a war that pits nations against each other for dominance in cyberspace, and the United States, like other nations employing professional hackers as “cyber soldiers,” sees it as a battlefield just like any other.

“It’s like an operational domain: Sea, land, air, space, and cyber,” Charlie Stadtlander, chief spokesperson for US Army Cyber Command, told Tech Insider. “It’s a place where our presence exists. Cyber is a normal part of military operations and needs to be considered as such.”

As US military leaders warn of the growing progress of Russia, China, and North Korea in cyberspace, the Pentagon has ramped up its own efforts in what it calls the “cyber domain” after the release of a new cyber strategy in April 2015.

“This ephemeral space that’s all around us, literally, is a space where operations can be performed against us,” Frank Pound, a program manager who leads DARPA’s “Plan X” cyber warfare platform, told Tech Insider. “And how do we defend against that? How do we detect that?”

Building a cyber army

In its cyber strategy, the military proposed 133 teams for its “cyber mission force” by 2018, 27 of which were directed to support combat missions by “generating integrated cyberspace effects in support of … operations.” (Effects is a common military term used for artillery and aircraft targeting, and soldiers proclaim “good effect on target” to communicate a direct hit).

The cyber mission force will comprise some 4,300 personnel. But only about 1,600 of those would be on a “combat mission team” that would likely be considered to be taking an offensive hacking role. They are up against China’s own “specialized military network warfare forces,” North Korea’s secretive Bureau 121 hacker unit, other nation-states, hacktivists like Anonymous, and criminal enterprises alike.

They have been further tasked with breaking into the networks of adversaries like ISIS, disrupting communications channels, stopping improvised explosive devices from being triggered through cellphones, or even, as one Marine general put it, just “trying to get inside the enemy’s [head].”

Online hacks can lead to offline outcomes, and the military has become keenly aware of that power. In 2009, the US and Israel reportedly infected Iranian computers with the Stuxnet malware that destroyed roughly one-fifth of the country’s nuclear centrifuges. And as recently as February, hackers were used against ISIS as others fought on the ground, quite possibly for the first time ever.

“These are strikes that are conducted in the war zone using cyber essentially as a weapon of war,” Defense Secretary Ash Carter told NPR. “Just like we drop bombs, we’re dropping cyber bombs.”

As one Army officer said during a 2015 training exercise, the cyber war seems to just be getting started: “Future fights aren’t going to be guns and bullets. They’re going to be ones and zeroes.”

soldiers cyber command Brian Rodan/US ArmySoldiers work together during a training exercise in 2011.

‘Prepping the battlefield’

That the Pentagon would employ specialists to defend itself in cyberspace is not surprising, since government and military systems are attacked regularly by nations trying to read soldier’s email, or others who want to uncover personal details on millions who undergo background checks for security clearances.

But the defense of networks — while still an important function — has been supplanted in some cases by an offensive strategy. That is, soldiers hacking into computers overseas for intelligence or to disrupt the enemy on the battlefield — a kind of digital tit-for-tat.

“If there’s something that you can do to prep the battlefield before a kinetic attack or to disrupt defenses during kinetic attacks, why wouldn’t a combatant commander turn to that?” Stadtlander said.

Stadtlander couldn’t talk about ongoing operations that Army Cyber Command is involved in, mainly due to the unique nature of cyber warfare. An enemy who knows the US is developing a next-generation fighter jet might develop something in response that could take years, but with a cyberattack, a fix can be developed sometimes within days.

“The unique thing about cyber activity and defense is you’re talking about building a couple thousand lines of code or having a certain electronic device, or some sort of cyber capability. And just based on the nature of this space, a lot of times it can only be used once,” he said. “Once it’s known … it’s no longer a viable tool.”

Still, some insight into what the US military is capable of can be found within its own training manuals, presentations, and the few news stories by the military’s own writers. And it’s likely that hackers with Army Cyber Command, subordinate to US Cyber Command and NSA, benefit from top secret initiatives to infect “millions” of computers with malware in an effort aimed at “owning the net.”

“Denying the ability to coordinate, communicate, and assess,” Stadtlander said. “That’s an advantage that we might be able to leverage.”

Inside the Army’s cyber warfare ‘Bible’

Perhaps one of the most important publications on cyber warfare was released with little fanfare in Feb. 2014. Known as Army Field Manual 3-38 Cyber Electromagnetic Activities, it proclaimed itself as the “first doctrinal field manual of its kind,” unifying a number of other publications on network operations, electronic warfare, and intelligence into one 96-page document.

In FM 3-38, the Army defined offensive cyberspace operations as actions “intended to project power by the application of force in or through cyberspace,” while noting they are to be carried out in support of command objectives and within legal frameworks.

But what can soldiers do in cyberspace that can affect what happens on the battlefield? Quite a bit, according to the manual.

us army cyber soldier US Army

“A cyberspace attack may be employed in conjunction with” other methods of attack “to deceive, degrade, destroy, and disrupt a specific enemy integrated air defense system or enemy safe haven,” it says.

As an example, the manual offers an early warning radar site as a target which, if soldiers can get inside the network, could possibly be destroyed or degraded.

That’s just what students trained for during an exercise in March, according to the Fort Gordon Globe. Acting just as they would on the battlefield, cyber soldiers patrolled to their objective — a simulated enemy air defense control system — then searched for their target’s wireless network so it could be exploited or neutralized.

There’s little need for stealth coating on aircraft when a guy behind a computer can disable the radar site for you. The manual also offers other systems Army hackers may consider breaking into, such as enemy telephone networks, servers, and smartphones.

“Even if you think about the way that IEDs are triggered,” Stadtlander said, using the acronym for improvised explosive devices. “Or an adversary’s [intelligence, surveillance, and reconnaissance], a lot of these are done through electronics and with internet connections.”

Getting into the Army’s ‘hacker university’

Located just southwest of Augusta, Georgia is Fort Gordon, an Army installation that brings together most of the service’s cyber warriors under one roof. In 2013, the Army chose the site as the home base of its Cyber Command after the unit was established in 2010.

Also home to a 604,000 square foot operations center for the National Security Agency, Gordon is where cyber warriors are taught their craft at what the Army calls its Cyber Center of Excellence. But before they get to the military’s “hacker university,” enlisted soldiers need to score high technical scores on the military entrance exam, and sign on for five years of service, instead of the normal four-year tour.

army cyber command US ArmyInsider Fort Gordon’s Cyber Operations Center.

Due to the classified nature of their work, cyber training is often conducted in secure compartmented information facilities (SCIFs) where cell phones and other outside recording devices are not allowed, and all soldiers will have to obtain a Top Secret clearance prior to being assigned to their unit.

Soldiers go through a lengthy period of training after basic training: Six months spent at the Navy’s Center for Information Dominance in Pensacola, Florida followed by six months at Fort Gordon.

Army officers go through their own training program at the Georgia base, called Cyber Basic Officer Leader Course. The course takes nearly nine months to complete and is the longest officer training program in the Army.

Enlisted soldiers train with members of all military branches over six months at the Navy’s Cyber Analysis Course, according to Bloomberg. Since students can come from a variety of skill sets and backgrounds, the first two-thirds of classroom time focuses on basic programming, mathematics, and how networks and operating systems function. But later on they learn the steps to research and infiltrate targets, defend networks, and even hack a simulated network with Metasploit, a common tool hackers have used since its release in 2004.

Meanwhile, officers receive similar training, though their position merits other coursework in leading operations as opposed to carrying them out. Though a cyber officer can likely step in and be more than capable, given the certifications they obtain, to include Cisco’s Certified Network Associate (CCNA) and the independent Certified Information Systems Security Professional (CISSP) credential.

“They are really valuably trained after that [schooling],” Stadtlander said.

So valuable in fact that the Army is seeing a challenge in retaining its talent from heavyweights in Silicon Valley.

Is hacking considered an ‘act of war’?

Chinese Army Hackers via Flickr

“There is no international standing or framework that is binding over any one nation-state in terms of offensive cyber operations,” Bradley P. Moss, a national security lawyer, told Tech Insider. “It’s whatever rules we put in place for ourselves.”

In essence, the US, China, Russia, and others are operating in a sort-of “digital Wild West” with few overarching guidelines outside of the Law of War that predates our interconnected world.

Cyber warfare continues unabated because there is no governing body such as the United Nations telling nations not to hack one another. Not that that would necessarily make a difference, as a 2014 UN report criticized mass surveillance programs employed by NSA and others as violating privacy rights “guaranteed by multiple treaties and conventions,” The Intercept reported.

Still, Moss explained that nations are less concerned with the legalities of hacking each other, and instead, worry about the potential diplomatic and political fallout should they be exposed.

“More or less, we all engage in some manner of warfare these days, we just don’t go to ‘war’ over it,” Moss said.

How foreign nations would likely respond to being hacked by the US is something that is considered before any offensive operation, according to a top secret presidential policy directive leaked by ex-NSA contractor Edward Snowden.

The document, made public in 2013, listed cyber attacks resulting in “loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact” as requiring presidential approval.

And for US military hackers who may be on a battlefield in Iraq, Syria, or elsewhere, their self-imposed rules for cyber attacks are clear:

“Military attacks will be directed only at military targets,” reads the Pentagon’s cyberspace operations document.

us army cyber command US Army

But what of cyber attacks that have potentially devastating effects on foreign nations, such as US-made worms that cause nuclear centrifuges to fall apart, or alleged Russian-made malware that knocks out power and heat to people in the dead of winter?

Are these “acts of war”?

“From a strictly legal matter, you could designate the US Army hacking the Russian Army’s [computer] system as an act of war,” Moss said. “Just as much as if we were to have infiltrated and damaged a Russian bomber, that would be an act of war.”

But, he added: “There’s nothing that necessarily stops us, except the political and diplomatic ramifications.”

Europe: Micro-financing of ISIS

Posted on May 25, 2016May 25, 2016 by Denise Simon

Microfinancing the Caliphate: How the Islamic State is Unlocking the Assets of European Recruits

Author(s): Magnus Ranstorp

CTC/Abstract: Islamic State recruits from Europe are raising significant funds for the group through multiple microfinancing techniques within the European Union. Moneymaking schemes have included petty theft, fraudulent loan applications, social insurance fraud, and VAT fraud. A range of techniques are being employed by aspiring and active European Islamic State operatives to transfer money to the Islamic State in Syria and Iraq, including bringing money with them when they travel to join the group, withdrawing funds from money transfer businesses operating along the Turkey-Syria border, sending cash couriers, and using the hawala system. To shrink this funding pipeline, financial intelligence must be better integrated into EU counterterrorism efforts.

Much attention is focused on the Islamic State’s macro-level financial resources from within Syria and Iraq, where oil sales, plundering, and taxation as well as donations are the group’s primary funding sources. The Islamic State is also known to raise significant funds from exchange rate manipulation and transactions in Jordan and Iraq.[1] There has been, however, less focus on the range of foreign terrorist fighter (FTF) microfinancing schemes and transactions within Europe. This article explores the range of methods used by European Islamic State FTFs to raise and then transfer funds to Islamic State coffers. It is based in large part on a study conducted for the Swedish Financial Supervisory Authority focusing on FTFs from northern European countries as well as extensive interviews with law enforcement, financial investigators, and intelligence officials.[2]

A Caliphate Cashing In The Islamic State is encouraging each individual recruit to bring whatever assets are available to contribute to the group’s cause. The resulting efforts are often well-organized. As this article will outline, FTF microfinancing schemes range from sophisticated VAT (value-added tax) fraud schemes to benefit fraud. Money Service Businesses (MSBs) like Western Union, Moneygram, and a myriad of other companies operating along the Turkish-Syrian border are heavily used to transfer money, including to middlemen in Turkey and Syria.

The scale and scope of the travel of European FTFs to Syria and Iraq to join the Islamic State is unprecedented. It is estimated that around 5,000 European Union nationals have joined the Islamic State and to a lesser extent Jabhat al-Nusra since the onset of the Syrian civil war. While there are significant numbers of FTFs departing from France (1,700), Germany (800), and the United Kingdom (700-1,000), there are other smaller states with proportionately higher ratio of their Muslim population leaving for Syria. Belgium has 470 FTFs (including 50 women) who have joined the Islamic State. In Austria, there are over 300 FTFs (with a high proportion of individuals of Chechen descent), which is probably a spillover effect of its vicinity to the Western Balkans, an area from which several hundred FTFs have departed.[a] There are an estimated 210 FTFs from the Netherlands. Denmark has 135 FTFs, and Sweden has 299 FTFs, out of which at least 45 are women. In Scandinavia there is a cumulative total of 500 FTFs with almost 200 who have returned.

The large number of European FTFs have provided the Islamic State with significant incoming cash flows. Facilitators encourage aspiring fighters to raise as much money as possible before immigrating to the Islamic State. These facilitators help the recruits identify ways to unlock funds. Recruits with good credit histories and those well placed to defraud financial institutions, as well as those with a network of contacts willing to provide funds, are particularly prized.

Financial contributions vary according to the recruit’s individual financial position, ability, and situation. Often male recruits come from dysfunctional families or single-parent families (often without a father) and with multi-criminal backgrounds, having past convictions for drug offenses, theft, or violence. Many have operated together with territorial criminal gangs. Acquiring available funding provides FTFs with enhanced status and position upon their arrival in Syria with the Islamic State, providing significant incentives for them to raise as much cash as possible.

Consequently, there are a number of indicators that may allow law enforcement to identify FTFs before travel. FTFs often make sudden asset sales or transfers ahead of their departure. They often quit their jobs if they have one, and they commonly make unusually large withdrawals from their accounts. A red flag is unusually high activity in combination with many different loans and cash withdrawals. In terms of company financial activity, recruits often generate very large revenue in short periods. Credit is accumulated, and business purchases are at high levels to maximize credit limits with orders placed within a short period, with purchases often of IT or mobile phones. Bills are never paid. This means that by the time recruit has traveled, unpaid invoices accumulate.

FTFs travel to and from the principal conflict regions in Syria or Iraq through direct or indirect air travel routes (they often break up travel patterns to disguise destination) or through various land routes to staging points in Turkey, Jordan, and Lebanon. Turkey is a key hub for FTFs and for funding sources, particularly because of its long, porous land border with Syria. Often FTFs fly into Istanbul and then proceed to fly to Hatay or other airports closer to the Turkish-Syrian border. Some are turned back in Istanbul but then travel via boats through the Greek archipelago to gain entry to Turkey. Many FTFs now avoid Istanbul altogether because they are regularly refused entry. Instead they travel to charter destinations close to Syria. There have been cases of travel through several detour destinations.

There are a range of options used by European FTFs to transfer funds to the Islamic State. Some bring cash on their person across the border in to Syria even though there is a risk the funds will be confiscated by border security agents along the route. This has led others to withdraw funds from Money Service Businesses (MSBs) stationed in the Turkey-Syria border area. Groups of Europeans on their way to join the Islamic State sometime use fixers in the border region to withdraw funds from MSBs, as do Europeans who have already joined the group.[3]

All this has made Turkey a key hub for the flow of funds to Syria for terrorist use, especially its border towns with Syria. Intelligence suggests that foreign fighters engaged in fighting in Syria withdraw cash from ATMs on the border of Turkey and Syria and that the facilitators who bring them back and forth across the border play a key role in aiding this monetary activity.[4] Periodic withdrawals occur over prolonged periods along the border areas through MSBs. Small amounts of EUR €500–EUR €1,000 are typically withdrawn to avoid suspicions.

This article will now explore in detail how European FTFs are (1) raising funds for the Islamic State and then (2) transferring this money to the group in Syria and Iraq.

Part 1: Raising Funds It is important to recognize that there are many legal fundraising activities that are exploited by FTFs, particularly the large charitable sector. The complexity of the crisis in Syria and huge need for humanitarian assistance make the issue of detection of terror finance extremely sensitive and difficult. A few aid agencies operate under strict Islamic State supervision (by the Islamic State Department of Relief) and no international staff is present.[5] Both charities that are genuinely seeking to provide humanitarian assistance and fake charities that have been set up to channel funds to the Islamic State operate under these conditions. A 2014 Financial Action Task Force (FATF) report found that well-intentioned non-profit organizations (NPOs) most at risk of having funds requisitioned by the terrorist groups were “those engaged in ‘service’ activities … operating in close proximity to an active terrorist threat” and those “that send funds to counterpart or ‘correspondent’ NPOs located in or close to where terrorists operate.”[6]

Another common method of individual Muslim contribution is through Tajheez Al-Ghazi, which roughly translates as waging jihad by proxy by those unable themselves to travel.[7] This typically involves a complex web of sponsorship with no central hub or connector, which makes this type of effort difficult to pinpoint and counter. Funds can be distributed via humanitarian channels, or it may be as simple as buying someone’s airline ticket or sponsoring a piece of equipment. For FTFs from Middle Eastern countries, this contribution is often collected through online crowdfunding from sources in the Gulf States, and there is concern such activity is also going on in Europe.[8]

Theft and Petty Crime European FTFs have funded their travel to Syria through a range of illicit streams including thefts and petty crime. The fact that a significant number of FTFs have past criminal convictions means they already have experience in raising funds this way. Extremist preachers have justified such criminal fundraising on religious grounds. A prime example was Khalid Zerkani, a Moroccan veteran of the Afghan Jihad who recruited dozens of Belgians to fight jihad in Syria between 2013 and 2014, including the team leader of the Paris attacks Abdelhamid Abaaoud. Zerkani was known as “Papa Noel” by his acolytes in and around the Brussels district of Molenbeek because he encouraged them to rob people in the street and steal the luggage of tourists and then distributed the proceeds to fund their travel to Syria. One Brussels-based FTF received €5000 ($5700) from Zerkani to make the trip.[9]

Bank Fraud Many FTFs have taken out loans from banks[b] without any intention of paying them back. Amedy Coulibaly, who attacked a kosher grocery store in Paris in January 2015, took out a €6,000 ($6,700) bank loan in Lille using a fake payslip shortly before the terrorist attack.[10] Some FTFs have applied for the funds via internet applications. In Sweden there are several cases of FTFs taking out unsecured bank loans in combination with other types of fraud such as quick loans (SMS loans) and the leasing of SUVs and other cars with no intention of paying them off and every intention of reselling the vehicles.[11]

There are also other types of banking fraud. In the United Kingdom, the Metropolitan Police unravelled a large-scale fraud by British FTFs in March 2015 who had pretended to be police officers and were targeting elderly citizens for their bank details. After telling them their bank accounts had been compromised, the FTFs instructed their victims to transfer money to an account under the control of the fraudsters.[12] In May 2016, eight individuals were jailed for defrauding U.K. pensioners out of more than £1 million ($1.44 million). Around 140 frauds or attempted frauds were discovered by the investigation; the group had used “16 telephone lines to make 5,695 calls to 3,774 different numbers.”[13]

VAT and Business Fraud The issue of withholding VAT payment is a very common and lucrative method for terror financing. Very large sums can be generated quickly via consumer goods that are easily resold. In Sweden, a 30-year-old salafi preacher, influential among FTFs, was charged with VAT fraud amounting to SEK6 million ($740,000) in a scheme lasting four months during the first quarter of 2013. He purchased mobile phones and tablets for SEK29.7 million ($3.6 million) in the United Kingdom and sent the order to his company in Finland. He then resold the shipment to a 23-year-old Swedish FTF and his company in Bergsjön. SEK5 million is believed to be missing still and is thought to be in the Middle East or North Africa.[14]

Another Swedish case involves the combined VAT fraud of the 20-year-old son of the late Islamic State of Iraq leader in Mosul (Mohammed Moumou who was killed in 2008 by U.S. forces in Iraq) and a 25-year-old man who worked as case officer for the Swedish Tax Authority.[15] The pair established a company with no employees and began importing iPhones from Lithuania for SEK28 million ($3.4 million), which they resold to retail outlets at a bargain price, withholding payment of any VAT to the Tax Authority. Owing SEK7.1 million ($870,000) in VAT payments, the company had no assets. Simultaneously, the 25-year-old had taken out several loans from SEB, Swedbank, Bank Norwegian, and dozens of other credit institutes amounting to SEK1 million ($120,000).[16] Criminal proceedings were transferred to Turkey and other countries in the region. There are indications these two individuals were part of a much broader financial, criminal enterprise led by Soheil Raffieé Bakhtiarzadeh and Shahin Raffieé Bakhtiarzadeh, two brothers wanted by Europol, on request by Sweden, and involving dozens of companies.[17]

These kinds of VAT carousels where phones are sold and resold to different companies create profitable criminal proceeds. In business jargon, these so-called “missing traders” receive a VAT number and then trade quickly before dissolving their companies.[18]

Another case of VAT fraud was perpetrated by Abdessamad Fateh in Denmark. Also known as Abu Hamza, he was officially designated by the United States as a foreign terrorist fighter and “a member of a Scandinavia-based network of extremists allegedly linked to al-Qa’ida, [who] has traveled to Syria.”[19] [c] Abu Hamza had been arrested previously as a suspect in a terror plot against the cartoonist Kurt Westergaard at Jyllands-Posten in 2008. He owned a company importing large quantities of chicken and cheese from Germany to Denmark and failed to pay DKK3 million ($460,000) VAT in a scheme in which accountants acted as facilitators through a series of shell companies—including a travel agency—that were created and then dissolved.[20]

VAT fraud can assume massive proportions. In 2014 Italian authorities discovered that so-called carbon credit and VAT fraud had occurred between 38 middlemen who sold carbon-credit between Italian SF Energy and a series of companies in Denmark, Germany, the Netherlands, and the United Kingdom. This €1.15 billion ($1.3 billion) tax scam resulted in significant funds being channeled to the Taliban via bank transactions in Cyprus, Hong Kong, and the UAE.[21]

Often these VAT fraud schemes involve fake addresses or designated “fall guys” who assume the legal and financial consequences. This enables the real culprits to continue the scheme elsewhere.

Lease/Loans of SUVs and Cars One of the most common fraudulent practices is to secure a car loan or leasing option with no intention of paying back the debt. This provides Islamic State sympathizers with opportunities to send cars to the Islamic State in Syria. Often these cars are larger SUVs. For example, Toyota Hilux pickups and Toyota Land Cruisers retrofitted with heavy weapons frequently appear in Islamic State propaganda videos in Iraq, Syria, and Libya.

Toyota Hilux models, for example, whether stolen or purchased, are shipped from around the world to Turkey. There are numerous reported cases of the vehicles coming from as far away as Canada and Australia.[22] Vehicles are also often driven from Europe to Turkey and then into Syria by FTFs. Turkish border authorities require coupling a driver with a foreign-registered vehicle for each entry/exit into Turkey. These transfers have become more difficult.

Social Insurance Fraud The issue of social insurance or benefit fraud has been flagged as a method exploited by FTFs in Syria and Iraq. Much of this problem stems from inadequate control systems requiring unemployed individuals to report regularly to authorities. In some EU states the problem has been exposed by inquiries by authorities. For example, investigation in Denmark revealed that 32 FTFs had received social insurance benefits amounting to DKK379,000 ($58,000) while they were in Syria fighting for the Islamic State.[23]

In Britain a probe has been launched to examine the extent to which British FTFs are abusing the taxpayer social insurance system through false claims, online fraud, and student loans. Police officials have confirmed that women were being used to smuggle out cash derived from benefit fraud as they aroused less suspicion.[24] In July 2015, the Department of Work and Pensions (DWP) Fraud and Error Service launched a wide probe into the extent of this benefit fraud. Investigations were prioritized after three women from Bradford with nine children between them claimed benefits and had allegedly left for Syria.[25]

In Belgium in August 2013, the cities of Antwerp and Vilvoorde stopped welfare payments to 29 FTFs as they did not live at their registered address. These FTFs had managed to access their bank accounts via ATMs across the border in Turkey and withdraw money.[26] The Dutch authorities took steps to freeze the payment of social benefits to 85 FTFs.[27] In France, authorities decided to cut welfare benefits last year for 290 persons identified as jihadis.[28]

Social Media Crowdfunding As mentioned above, intelligence officials have flagged crowdfunding as an emerging source of funding for the Islamic State and its terror activity.[29] Crowdfunding for specific projects combines clever social media and emotional telethons with the fundraising power of a multitude of individuals. Establishing charitable NPOs for this purpose can attract funding through diverse social media sites. According to FATF reports, there are plenty of cases where the appeals for supply and equipment were quickly matched and specific instructions were given over encrypted platforms about where to direct the funds.[30]

Part 2: Transfer of Funds Interviews the authors conducted with Western intelligence and law enforcement officials provide a picture of how European FTFs are transferring funds to the Islamic State. It is important to note the Islamic State still relies on access to banking services in Syria and Iraq and in neighboring areas contested by the group. According to one report, “in Iraq alone, approximately ninety such international bank branches continue to operate in contested areas of Ninawa, Salah al-Din, Anbar, and Kirkuk provinces.”[31] One of its most important access points to the international financial system are bank branches situated in the border region between Turkey and Syria. The Islamic State was also for a period accessing the government funding of workers, which was provided every month in Mosul. The Iraqi government stopped paying these salaries in Mosul last August.[32]

Money Service Businesses (MSBs) Money remittance and currency exchange providers have been exploited for money laundering purposes and terrorism finance. Like money laundering, terrorists use sequencing or the breaking down of amounts into multiple/sequential transactions below the threshold, thereby circumventing mandatory reporting. They also may employ smurfing[d] or proxy techniques to avoid detection.

MSBs are widely used in Turkey to transfer FTF funds coming from Europe to recipients within the Islamic State using MSB offices and ATMs along border towns straddling the Syrian-Turkish border. Gazientep, Akcakale, Adiaman, Hacipasa, Reyhanli, and Sanliurfa are just some of the places where arriving and departing FTFs can access financial services. After receiving instructions from recruiters and facilitators, FTFs arrive in pre-determined destinations where they take out funds from MSBs through their home country bank accounts or via wired cash.

Regular withdrawals of smaller amounts along the border is common. As noted by U.K. authorities in a 2015 report, “funds are typically broken down in to smaller amounts to avoid the need to provide identification and to avoid detection. Intelligence also indicates that employees have been known to facilitate funds to terrorists through their position within MSBs.”[33] [e]

To avoid detection, the Islamic State regularly changes the playbook it provides European FTFs and their facilitators on how to move money. For example, after Western Union and a number of other MSBs began watching more closely for Islamic State linked transactions in the Syria-Turkey border area, the Islamic State urged aspiring European FTFs to transfer sums under €5,000 ($5,700). For a period of time, they also encouraged them to transfer funds through MSBs to recipients in Bosnia, particularly in the Brcko district, because it was seen as a safer option. Islamic State operatives provided contact details for these recipients.[f]

Pre-paid debit cards Another way FTFs and terrorists conceal their tracks have been through pre-paid debit cards. These can be recharged without identity checks as long as the total amount does not exceed €2,500 ($2,800) per year. They were used to rent hotel rooms outside Paris the night before the November 13, 2015, attacks.[34]

Informal Money Transfer Systems (Hawala) The traditional system of hawala is in operation around the world. In many cases Islamic State financial transactions are conducted through an underground hawaladar network established throughout Iraq, Syria, and beyond. As the Islamic State consolidates control over its provinces, such as in Libya, it is clear the group is relying increasingly on hawala networks for transferring funds.[35] This mechanism will increase in importance as the Islamic State expands in operational areas with infrequent or no access to international financial institutions.

In Europe it has been easier to detect and disrupt hawala networks being used for terrorist purposes. The most prominent case was the 2015 roll-up of a massive, secret hawala network composed of 300 hawaladars with clandestine offices in Spanish cities through 250 butcher shops, grocery stores, and telephone call centers. They managed “the savings of over 150,000 Muslims, many of whom were believed to be receiving social welfare payments from the Spanish state, without any legal oversight. The network allegedly paid the salaries of Spanish jihadis in Syria: They received about $800 if they were single and $1,200 if they were married.”[36]

Cash Couriers The Islamic State uses cash couriers to circumvent multi-layered barriers placed on the group by Western financial institutions. These cash couriers provide essential services for the Islamic State inside Syria and Iraq as well as across the border in Turkey where the money is distributed to trusted networks and used to buy essential equipment.

The system of cash couriers also works the opposite direction with European FTFs and support networks concealing and transporting cash to the Islamic State and their fighters. In one such case, Amal el-Wahabi, a British mother-of-two, was arrested and convicted in the U.K. for trying to smuggle €20,000 ($23,000) to her husband in Syria.[37]

Conclusion FTF microfinancing schemes are important to focus on for a number of reasons. They reveal a disturbing pattern of the Islamic State’s wider and deeper efforts to find funding from a diverse range of sources. For the Islamic State, every recruit holds the potential to unlock financial assets. Focusing on FTF financial sources also provides important insights into the web of the Islamic State’s transnational networks and local recruitment/facilitation focal points. There is a greater need to tackle the Islamic State’s network in Europe using financial enforcement agencies and tools. This requires a more concerted effort by governments to integrate financial intelligence into counterterrorism machinery within and across EU states. This is increasingly urgent as intelligence officials point out that money flows are not just going in one direction—from recruits to the Islamic State in Syria and Iraq. Intelligence now suggests that money is sent from Islamic State sources to recruits and supporters in Europe as ways to fund terror operations.[38]

Dr. Magnus Ranstorp is Research Director (CATS) at Swedish Defence University and Quality Manager at the EU Radicalisation Awareness Centre of Excellence. He has worked on terrorism and counterterrorism issues for over 25 years around the world. Follow @MagnusRanstorp

Substantive Notes [a] This information was collected by Linus Gustafsson at Swedish Defence University throughout 2015-2016 and is based on officially available figures by national authorities or media reports. These figures have been collected from open sources by Swedish Defence University on behalf of the Swedish National Countering Violent Extremism Coordinator every month since mid-2015.

[b] In the 2000s multiple British al-Qa`ida plotters funded their operations through bank fraud. For example, three of those involved in the 2006 transatlantic airline plot successfully applied for loans totaling GBP26,000 ($37,600). See Paul Cruickshank, “The 2006 Airline Plot,” in Bruce Hoffman and Fernando Reinares eds., The Evolution of the Global Terrorist Threat, (New York, NY: Columbia University Press, October 2014).

[c] Abu Hamza returned to Denmark after traveling to Syria and later died of natural causes there.

[d] Smurfing involves the process of making numerous cash deposits into several bank accounts.

[e] It is also important to recognize that FTF facilitators use the MSBs for a variety of purposes. They receive payment for facilitation of travel of fighters on behalf of the Islamic State but have also received funds through them from worried parents who want to extract radicalized children from the clutches of the Islamic State. This information is based on testimony from relatives of FTFs in both The Hague (September 2014) and Stockholm (November 2014).

[f] This area is a well-known jihadist hotspot. The village of Gornja Maoca, for example, contains a high concentration of jihadis. See Gordon N. Bardos, “Jihad in the Balkans: The Next Generation,” World Affairs, September/October 2014.

Citations [1] U.S. Department of State, Bureau of Economic and Business Affairs, “Fact Sheet: Taking Stock of the Counter-ISIL Finance Group’s Achievements in its First Year,” April 12, 2016. For example, see UK Foreign Affairs Sub-committee, ISIL financing inquiry, Oral and Written Evidence.

[2] Magnus Normark and Magnus Ranstorp, Understanding Terrorist Finance Modus Operandi and National CTF Regimes, March 2016. The law enforcement and intelligence officials were interviewed between June-December 2015 in a number of countries: in the U.K., the Metropolitan Police (SO15); in the Netherlands, the National Coordinator for Counterterrorism (NCTV); in the United States, the Department of the Treasury, Financial Crimes Enforcement Network, Department of Justice, and Department of State Office of Counterterrorism; in Canada, the Canada Security and Intelligence Service, Royal Canadian Mountain Police (RCMP), Public Safety Canada, and FINTRAC Canada; in Sweden, the Swedish Security Service (SÄPO) and the Swedish Finance Police (FIPO); and in Denmark, the Danish Security & Intelligence Service (PET). The authors also interviewed officials at Europol, Counter Terrorism and Financial Intelligence in The Hague.

[3] Personal interviews, several European intelligence officials, 2015-2016.

[4] Personal interviews, several European intelligence officials and Swedish banks, 2015-2016.

[5] Eva Svoboda and Louise Redvers, “Aid and the Islamic State,” IRIN/HPG Crisis Brief, December 2014.

[6] Financial Action Task Force (FATF), “Emerging Terrorist Financing Risks,” October 2015, p. 14.

[7] Aimen Dean, Edwina Thompson, and Tom Keatinge, “Draining the Ocean to Catch one Type of Fish: Evaluating the Effectiveness of the Global Counter-Terrorism Financing Regime,” Perspectives on Terrorism 7:4 (2013).

[8] Personal interviews, European law enforcement and intelligence officials, 2015; Normark and Ranstorp.

[9] Jugement contre Khalid Zerkani et al., Tribunal de Premiere Instance Francophone de Bruxelles, July 29, 2015, pp. 44-65.

[10] ”Paris attacks: Investigators turn up new leads,” BBC News, January 19, 2015.

[11] “Lån och bedrägerier finansierar terrorresor,” Sveriges Radio, June 22, 2015.

[12] Jonathan Owen, “British pensioners targeted in scam by extremists raising funds for Isis,” Independent, March 5, 2015.

[13] “Gang jailed over pensioner phone scam,” BBC, May 4, 2016.

[14] “Momsfiffel finansierade jihadister I Syrien,” November 28, 2004.

[15] For an earlier article on circumstances surrounding the 25-year-old, see Magnus Ranstorp, “The Foreign Policy Essay: Scandinavian Foreign Fighters—Trends and Lessons,” Lawfare, December 7, 2014.

[16] Lasse Wierup, ”Tjänsteman åtalas för svindel,” Dagens Nyheter, April 11, 2016.

[17] Soheil Raffieé Bakhtiarzadeh and Shahin Raffieé Bakhtiarzadeh, ”Momsfusk ger nätverk miljoner,” Dagens Nyheter, April 12, 2016.

[18] “Julhandeln högtid för kriminellas momsfiffel,” Dagens Nyheter, December 3, 2014.

[19] U.S. Department of State, “Designation of Foreign Terrorist Fighters,” September 24, 2014.

[20] Personal interview, journalist Troels Kingo Larsen at DR, May 2015; “Terrormistænkte indblandet i fødevarefusk i København,” DR, January 24, 2016.

[21] “Milliardsvindel med dansk kvoteregister er mistænkt for at finansiere terror,” DR, October 1, 2014; “Italy tax scam ‘may have funded terrorism,’” Local, September 24, 2014.

[22] Stewart Bell, “Ontario extortion racket has ties to Hezbollah,” National Post, July 21, 2011.

[23] ”Syrienkrigere har fået 378.000 kroner i velfærdsydelser,” Ritzau, May 18, 2015.

[24] Peter Dominiczak, Tom Whitehead, and Christopher Hope, “Jihadists funded by welfare benefits, senior police officer warns,” Daily Telegraph, November 26, 2014.

[25] Imogen Calderwood, “ISIS jihadis in Syria and Iraq are funding their evil war by milking Britain’s benefits system through false claims, online fraud and student loans,” DailyMail, June 7, 2015.

[26] “Belgian jihadists in Syria stripped of welfare benefits,” France 24, August 19, 2013.

[27] FATF.

[28] “France cut welfare benefits for 290 jihadists last year,” France 24, March 18, 2015.

[29] “Islamic State using social media as crowdfunding platform for terrorist activities, expert warns,” ABC News, November 17, 2015.

[30] FATF.

[31] Matthew Levitt, “Here’s how ISIS still has access to the global financial system,” Business Insider, March 24, 2015.

[32] Aymenn al-Tamimi, “A Caliphate under Strain: The Documentary Evidence,” CTC Sentinel 9:4 (2016).

[33] HM Treasury/HM Home Office, “UK national risk assessment of money laundering and terrorist financing,” October 2015.

[34] “France targets prepaid debit cards in fight against terror finance,” Agence France-Presse, November 23, 2015; “Prepaid cards: help for financially excluded or finance for terrorists?” Express Tribune, November 29, 2015.

[35] Personal interviews, European intelligence and law enforcement officials, 2015.

[36] Jose Maria Irujo, “Una extensa red de 250 locutorios y carnicerias financia la yihad en Siria,” El Pais, February 2, 2015.

[37] Sandra Laville and Duncan Gardham, “Two unlikely jihadis: the ‘weed-smoking kaffir’ and the ignorant dupe,” Guardian, August 13, 2015.

[38] Personal interview, intelligence source, spring 2016.

With Money Infusion, Iran Funds PIJ

Posted on May 25, 2016May 25, 2016 by Denise Simon

Iran resumes funding for Palestinian Islamic Jihad

BTN: Iran recently decided to resume regular financial assistance to the Palestinian terrorist organization known as Islamic Jihad, Arabic-language newspaper Asharq al-Aswat reported on Wednesday.

The decision to transfer an annual sum of $70 million out of the Revolutionary Guards budget reportedly followed a visit by an Islamic Jihad delegation in Tehran last month – the first such visit in two years.

The talks resulted in an agreement to renew operations by Islamic Jihad’s military wing, the Quds Brigades. Qassem Soleimani, commander of the Revolutionary Guards’ elite Quds Force, reportedly decided to appoint Khaled Mansour, considered loyal to Iran, as commander of the Quds Brigades in the Gaza Strip.

Iran’s funding resumed in March, Asharq al-Aswat reported, and Islamic Jihad has thus been able to pay two months’ worth of salaries to members after months of financial straits.

Reports in January said that Iran had ended its funding of Islamic Jihad, according to Israeli news site Walla News.

Despite being a Sunni organization, Islamic Jihad has remained on the side of the Iranian-led Shi’ite axis in the regional power struggle with Saudi-backed elements, and members have fought alongside Syrian President Bashar al-Assad’s regime in that country’s civil war.

Islamic Jihad Secretary General Ramadan Shalah said recently in a public statement that no Arab countries has supposed “the popular uprising in Palestine”, and that only Iran “helps the martyrs’ families.”

****

The entire Obama administration confirms this:

WASHINGTON/JP — Despite facing costly obstacles from the Syrian civil war, Iran continued its arming and funding of terror proxies targeting Israel throughout 2014 largely unabated, the US government found in a report released on Friday.

The State Department report— an annual accounting of organized terrorism worldwide— asserts that Iran has continued, if not expanded, its operations beyond its historical focus on Hamas in Gaza and Hezbollah in Lebanon, to a limited number of operations in Africa, Asia and Latin America, as well as to “various groups throughout the Middle East.”

“Iran has historically provided weapons, training, and funding to Hamas and other Palestinian terrorist groups, including Palestine Islamic Jihad (PIJ) and the Popular Front for the Liberation of Palestine-General Command (PFLP-GC),” the report reads. “These Palestinian terrorist groups have been behind a number of deaths from attacks originating in Gaza and the West Bank.”

Much of Iran’s efforts throughout 2014 focused on maintaining its “resistance front” in Syria and Iraq, the report says, through its support for Shia governments and militias. The report notes of Islamic Revolutionary Guard Corps-Qods Force (IRGC) presence on the ground in both countries.

The report notes of an Israeli naval raid that took place in March of that year on a cargo ship traversing the Red Sea, the Klos C, off the coast of Sudan, which was found bearing 40 M-302 rockets, 180 mortars, and approximately 400,000 rounds of ammunition hidden within crates of cement labeled “Made in Iran.”

“Although Hamas’s ties to Tehran have been strained due to the Syrian civil war, in a November 25 speech, Supreme Leader Khamenei highlighted Iran’s military support to ‘Palestinian brothers’ in Gaza and called for the West Bank to be similarly armed,” the report continues. “In December, Hamas Deputy Leader Moussa Abu Marzouk announced bilateral relations with Iran and Hamas were ‘back on track.'”

In the North, Iran continues providing Hezbollah— active in the fight in Syria as well as against the Jewish state from Lebanon— with “hundreds of millions of dollars. And the report claims Tehran is training “thousands of its fighters at camps in Iran.”

“General Amir Ali Hajizadeh, head of the IRGC Aerospace Force, stated in November that ‘the IRGC and Hezbollah are a single apparatus jointed together,’ and Lebanese Hizballah Deputy Secretary General Naim Qassem boasted that Iran had provided his organization with missiles that had ‘pinpoint accuracy’ in separate November public remarks,” it states.

The State Department asserts that, in admitting its arming of Hezbollah, Iran is in open violation of UN Security Council Resolutions 1701 and 1747.

The report praises Israel’s response to terror threats throughout the year, which saw war with Hamas in Gaza over fifty days that summer.

“Israel was hit by a record volume of rocket and mortar fire from Gaza and the Sinai in 2014, according to the Israeli government, with more than 4,660 projectiles launched, most during the July-August conflict, at Israeli territory compared to 74 launchings in 2013 and 2,557 in 2012,” it says, referring to Israel as a “committed counterterrorism partner.”

“Militants from Gaza also infiltrated Israeli territory using tunnels in six separate attacks and, for the first time, by a sea-borne operation,” it continued. The report also praises Egypt for taking aggressive counterterrorism measures against Hamas and its tunnel operations in the Sinai.

It notes, briefly, that Iranian proliferation of nuclear weapons remains a concern.

Russian Spies and Espionage in NATO and USA

Posted on May 25, 2016May 25, 2016 by Denise Simon

It was not long ago while interviewing a former CIA operative that he responded to my question, ‘do we have a handle on the Russian spies in the United States?’ His answer is no, and they are all over the country and the same goes with China.

2015: Three alleged Russian spies exposed by the FBI are part of the most intense effort by Russia to infiltrate agents onto American soil since the Cold War.

In an affidavit unsealed in federal court on Monday, the Justice Department accused , also known as “Zhenya,” of posing as a Russian banker in Manhattan to funnel economic intelligence to the SVR, Russia’s foreign intelligence agency.

Two other Russians, Igor Sporyshev and Victor Podobnyy, were ostensibly diplomats in Russia’s UN mission in New York but are accused of being Buryakov’s SVR handlers. While Buryakov was operating deep undercover and therefore had no diplomatic protection, the other two have immunity and have already left the the United States.

Anecdotes in the affidavit portray the accused spies as bumbling and hapless compared to the stereotype of hard-eyed Soviet-era KGB professionals. Still, news of their existences comes at the most perilous moment in U.S.-Russia relations in decades, with Barack Obama and Vladimir Putin at a standoff over issues ranging from Ukraine to Moscow’s claims it has a right to a “sphere of influence” in its backyard. More from CNN here.

**** Now NATO:

NATO’s Big New Russian Spy Scandal

A Russian mole has been uncovered inside NATO intelligence. What does this mean for Western security?

Frederico Carvalhão Gil was arrested this weekend in Rome. (Photo: Facebook/Frederico.CarvalhaoGil

Observer: Last weekend, in the latest development in the secret espionage struggle between Vladimir Putin’s Kremlin and the West, a major Russian spy was arrested in Italy. On Saturday, Frederico Carvalhão Gil, a senior intelligence official from Portugal, was picked up by Italian police along with his Russian intelligence handler, whom he was meeting clandestinely in Rome.

Although Portugal is hardly a big player in the global spy game, it has been a member of the Atlantic Alliance since its founding in 1949, and Lisbon’s intelligence services are full members of the West’s secret spy network. Finding a mole like Mr. Carvalhão in any NATO security service is a serious matter for the whole alliance.

A career intelligence officer, the 57-year-old Mr. Carvalhão, who went into the espionage business in the late 1980s, had risen to the senior ranks of Portugal’s domestic spy agency, the Security Intelligence Service—SIS for short. He is a division chief in that service, according to Portuguese press reports, what SIS terms an area director. Mr. Carvalhão’s previous assignments have included operational work in counterintelligence and counterterrorism. A philosophy graduate, the suspected traitor is described as highly intelligent—an intellectual. It’s evident Mr. Carvalhão had access to a wide array of NATO secrets thanks to his official position.

Portuguese intelligence suspected it had a mole for some time, and a secret hunt for the turncoat commenced in 2014. With help from spy partners, including the CIA, Lisbon developed a list of suspects. Mr. Carvalhão was high on that list, not least because of his open affection for all things Eastern European, which he made plain on his Facebook page.

He also likes Eastern European women. “Zipper problems” as they are known in the spy trade have been the downfall of many turncoats, and reports of a Georgian woman Mr. Carvalhão was romantically involved with offer hints of a possible honey-trap. That deserves investigation, since such operations are textbook for the Russian intelligence services. One reason he wound up on NATO counterintelligence radar was multiple reports of indiscreet liaisons with women from the former Soviet Union.

Greed seems to have also played a role. Mr. Carvalhão was allegedly charging the Kremlin’s Foreign Intelligence Service, the SVR, 10,000 Euros ($11,100) for each classified document he was selling them—a princely sum by spy standards. We know that the SVR’s main interest in the information it sought from its Portuguese mole were secrets about NATO and the European Union. If the Russians were willing to pay that much per purloined document, it’s evident to any veteran counterintelligence hand that the classified information he was giving the SVR was important. The Kremlin won’t pay that much for junk.

Mr. Carvalhão had been through a divorce, which may have been a motivation as well—both financially and psychologically. Reeling from a divorce that left him financially strapped, the notorious CIA turncoat Aldrich Ames reached out to the KGB, the SVR’s predecessor, in 1985, offering them top secret information in exchange for $50,000. Thus began Mr. Ames’ nine years of betrayal that lasted until his 1994 arrest—a huge success for the Kremlin that cost the lives of several Soviets who were spying for the CIA.

Once SIS realized Mr. Carvalhão may have gone rogue, he was moved to a less sensitive position at work, where he had access to fewer secrets and was placed under surveillance. By last autumn, he was being watched and his phones were tapped as his employer looked for evidence of his betrayal. They soon discovered that Mr. Carvalhão made regular trips across Europe, which SIS assessed were actually clandestine meetings with the SVR to pass secrets to the Russians outside Portugal. That was less risky than meeting Russians on his home turf, as the career spy knew from his own service with Portuguese counterintelligence.

This culminated in the top secret operation in Rome last weekend which led to Mr. Carvalhão’s arrest. In coordination with Italian partners, SIS watched his movements as he took a flight to Rome last Friday, in preparation for the next day’s planned meeting with the Russians. That clandestine rendezvous was spoiled for Mr. Carvalhão when Italian police appeared at the Roman café, downtown on the Tiber, to bring him into custody on espionage charges proffered by Lisbon. He did not resist arrest.

Neither did the Russian he was meeting. In an interesting twist, his SVR handler was not in Rome under official cover, posing as a diplomat or trade representative—the default setting in espionage circles. Rather, his SVR handler was what the Russian term an Illegal, meaning he was operating without any official protection. He therefore was subject to arrest, whereas a Russian spy pretending to work at their embassy could claim diplomatic immunity to avoid police detention.

The identity of the SVR officer in custody has not been released by Italian authorities, but Illegals are an elite cadre in Russian intelligence circles, much less frequently encountered than their counterparts posing as diplomats. They are also much tougher to detect, since they aren’t working at any embassy or consulate, and last year’s FBI arrest of an SVR Illegal in New York City—where he was spying on Wall Street—was a coup for American counterintelligence.

Rome and Lisbon may have unraveled an important spy ring here. Illegals are used to handle high-value agents, for instance moles inside Western spy services like Mr. Carvalhão for whom meetings with SVR officers under official cover—who are often known to the local security service, which watches their movements closely—would pose a serious risk of exposure.

Just what this Portuguese mole gave the Russians is not yet known. Assessing that, and therefore the damage he caused to Western security, is the major task facing investigators in Lisbon and other NATO capitals right now. The Atlantic Alliances have been penetrated by the SVR many times—the most recent big case was Herman Simm, a senior Estonian security official who was arrested in 2008 after spying for the Kremlin for years, during which he had access to countless NATO secrets.

The disastrous case of Edward Snowden, the National Security agency IT contractor who defected to Moscow nearly three years ago, was an unprecedented blow to American intelligence and the entire Western spy partnership. In response, NATO has belatedly begun to get serious about the threat posed by Russian espionage. There was a major increase in Kremlin spying against the West beginning a decade ago, reaching and in some cases even surpassing Cold War levels of intensity. Last year, NATO forced the Russians to cut back their official delegation to alliance headquarters in Brussels, since so many of them were actually spies, brazenly stealing NATO secrets.

The SVR is every bit as audacious at stealing our secrets as the KGB ever was. The SpyWar between East and West never ended, and under Vladimir Putin—that onetime KGB officer who values espionage highly—it forms a core component of Kremlin foreign and security policy. The case of Frederico Carvalhão demonstrates that Moscow is still stealing our secrets at every opportunity. The West ignores counterintelligence, particularly against an increasingly aggressive Russia, at its peril.

John Schindler is a security expert and former National Security Agency analyst and counterintelligence officer.