Phase 2 of the research serves to build upon the foundation laid in Phase 1. The Phase 2 research further explores: the criminal groups utilizing digital assets in illegal activities; how these criminal groups are conducting illicit activity and recruiting members; cryptocurrency ATMs and Point-of-Sales illicit uses; generative AI applications in cybercrime; darknet market use of digital assets; the evolving use of cryptocurrencies (especially the year to date change); criminal activity’s impact on government and private sector; and additional policy recommendations. Although illicit use can never be completely eliminated, it can be mitigated by increased consumer knowledge, proactive law enforcement investigations, and better practices and regulations issued by key stakeholders.
DHS Public-Private Analytic Exchange Program Report: Combatting Illicit Activity Utilizing Financial Technologies and Cryptocurrencies Phase I
Private and public sector analysts and subject matter experts working in the cyber financial landscape gathered through a series of meetings to examine the use of financial technologies and cryptocurrencies by illicit actors. The key research points investigated include discovering the most common illicit finance activities, the most exploited elements of financial technologies, the legal vulnerabilities that allow exploitation, pseudo-anonymity in online transactions, weaknesses in Know-Your-Customer laws, and the risks of use associated with other emerging blockchain applications (i.e. NFTs). The research gathered from investigating these areas led to the development of suggested, effective changes to reduce illicit activity in this space and identifying the key stakeholders to implement these changes. This paper seeks to provide guidance in navigating cryptocurrencies, emerging digital payment solutions, and other blockchain applications to both consumers and stakeholders to minimize the illicit use of these platforms. While illicit use cannot be eliminated altogether, it can certainly be reduced with better consumer knowledge and better practices/regulations issued by key stakeholders.
(U//FOUO) DHS Report: Chinese Municipal Government Publishing Anti-US Social Media Content With Limited Reach
A People’s Republic of China (PRC) municipal government-controlled media outlet is very likely directing a cluster of English-language, coordinated inauthentic Twitter accounts that posted content denigrating the United States (see graphics). The cluster of accounts, which we have dubbed SPICYPANDA, has been active from at least January 2021 and has published sophisticated content, but it failed to grow a follower base thus far. DHS attributed SPICYPANDA to the municipal media entity Chongqing International Communications Center (CICC) based on its leadership’s creation of SPICYPANDA’s anti-US messaging campaign, its overt ties to a website promoted by the accounts, and its Western social media messaging accolades and capabilities.
The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and National Counterterrorism Center (NCTC) assess that domestic violent extremists (DVEs)a fueled by various evolving ideological and sociopolitical grievances pose a sustained threat of violence to the American public, democratic institutions, and government and law enforcement officials. Flashpoint events in the coming months may exacerbate these perceived grievances, further increasing the potential for DVE violence. DVEs adhering to different violent extremist ideologies have coalesced around anger at issues including perceived election fraud, as well as immigration and government responses to the COVID-19 pandemic, drawing on their varied perceptions of those issues. These factors, along with fluid conspiracy theories, have amplified longstanding DVE grievances, including perceptions of government and law enforcement overreach or oppression and shifts in US demographics and cultural values.
We judge that narratives driven by Chinese, Iranian, and Russian state media, and proxy websites linked to these governments, often involve fact-based articles as well as editorials; these publications may include misinformation, disinformation, or factual but misrepresented information. This monthly “Snapshot” compiles English-language narratives, which we assess are intended for US and Western audiences, and highlights both consistent trends and emergent messaging, which we assess to reveal foreign actors’ changing influence priorities. We judge that, typically, China uses state and proxy media—including US-based outlets—to try to shape diaspora conduct and US public and leadership views; Iran state media manipulates emerging stories and emphasizes Tehran’s strength while denigrating US society and policy; and Russia uses both state and proxy media to amplify narratives seeking to weaken Washington’s global position relative to Moscow’s.
This Intelligence In View provides federal, state, local, and private sector stakeholders an overview of Russian Government-affiliated cyber activity targeting the United States and Russian regional adversaries, including disruptive or destructive cyber activity, cyber espionage in support of intelligence collection, and malign foreign influence in service of Russian political agendas. This In View also provides examples of malware and tools used by Russian Government-affiliated cyber actors.
(U//FOUO) DHS-FBI-NCTC Bulletin: Dissemination of Tactics, Techniques, and Procedures Used by Buffalo Attacker Likely To Enhance Capabilities of Future Lone Offenders
This Joint Intelligence Bulletin (JIB) provides an overview of significant tactics, techniques, and procedures (TTPs) discussed or used by the alleged perpetrator of the 14 May 2022 mass casualty shooting in Buffalo, New York and details how related documents spread after the attack may contribute to the current threat landscape. The alleged attacker drew inspiration from previous foreign and domestic racially or ethnically motivated violent extremists (RMVEs) and their online materials, underscoring the transnational nature of this threat. DHS, FBI, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners to remain vigilant of this enduring threat.
This resource is provided to inform law enforcement, terrorism prevention practitioners, other first responders, community leaders, as well as the general public about both threats of violence and contextual behaviors that suggest an individual is mobilizing to violence. While some violent extremists may make direct, indirect, or vague threats of violence, others may plot violent action while avoiding such overt threats to maintain operational security—underscoring the need to consider both threats of violence and contextual behaviors.
During the six-month period from April 2022 to September 2022, we project that US Customs and Border Protection (CBP) will record between 1 and 2.1 million encounters at the US Southwest Border. We have low confidence in these projections because migration is a complex and fluid issue, making predictive analysis difficult. Additionally, the percentage of selected Latin American and Caribbean nationals encountered at the US Southwest Border has increased from 11 percent in the first six months of FY 2021 to 31 percent in the first six months of FY 2022. This increasing diversification of migrant nationalities encountered at the US Southwest Border—on top of other capacity challenges—will further complicate US capacity to manage the expected flow, as it requires engagement with other migrant-source countries besides Mexico and Northern Triangle countries. Specifically, encounters of Cuban, Nicaraguan, and Venezuelan nationals pose unique challenges because of our limited relationships with these host countries.
(U//FOUO) DHS Bulletin: Domestic Violent Extremist Activity Likely in Response to US Supreme Court Decision on Abortion
Some domestic violent extremists (DVEs) will likely exploit the recent US Supreme Court decision to overturn Roe V. Wade to intensify violence against a wide range of targets. We expect violence could occur for weeks following the release, particularly as DVEs may be mobilized to respond to changes in state laws and ballot measures on abortion stemming from the decision. We base this assessment on an observed increase in violent incidents across the United States following the unauthorized disclosure in May of a draft majority opinion on the case.
Domestic violent extremists (DVEs) continue to exploit 3-D printing to produce weapons and firearm accessories that are unregulated and easy to acquire, according to recent federal and local arrests. This jointly authored Reference Aid is intended to highlight recent incidents of DVE misuse of 3-D printing and demonstrative examples of how the tactic could be exploited by DVEs in the United States.
(U//FOUO) DHS Bulletin: Moscow’s Invasion of Ukraine Impeding Reach of Russian State Media in the West
Russia’s invasion of Ukraine has spurred Western governments, social media companies, and individuals to limit or disengage from Russian state media outlets, likely degrading many outlets’ ability to directly message to Western audiences through 2022. This Western response impedes the ability of critical elements of Russia’s influence ecosystem to recruit and retain culturally adept media talent, shape in-country reporting, maintain a perception of media independence, and generate revenue. These setbacks affect multiple facets of RT’s and Sputnik’s operations, hampering the prospects for a speedy reconstitution of their Western-facing efforts. These actions, and others being considered by Western countries, go well beyond previous efforts to counter Moscow’s use of its state media outlets to spread mis-, dis-, and malinformation (MDM), such as deplatforming, foreign agent registration, and social media labeling of content.
DHS Public-Private Analytic Exchange Program Report: Combatting Targeted Disinformation Campaigns A Whole-of-Society Issue Part Two August 2021
Recent events have demonstrated that targeted disinformation campaigns can have consequences that impact the lives and safety of information consumers. On social media platforms and in messaging apps, disinformation spread like a virus, infecting information consumers with contempt for democratic norms and intolerance of the views and actions of others. These events have highlighted the deep political and social divisions within the United States. Disinformation helped to ignite long-simmering anger, frustration, and resentment, resulting, at times, in acts of violence and other unlawful behavior.
DHS Public-Private Analytic Exchange Program Report: Combatting Targeted Disinformation Campaigns A Whole-of-Society Issue October 2019
In today’s information environment, the way consumers view facts, define truth, and categorize various types of information does not adhere to traditional rules. The shift from print sources of information to online sources and the rise of social media have had a profound impact on how consumers access, process, and share information. These changes have made it easier for threat actors to spread disinformation and exploit the modern information environment, posing a significant threat to democratic societies. Accordingly, disinformation campaigns should be viewed as a whole-of-society problem requiring action by government stakeholders, commercial entities, media organizations, and other segments of civil society.
(U//FOUO) DHS Bulletin: Warning of Potential for Cyber Attacks Targeting the United States in the Event of a Russian Invasion of Ukraine
We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security. Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure. However, we assess that Russia’s threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure—notwithstanding cyber espionage and potential prepositioning operations in the past.
(U//FOUO) DHS Bulletin: Iranian Influence Efforts Primarily Use Online Tools to Target US Audiences, Remain Easily Detectable for Now
We assess that Iran likely will continue to rely primarily on proxy news websites and affiliated social media accounts to attempt sustained influence against US audiences, while we expect intermittent, issue-specific influence attempts via other means (e.g., e-mails). We base this assessment on Iran’s actions since at least 2008 to build and maintain vast malign influence networks anchored by proxy websites, as well as Iran’s attempts to find new avenues to re-launch established malign influence networks after suspension. Tehran employs a network of proxy social media accounts and news websites that typically launder Iranian state media stories (stripped of attribution), plagiarize articles from Western wire services, and occasionally pay US persons to write articles to appear more legitimate to US audiences.
(U//FOUO) DHS-FBI-NCTC Bulletin: First Responder Awareness of Privately Made Firearms May Prevent Illicit Activities
Criminals and violent extremists continue to seek ways to acquire firearms through the production of privately made firearms (PMFs). PMFs can be easily made using readily available instructions and commonly available tools, require no background check or firearms registration (serial number) under federal law, and their parts have become more accessible and affordable. This, combined with the increase in law enforcement recoveries of nonserialized and counterfeit firearms in criminal investigations, will most likely create increasing challenges in law enforcement investigations, including weapon accountability access and tracking. PMF awareness and identification can aid PMF recovery, prevention of illicit activities including terrorism, and overall first responder and public safety.
Cybersecurity and Infrastructure Security Agency Report: Protecting Against the Threat of Unmanned Aircraft Systems (UAS)
Department of Homeland Security, Federal Bureau of Investigation, Intelligence Fusion Centers, U.S. Secret Service
This Joint Threat Assessment (JTA) addresses threats to the 59th Presidential Inauguration taking place in Washington, DC, on 20 January 2021. This JTA is co-authored by the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS)/US Secret Service (USSS), with input from multiple US Intelligence Community and law enforcement partners. It does not include acts of non – violent civil disobedience (i.e., protests without a permit), which are outside the scope of federal law enforcement jurisdiction.
(U//FOUO) Domestic Violent Extremists Emboldened in Aftermath of Capitol Breach, Domestic Terrorism Threat Likely Amid Political Transitions
This Joint Intelligence Bulletin (JIB) is intended to highlight the threat of violence from domestic violent extremists (DVEs) in the wake of the 6 January violent breach by some DVEs of the US Capitol Building in Washington, DC, following lawful protest activity related to the results of the General Election. Anti-government or anti-authority violent extremists (AGAAVE), specifically militia violent extremists (MVEs); racially or ethnically motivated violent extremists (RMVEs); and DVEs citing partisan political grievances will very likely pose the greatest domestic terrorism threats in 2021.
Cybersecurity and Infrastructure Security Agency Mail-In Voting in 2020 Infrastructure Risk Assessment
All forms of voting – in this case mail-in voting – bring a variety of cyber and infrastructure risks. Risks to mail-in voting can be managed through various policies, procedures, and controls.
The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyber attacks. Implementation of mail-in voting infrastructure and processes within a compressed timeline may also introduce new risk. To address this risk, election officials should focus on cyber risk management activities, including access controls and authentication best practices when implementing expanded mail-in voting.
(U//FOUO) DHS Bulletin: Russia Likely to Continue Seeking to Undermine Faith in US Electoral Process
We assess that Russia is likely to continue amplifying criticisms of vote-by-mail and shifting voting processes amidst the COVID-19 pandemic to undermine public trust in the electoral process. Decisions made by state election officials on expanding vote-by-mail and adjusting in-person voting to accommodate challenges posed by COVID-19 have become topics of public debate. This public discussion represents a target for foreign malign influence operations that seeks to undermine faith in the electoral process by spreading disinformation about the accuracy of voter data for expanded vote-by-mail, outbound/inbound mail ballot process, signature verification and cure process, modifying scale of in-person voting, and safety and health concerns at polling places, according to CISA guidance documents provided to state and local election officials.
We assess that some violent opportunists have become more emboldened following a series of attacks against law enforcement during the last 24 hours nationwide. This could lead to an increase in potentially lethal engagements with law enforcement officials as violent opportunists increasingly infiltrate ongoing protest activity. We also have received an increase in reports on shots fired during lawful protests nationwide—an indicator we associate with the potential for increased violence moving forward—and several uncorroborated reports of probably violent opportunists pre-staging improvised weapons at planned protest venues. Law enforcement officers continue to be the primary targets of firearm attacks, though several incidents last night involved violent opportunists shooting into crowds of protestors.
We assess that violent opportunists will continue to exploit ongoing nationwide lawful protests as a pretext to attempt to disrupt law enforcement operations; target law enforcement personnel, assets, and facilities; and damage public and private property. We have identified multiple tactics currently at play, including the use of weapons, counter-mobility, physical barriers, screening and concealment, intercepted communications, and pre-operational activities.
(U//FOUO) DHS Bulletin: Ongoing Violence, Information Narratives Nationwide Poses Continued Threat to Law Enforcement
In the last 24 hours the types of people or groups seeking to carry out violence in response to the death of George Floyd in Minneapolis has shifted in many cities. The initial violent looters and protestors were believed to be organic members of the local communities. However, domestic violent extremists are attempting to structure the protests to target specific symbols of state, local, and federal authority. We anticipate armed individuals will continue to infiltrate the protest movement. We assess with high confidence during the period of darkness from 30 to 31 May the violent protest movements will grow and DVEs and others will seek to take over government facilities and attack law enforcement.