
Global money laundering and terrorist financing watchdog Financial Action Task Force (FATF) has said that the accused in two recent terror attacks in India used online payment services, e-commerce platforms, and Virtual Private Networks (VPNs). The FATF cited the incidents in its report ‘Comprehensive Update on Terrorist Financing Risks’ published on Tuesday (July 8, 2025).
The first case pertains to the use of online payment services and VPNs to fund a “lone actor” terrorist act. On April 3, 2022, an individual influenced by terror group ISIL’s ideology attacked security personnel at Gorakhnath Temple in Uttar Pradesh. The attack was detected during the attempt by the accused to breach security, leading to his immediate arrest.
The case was transferred to the State Anti-Terror Squad (ATS) for investigation. The ATS found that the accused had transferred ₹6,69,841 via PayPal to foreign countries in support of ISIL, using international third-party transactions and VPN services to obscure the IP address. He also received ₹10,323.35 from a foreign source.
A forensic report on the accused’s phone revealed that he had been using a VPN for calls, chatting, and downloads to evade detection. “Further financial scrutiny uncovered that the accused had made a payment to a VPN provider through his bank account to secure these services… the investigation also uncovered that the accused had sent money to multiple individuals identified as ISIL followers in foreign jurisdictions to support terrorist activities,” said the report.
Pulwama attack
During the probe into the February 2019 suicide-bomb attack on a convoy in Pulwama, Jammu and Kashmir, which killed 40 Central Reserve Police Force (CRPF) personnel, it was detected that an e-commerce platform had been used to procure materials for the attack, which was carried out by Pakistan-based Jaish-e-Mohammed.
A key component of the improvised explosive device used in the attack — aluminium powder — was procured “through the EPOM [E-commerce platforms and online marketplaces] Amazon”. “This material was used to enhance the impact of the blast. As a result of the investigation, 19 individuals were charged under relevant provisions of the Unlawful Activities (Prevention) Act, including sections related to Terror Financing. Among those charged were seven foreign nationals, including the suicide bomber”.
“Terrorists have been reported to abuse EPOMs, which are occupying an ever-growing position in worldwide economic landscapes, for various purposes… criminals and terrorists can pose as multiple buyers and sellers (e.g., fraudulent/complicit online shop fronts) on the EPOMs, and use trade-based ML/TF [Money Laundering/Terror Financing] techniques, such as over/under invoicing, to transfer value (goods and funds) between each other,” the report observed.
The report said terrorists have used EPOMs for procuring equipment, weapons, chemicals, and 3D-printing material. “EPOMs can also be used by terrorists to sell items to finance their projects and operations, including lower value items that were previously not in demand. EPOMs can be used to sell items obtained through wildlife exploitation or stolen cultural artefacts,” said the report.
According to the report, EPOMs can be used to move funds through schemes inspired by trade-based money laundering. Traded goods can disguise the value being transferred from one member of the network to another.
The methods of raising or transferring funds for terror financing highlighted in the report include trafficking of humans, goods, drugs and wildlife articles; virtual assets; donations; crowdfunding; use of shell entities; shell bank accounts and immediate cash withdrawals; mobile applications; misuse of non-profit organisations; extortion; kidnapping for ransom; “hawala” channels, etc.
Published – July 08, 2025 11:07 pm IST