Crypto
Terrorist Financing in the Age of Cryptocurrency: Ep. 112 – Chainalysis
Episode 112 of the Public Key podcast is here and this is our “Live from Links” series, where we showcase our podcasts recorded live at the Chainalysis Links Conference in NYC. A case that involved crypto, terrorist financing, weapons and everything in between. We speak with several key members of the Manhattan District Attorney’s Office, including the District Attorney, Alvin Bragg, the Assistant District Attorney, Edward Burns and the Chief of the Counterterrorism Unit, David Stuart, as well as Dan Heesemann, Intelligence Research Specialist at the NYPD .
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 112.
Public Key Episode 112: How Cryptocurrency Helped Convict a NYC Based Terrorist
“In a way, if you were a juror on this case, you got educated on cryptocurrency, terrorist financing, and also the Syrian Civil War.” – Edward Burns
In this episode, Ian Andrews (CMO, Chainalysis) has a full house as he speaks to several key members of the Manhattan District Attorney’s Office, including the District Attorney, Alvin Bragg, the Assistant District Attorney, Edward Burns and the Chief of the Counterterrorism Unit, David Stuart. As well as Dan Heesemann, Intelligence Research Specialist at the NYPD.
The team discusses a fascinating case involving cryptocurrency and terrorism financing and shares how they were able to uncover an individual sending money to a terrorist group in Syria and planning violent attacks on American soil.
They walk through the challenges of presenting technical evidence in court and the surprising defense strategy used by the defendant.
This gripping episode sheds light on the intersection of crime, cryptocurrency, and counterterrorism efforts and the persistence and collaboration law enforcement and the District Attorney’s office have to utilize in order to bring these criminals to justice.
Quote of the episode
“In a way, if you were a juror on this case, you got educated on cryptocurrency, terrorist financing, and also the Syrian Civil War… So that was a lot for them to digest” – Edward Burns (Assistant District Attorney, Manhattan District Attorney’s Office)
Minute-by-minute episode breakdown
2 | Background of the public sector guests and their entrance into cryptocurrency
4 | The People vs. Victoria Jacobs: The cryptocurrency terrorist financing case
9 | Unveiling the terrorist financier’s intent and tactics
14 | The elusive Salman Belarusi: Operational security mastermind
18 | Simplifying cryptocurrency for jury understanding
20 | Terrorism, cryptocurrency and the Syrian Conflict
22 | Jury deliberates for hours and finds the defendant guilty on all counts
25 | Manhattan DA, Alvin Bragg explains provides an update on sentencing and closure in case
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
Speakers on today’s episode
- Ian Andrews * Host * (Chief Marketing Officer, Chainalysis)
- Alvin Bragg (District Attorney, Manhattan District Attorney’s Office)
- Edward Burns (Assistant District Attorney, Manhattan District Attorney’s Office)
- David Stuart (Chief of the Counterterrorism Unit, Manhattan District Attorney’s Office)
- Dan Heesemann (Intelligence Research Specialist, NYPD)
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Hey everyone. Welcome back to another episode of Public Key Live from Links. This is your host, Ian Andrews. We’ve got a group for this one, folks. I’m joined by David Stewart, who’s chief of the Counterterrorism Unit, Manhattan DA’s office. Edward Burns, who’s assistant district attorney in the Manhattan DA’s office. And Dan Heesemann, who’s intelligence research specialist, NYPD. Gentlemen, welcome to the show.
David:
Thank you.
Ed:
Great to be here.
David:
Yeah, great to be here.
Ian:
Now maybe we can just run down the line here, starting with you, Ed. Quick background, 30 seconds to a minute. Why are you here at the Crypto Conference? What do you do? What’s your day job? How does this all fit together?
Ed:
So I’ve been at the Manhattan DA’s office since September of 2005. I’ve worked my way up through various bureaus. I did work in narcotics, white collar crime and joined the Rackets Bureau, which houses Dave’s unit in Counterterrorism back in 2022. And once I got there, I was assigned to help out Dave in this really interesting case they told me called the people versus Victoria Jacobs. And that’s how I got involved in the cryptocurrency world.
Ian:
Amazing.
Dan:
Sure. So I’m Dan Heesemann, I’m an Intel research specialist with the NYPD, and I’m a Queen’s kid, born and raised. And so came out of college, figured out what I wanted to do and I thought the NYPD seemed like a good place to go; career, family and civil service. And just figured out the be the best place to go. So that’s how I ended up here. I’ve been here for almost seven years now. It’s scary to think about. And even though I’m not a math person by heart, back in 2019, we decided we wanted to do more in financial crimes and they needed a couple of people. And I said, well, in fourth grade, a nun made me [inaudible 00:01:49] the blackboard because I couldn’t do long vision, but I’ll be your point person.
Ian:
For financial crimes. I can take that on, but it’s obviously gone reasonably well since then-
Dan:
I would say so-
Ian:
… because you’re still here.
David:
So my name is Dave Stewart. I’m a California kid who somehow ended up in New York and I’ve been at the Manhattan DA’s office now for about 17 years. I’m currently chief of the counterterrorism unit, but I’ve done a little bit of everything throughout the office over that time working in the trial division, doing sex crimes cases, human trafficking, organized crime like La Cosa Nostra mafia cases, and now I’ve been doing counterterrorism cases for the past five or six years, which have been really fascinating insights into the way people think about the world and what motivates them.
Ian:
Well, I definitely want to get into that. The three of you literally just came off stage before jumping in here to record with us presenting at the conference on the case that you just mentioned, Ed. So maybe who wants to take us through the high level of what this case was, The People versus Victoria Jacobs.
David:
I’ll start at a high level and then maybe Dan and Ed can kind of jump in and fill in the gaps or the details. So at the highest level, you have a woman who lived in New York City who became immersed within terrorist online ecosystems in Syria and other places, and essentially became obsessed with doing Jihad. And one of the ways that she could do that was to finance and launder money for these groups overseas.
And what we found is that she ultimately sent and laundered over $12,000 over a nine-month time period in 2008 and 2019, but she didn’t stop there. She then sent the group bomb making instructions so that they could make IEDs and kill people with them. And she also acquired illegal knives here in New York City and told people that she was planning a special mission to carry out behind enemy lines.
And I think code for her enemy lines was people right here in New York City. So a very scary, dangerous individual. And thanks to NYPD and the rest of the team, we were able to make arrests and charge her and ultimately convict her of terrorism crimes after a three-week jury trial just this last January.
Ian:
What was the tip or the lead that exposed this? How did it all start, that maybe we have somebody here who’s doing some really bad stuff.
David:
I’ll let Dan jump in for this one.
Dan:
So essentially part of the financial crimes portfolio is reading federal compliance data and making sense of that. And a lot of times it’s just a lot of, I want to say narrative. There’s this person did X, this person did Y, but in this case, we had someone that was in New York that I think this is notable for the crypto folks here, because she was using a nested service.
So the filer that filed this report was not the company she was using. She was using a service underneath that company, that was kind of like a contracted service. And so I think she was trying to be savvy by going outside of a US jurisdiction area to send this money. But in fact, the parent company that was provided the backbone was compliant with US laws or written through this report. And I said, “Well, this is not going to work out for us initially, because we’re here in New York and this company is based elsewhere.”
But then you read, they actually are compliant, we can make this work. So after doing the initial tracing the workup on the subject, we came over to Dave and I don’t think we had reactor at the time, because this is so early on to our adoption of cryptocurrency. And I had a piece of paper I said, “All right, so these are cryptocurrency transactions from someone on the Upper East Side that ended up in Syria. I know it’s farfetched, but you think we’d make this work?” And it worked from there. I think for the folks on the law enforcement side, pitching to the prosecutors is one of those things that you don’t do until that there’s a chance that this case could go to trial. And for us, that’s a fairly high bar.
David:
So the funny part about it is that prior to Dan walking into our office and pitching us this case, we had been doing a lot of terrorism financing work involving Syria. So we were very familiar with how Syrian terrorists were financing their operations there, especially how they use cryptocurrency. And we had done a lot of tracing and graphing using chain analysis at their very early stages of an entity that was an exchange in Syria called Bitcoin Transfer. And it turns out that the individual that Dan came walked into our office was an unknown wallet that we had known about within-
Ian:
Oh, you’re kidding.
David:
… that cluster and tracing graph. And it wasn’t until Dan had kind of unpeeled the layers of that onion and identified it that we were able to see where she fit within the grander scheme of things.
Ian:
Wow.
Dan:
[inaudible 00:07:04] he was going from the top down. We were going from the bottom up, and it kind of just went right in the middle.
David:
So it’s always better to go bottom.
Ian:
I’m curious about, because I’m very much not familiar with Syrian terrorist fundraising practices. What’s the scale of that? Are there a lot of people in the United States who are sending money to support those types of causes? Is this a widespread thing or a high dollar value thing?
Dan:
Not high dollar value map, no. But there are a lot of cases that we’ve seen come out in the past, what, three years probably. And the FBI obviously had the majority of them, but it’s there. It’s a real present danger that people think that they are here in the US and that they can’t travel there, but they can support them financially. And they know a lot of times exactly what they’re sending the money for.
David:
These groups mostly earn their money from local taxation, extortion rings in other ways. For us, the more interesting part of it’s who are the people here that are so infatuated with these groups radicalizing that they’re willing to risk send money to these groups? So those are people that we’re worried about from a kind of mobilization of violence scenario. Obviously want to prevent them from financing terrorism, even if it’s low dollar amounts, but obviously very concerned that this is the type of person that’s going to take that next step. We want to identify them.
Ed:
And I think you just touched upon what the dollar amount is. I would anticipate seeing major dollar amounts move through in this area, just like in any other, comparing other previous crimes that we’ve investigated, as you’ve money laundering and compliance and other regulatory bodies, they know that a certain threshold is going to alert everybody up. So it helps these groups to do smaller dollar amounts. And you see that in money laundering or even the basic people avoiding their currency transaction reports by doing multiple deposits under the $10,000 threshold.
So I think one thing that I’ve learned here is you’re not going to find one group in an organized way, maybe moving millions of dollars, but instead you could have dozens of people moving $10,000 amounts and then maybe not in an organized way, but the money is still getting there, but it’s just going to small amounts to sort of avoid detection and keep us off the trail.
Ian:
No, that’s fascinating. And so then take us back to the case. So you realized that… David, you’ve been mapping this organization from the top down. We’ve discovered a wallet belonging to an individual living here in Manhattan that’s been sending money to this organization. What happens next?
Dan:
Lots of warbles.
David:
No. Dan and I were at the initial stages working on this case. So I will say the first thing we did was started to write legal process to get the records from the exchange that identified her as the person who set up the account that sent the initial transaction. And then once we knew who she was, kind of get a better sense of who she is and what other accounts she might be using, which then led to a search warrant on her email account. And Dan or Ed could jump in and talk about some of the really interesting things that we found.
Ed:
I think Dan should be able to do it since I wasn’t even involved in this point. I didn’t even know that this was going on yet and then I can kind of jump in.
Dan:
No, absolutely. So I think to Dave’s point, legal process, so subpoenas and those are really useful. And I think one of the things that comes up in investigation of all sorts in law enforcement, but particularly in cryptocurrency and these complex things, is the idea of going down rabbit holes. And if you’re continuing to go down this rabbit hole, you’re not going to come up with anything. It’s going to be a dry hole. But in this case, we never I think, went too far down a rabbit hole without finding something that said, all right, we need additional process here.
We need to go further and actually subpoena that next email address or that phone number, because always something there. There was always another there. But essentially in the emails, what we found was that she was communicating with two individuals that when we traced their email addresses back in open source, so this is just simply Googling stuff.
We saw that they were prolific HTS and Malhama Tactical affiliated individuals. The one guy was a German citizen that was fighting there and he would basically… His byline on his telegram chat account was a German Mujahid documenting the everyday life of Mojahidin Shem. And that email was the exact same handle, so that was a really interesting piece.
And the other guy, Musab Sharqiya, and we just touched on this in the presentation, but he was a complete blank hole. We couldn’t find anything on his name. It wasn’t a real name. We were concerned that it was just someone that was completely unidentified, which would be maybe even worse, because that person could be here in the city as well, or in the US rather.
But then we popped in the name to Google and then pulled up a YouTube channel, a Instagram channel, and had all this information on this guy. And we started to realize that, she’s actually communicating with these individuals and she wants to send this money. She’s not being paid by someone here in the US. It was on her own volition. And that was one of those weird ones, because up until about, I’d say six months into the case, we thought that she was getting paid, or that was one of the possibilities that she wasn’t doing this on her own volition. So it was nice to get that intent and say, “Hey, look, we can start making further investigatory steps.”
David:
Well, for us, there was never any question that she was the one that conducted the transactions. One of the hardest parts about doing the terrorism financing case is proving that she intended that the money that she sent was going to support terrorism overseas. And that’s why we did those early search warrants to peel back the layers, to see what she was saying to the other individuals that she was sending money to, what was her online activity.
And that’s when we started finding her Twitter account where she was praising HTS. We found emails where she was talking about coordinating finances in order to do Jihad overseas. And at that point, there was no question as to what her intent was. And then that started a whole other series of events, investigative events that we did, which started finding even more evidence.
Ian:
It is really interesting because I think we’ve seen over the years a number of campaigns where groups were fundraising online, like social media ads, basically, but they would mask the true intent. In some cases, not very well masking. It’s like donate to help orphan children who have been caught in the war in Syria. But if you looked one step closer, it was very clearly going to Hezbollah or one of the other militant organizations, ISIS operating in the region. So it’s interesting that you were able to find this very direct intent where there wasn’t even a veil of, oh, I’m sending money to help something innocuous and not harmful. It’s like, oh no, I’m here to fund terrorist activity.
David:
In some ways we got lucky. She was pretty clever online. Obviously we have some great messages and we showed some of them during the presentation and throughout the trial, but that was just a fragment or a fraction of our overall communications with terrorists overseas. We only got bits and pieces. Just looking over her phone, she had three years worth of communications with these guys, and we only had bits and pieces that she either forgot to delete, or chose to save on her phones for whatever reason.
Ian:
Did she use a real identity with the crypto exchange when you subpoenaed there, or was it.
David:
Yes. She did.
Ian:
Interesting.
David:
But for her wallet though, she used a noncustodial wallet, and she did not use her real name. She didn’t have to use any name. There was zero KYC that was required for her to set up that wallet, and she knew that. So it was very much a circumstantial case in some ways, because we had a lot of evidence that pointed to her, some more direct than others. But it was just the overall amount and volume of evidence that identified her.
In fact, her defense at the trial, at least up to three quarters of the way through, was that it wasn’t her at all, that someone else had assumed her identity and conducted all of these transactions that someone else had been the one that communicated with these terrorists, which was so asinine because we literally found pictures of the terrorists on her phones. And pictures that she had spliced of herself in with the terrorists to show that they were in some sort of relationship.
Dan:
Sorry, Dave, not to interrupt, but I want to take from the CT side of things to give you a little background on Malhama Tactical, the individual Salman Belarusi, he’s talking about. He was a guy that during the Syrian Civil War, he was prolific for his operational security. You could not find a picture of him out there without his mask on. He always was masked up and to the point where he actually faked his own death at one point during the Syrian Civil War, and then re-emerged as another guy Abu Rofiq, or the other way around. It was Rofiq and then he became Abu Salman. So the fact that when we went on these phones and we found pictures of him just lounging around the barracks, having a Coca-Cola, we were like, oh, they really were close communicating partners.
Ian:
Was there a romantic relationship? It sounds like maybe-
David:
Somewhat romantic relationship.
Ian:
They didn’t meet in person, so there was no-
David:
This is a little bit hard to say exactly what their relationship was.
Ed:
I would say as somebody who came in late and was adjusting to all of this at first, it struck me a little odd, but I think in this day and age, there are people that they would call a relationship where they never meet. And it’s a true romantic relationship where they’re purely online knowing that they were never going to meet. Remember it was an impossibility. She was never going to get to Syria. That was an impossibility of it. So it allowed it to just continue in this way. And it was something that I was like, well, this doesn’t make sense. And then when you took it into that sort of context of no, people do have these online relationships, it made it seem a little bit more reasonable. One thing I just want to touch, I think Dave said, “Oh, we were lucky.”
And that’s true of any criminal investigation. Luck plays a part of it, but you can say that about anything in life. The question is, are you working hard enough and are you being vigilant enough that when your break comes along, are you there to take advantage of it and discover it? And that’s what these guys were doing. They could have turned around at any time and been like, this is crazy, or this is not that much money.
But they kept going because they’re like, this should be something there. And by doing so, you uncovered a very dangerous person operating in New York City for a very bad group. And I think that was a key part that I just want to say. It’s easy to sell ourselves short sometimes and be like, “Oh, luck had a lot to do with it.” Well, you still kept going and you still persevered and you still have the annals, so you kind of made your own luck in that way.
David:
Ed, I’m sorry. I’m just so glad you brought that up. And I just want to add two short points in.
Ed:
Absolutely.
David:
And this was evidence at the trial, so it’s no surprise to anybody. She claimed to be Belarusi’s fiancee. I don’t think that they… We don’t have any evidence they ever got engaged, but she obviously viewed herself…
Ian:
In her head.
David:
… in her own mind as having that kind of romantic relationship with him. And two, to Ed’s point, I’m so glad he brought it up. At the DA’s office in Manhattan, we are the only local DA’s office in the entire country that I know of that has a dedicated team for counterterrorism cases. We have four full-time analysts who are experts in all things’ terrorism, and we have dedicated investigators, and we work with NYPD’s team, which is even bigger than ours and have similar expertise. But it was so important for us as prosecutors to understand the landscape because otherwise, when a case like this walks in, if we hadn’t been prepared at the outset, we would’ve had no idea how to handle it.
Dan:
And to that point [inaudible 00:19:33], one quick point. We talk about low dollar amount of cases, and I think that at the state and local level, people that are looking at cryptocurrency enabled crimes. They should pursue these small dollar amount cases, because you never know where it’s going to lead. And at the federal level, they may say, “Well, we don’t have the resources to pursue $500,” but we do at the local level.
Ian:
I love this story and the point you’re making about having people with the expertise to investigate digital aspects of a crime, because I talk to a lot of people from around the country, and I think that’s their biggest challenge, is they have a big caseload. They have maybe one expert investigator who’s catching everything and they just can’t follow everything through. So it’s terrific that you’ve got a broader set of resources here, particularly on a topic with the urgency of counter-terrorist financing.
David:
And cryptocurrency, and I should do a shout-out to the lab. We have probably one of the most preeminent digital labs in the country, if not the world. So when we got those phones in from the search warrant, they were processed and ready to be extracted and analyzed within-
Dan:
48 hours.
David:
… 24 hours. So that speed at which we’re able to do these complex cases and get evidence from cell phones and other devices is unique and essential.
Ian:
Now, one thing I’m always curious about is you’ve now got a fairly good picture of the case. It’s clear that there’s money moving to a terrorist organization. Once you get these email search warrants, you’re able to establish there’s intent behind it. Do you immediately go and arrest the individual at that point? Or do you surveil them for longer to potentially uncover a wider network? How do you make a decision on that?
Ed:
Well, I think, and this is where I can assist in my perspective, it all depends on each case. Here, the best evidence that they recovered was from the cell phones. Any arrest before that would’ve been… I felt they made the right choice, they would’ve been premature and then there’s a whole bunch of things that would’ve happened. So it really depends on what you get in these cases and evaluating what strength you are. I think it’s always a good idea to make sure that you’re ready to go. Do not make an early arrest unless you absolutely need to. Make sure you have all your evidence. If you’re banking on getting evidence-
Ian:
Through the arrest.
Ed:
… through the arrest, that’s a difficult challenge. And that could also impede your investigation, not hurt your chances of success. The key part of why this was successful was a continuing partnership between NYPD and the Manhattan DA’s office, and how the investigation was going to be taken down when the arrest was going to occur. The coordination of the search warrant that Dan talked about during his presentation, having the Manhattan DA’s, that unit, the high-tech analysis unit present, so we got the phones and that she was not able to destroy that evidence, because we had anticipation that we weren’t going to be able to arrest her. So those steps were key to success and I think that always a case by case basis, but here, I think that was the right move. It was clearly the right move.
Ian:
I’m curious about, so once you make the arrest, obviously then you’re getting prepared for trial. And I think one of the challenging things about any case where there’s digital evidence, but in particular cryptocurrency, it’s very technical and you’ve got to present that to an audience that they’re not spending all day long thinking about crypto. And what’s the strategy, whether it’s a judge or a jury trial, that you’re able to lay out effectively communicating the facts when they’re very technical in nature.
Ed:
And this is where it was almost helpful that I wasn’t involved early on, because these guys were well in the weeds of cryptocurrency. And I had a loosely affiliated association. Money launderers use cryptocurrency and narcotics trafficking. I’d done a lot of money laundering cases. I was very familiar with that crime. And then I heard cryptocurrency, I’m like, whoa, okay. I don’t know. And I had an analyst come down and explain it to me. And I’m like, okay.
So I kind of just remembered hearing how I was able to take that information that she gave me and was able to sit there and be like, that’s what we need to do for a jury, because they can understand it. When it boils down to it, it’s going to be she’s sending money to a bad actor to do bad things. We just got to get the jury not to get lost in the weeds of all this data of what cryptocurrency is.
And that was when we used… We were talking to Beth Bisbee and other teams that other people at chain analysis too, were assisting us in understanding the transactions and different things. And we really just broke it down and be like, look, we really need to explain this to an uninformed jury pool that doesn’t have any familiarity with it. And in fact, it was funny when we were picking our jury, everybody that had a familiarity of cryptocurrency knew about this case and was actually taken off the jury, because they had previous knowledge of it. So it was just interesting, but it was sort of a small world and I think-
Ian:
So you got a preselected pool basically that had zero knowledge of crypto walking in almost.
Ed:
I think we had one jury that was like, “I know what this is, and I know that everyone’s going to ask me what is going on.” And we didn’t want to have competing expert, and it was a very good jury pool, but sort of like that point. But I think it’s just, that’s our job as prosecutors, which is what I [inaudible 00:25:16] my presentation. Dave’s mentioned that he handled sex crimes. He had to explain DNA evidence. I handled narcotics trafficking cases. I would have to explain where the drugs come from, how heroin is broken down into a heroin mill, other aspects of that. So just like cryptocurrency, terrorist finance is a very big term, but you can break it down to we have a defendant here sending money to bad actors overseas to do bad things. And as long as we kept that focus, the jury was right with us the whole time.
Ian:
That’s amazing. Now, I want to go back to something, David, that you mentioned earlier. You said that the defendant changed their defense strategy three quarters of the way through the trial. They went from saying they had nothing to do with it. Their identity had been stolen. What did they change to? What was the-
David:
Well, the defense ultimately in this summation, because they could not deny that it was her because the evidence was so strong that she was the one responsible for the communications and the transactions ultimately was that, which is really, I think, a very bad defense. But their defense was, “Well, the Syrian terrorist group wasn’t that bad,” and-
Ian:
Sorry, I have to laugh a little bit.
David:
Well, Syria is a complicated place.
Ian:
Share the name of that lawyer with me later, and I’m going to make sure to-
Ed:
Well, I’ll give them a break. They had a tough client and there wasn’t much to say. They had to say something.
David:
And Syria is a complicated place. The group was not only trying to establish their own violent Jihadist state within Syria, they were battling against the Syrian regime and also Russia. So there were some common enemies that the defense could point to, to say, “Hey, they’re fighting Russia. We’re fighting Russia, so maybe they’re not that bad.” But at the end of the day, the two wrongs don’t make a right. And this was a bad group, regardless of the fact that they were also fighting groups or countries like Russia and the Assad regime in Syria.
Ed:
In a way, if you were a juror on this case, you got educated on cryptocurrency, terrorist financing, and also the Syrian Civil War. And this group that you’ve never heard of as Hay’at Tahrir al-Sham and their military training operation of Malhama Tactical. So that was a lot for them to digest.
Ian:
Just pronouncing that would kill me right there.
Ed:
It took me very long to get those down. And I don’t know if… I still don’t know if I’m right. There’s no way to can call me out if I’m wrong.
Ian:
And then just to wrap the story, so the conviction was just handed down recently. You want to tell that story?
Ed:
I think, well, Dave gave a great summation that really was covered the whole entire breadth of her criminal activity from the start. And the jury was given the case, I think, very early on, and within three hours, Convicted that it was… I think Dave said it was three weeks. I feel like it was a four-week trial. I think it was jury selection took a week, and then we had three weeks of testimony.
Dan:
Four week trial.
Ed:
Four-week trial, and they deliberated for less than three hours. Convicted the defendant on all counts.
Ian:
Congratulations.
David:
Thank you very much.
Ian:
Big win for great effort here. Gentlemen, thank you for coming to Links. Thank you for sitting here with us on the podcast and sharing the success. Here’s to many more in the future.
Ed:
Thank you very much.
Ian:
Absolutely.
David:
Thank you for having me. It’s really a pleasure.
Ian:
All right.
Ed:
Thank you guys.
David:
I apologize.
Key Takeaways
- On June 16, the IMF reported Nigeria drew $59 billion in crypto inflows, capturing 60% of regional stablecoins.
- High 9% remittance costs and a volatile naira drove Nigerian businesses to adopt US dollar- stablecoins.
- The Nigerian Senate sent a new crypto licensing bill to the Committee on Capital Market for a 4-week review.
IMF: Stablecoins Transform From Niche Market to Major Payment Route
Nigerians are increasingly turning to U.S. dollar-pegged stablecoins to move money across borders as small businesses and households search for cheaper and faster alternatives to traditional banking channels, the International Monetary Fund (IMF) said June 16.
Previously seen as a niche financial market, crypto has evolved into a dominant payments corridor in Nigeria. The country pulled in roughly $59 billion in crypto inflows between July 2023 and June 2024, securing about 60% of all stablecoin traffic in sub-Saharan Africa, IMF data shows.
The surging adoption comes as the Nigerian government pivots toward formalizing the digital asset sector. The Nigerian Senate recently advanced a comprehensive cryptocurrency regulation bill to its Committee on Capital Market for a four-week review phase. The bill, which passed a crucial second reading following a majority voice vote, aims to establish mandatory licensing for digital asset exchanges and introduce investor protections.
For years, regulatory uncertainty has clouded the country’s digital asset market. Local industry advocates point to a restrictive 2021 central bank directive under former Central Bank of Nigeria Governor Godwin Emefiele as a measure that drove transactions into opaque, black-market environments and slowed institutional growth. Lawmakers sponsoring the new legislation argue that formal regulation is now vital to protect consumers and prevent Nigeria from falling behind regional peers like South Africa and Kenya.
The economic drivers behind the shift are stark. Traditional cross-border remittances to sub-Saharan Africa are among the most expensive in the world, averaging about 9% of a $200 transaction value compared to a global average of 6%, according to World Bank data cited by the IMF.
By contrast, stablecoins allow users to transfer funds near-instantly via smartphones and digital wallets at a fraction of the cost. Beyond cost-cutting, the digital tokens offer local users a way to store value outside of the volatile Nigerian naira, effectively acting as a bridge between cryptocurrency markets and everyday commerce.
However, the IMF warned that the rapid rise of dollar-linked tokens introduces significant policy headaches for West Africa’s largest economy. Widespread displacement of the local currency could weaken the central bank’s monetary policy levers by reducing domestic demand for the naira.
Furthermore, migrating financial transactions to private digital wallets complicates regulatory oversight, raising the risk of illicit financial flows and terrorism financing—the exact vulnerabilities the Senate’s newly proposed regulatory framework is under pressure to address.
Crypto
Crypto Clipper uses Tor and worm-like propagation for persistence and control | Microsoft Security Blog
Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets.
The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.
The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.
For defenders, the strongest signals are behavioral: script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.
Microsoft Defender for Endpoint detects multiple components of this threat such as Suspicious JavaScript process and Possible data exfiltration using Curl. Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan: Win32/CryptoBandits.A.
Attack chain overview
Since February 2026, malicious shortcut (.lnk) payloads have infected devices with a cryptocurrency clipper. This malware comprises two components that it deploys on the compromised system: a worm component that ensures propagation and a clipper/stealer component that harvests and exfiltrates cryptocurrency wallet information.
The worm functionality ensures propagation by creating additional malicious shortcuts of legitimate files it identifies on the device. It also delivers file-based payloads and excludes them from Defender scanning. It deploys scheduled tasks for execution and persistence for both the worm component and the stealer component. Figure 1 presents a high-level execution flow of the two components.
The clipper runs as a script-based payload that interacts with the operating system through WScript and ActiveXObject. It includes an anti-analysis check that queries running processes and exits if Task Manager is detected. If the environment passes this gate, the malware launches a renamed Tor binary named ugate.exe in a hidden window, waits about 60 seconds for Tor to bootstrap, generates a victim GUID, and registers the infected device with a hidden-service C2.
After registration, the malware enters a continuous loop. It polls the C2 for instructions and monitors the clipboard roughly every 500 milliseconds, extracting seed phrases and private keys that match wallet-related patterns. It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor. If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime.
Behaviors and methodologies
Initial access
Initial access occurs from malicious .lnk files. In instances we analyzed, these .lnk shortcuts were distributed on USB storage devices. The .lnk shortcut stages a worm component in the form of an executable. The malicious script checks for an existing malicious payload and stops if the device is already infected. If the payload is not present, the malware fetches the payload from the C2 through Tor. The Figure below illustrates the functions that stage and decrypt the initial payload.
The .lnk payload scans the USB device for common document files like .doc, .xlsx, .pdf, hides the original files, and creates additional .lnk shortcut files with the same file names. The shortcut files are crafted with arguments to link to the worm payload. The end user is not aware that they are launching an executable when opening the .lnk files.
Execution
Once a user clicks on one of the shortcuts, the staged worm payload runs. It excludes staging folders and Windows binaries used in the execution of the stealer component. The malware then drops decrypted payloads, including two malicious JavaScript files, into the subfolder under the “C:UsersPublicDocuments” folder.
A five-character naming convention is used both for the subfolder and the scripts’ names.
The figure below illustrates an instance with files dropped under a ” C:UsersPublicDocumentsomoho” folder path:
The worm component also establishes persistence by creating two indefinite scheduled tasks: one responsible for spreading itself to a freshly inserted uncompromised USB storage device, and another for the stealer activity.
Defense evasion
The malware employs multi-layered obfuscation, with all components encrypted and only decrypted at runtime. Installation is handled by a Python script that is itself obfuscated using PyArmor and packaged into a standalone executable via PyInstaller. In addition, the two JavaScript payloads are each protected with dual-layer obfuscation, further increasing analysis complexity. This design significantly reduces static visibility while maintaining flexible runtime behavior.
The sample also incorporates a basic anti-analysis check by querying the Win32_Process WMI class and terminating execution if Task Manager is detected. Although simplistic, this mechanism can hinder manual inspection and slow initial triage efforts.
The bundled Tor client is central to the operation. By routing communication over localhost:9050 and resolving “.onion” destination domains inside Tor, the malware reduces DNS visibility, obscures the final C2 destination, and complicates destination-based blocking. This design gives the operator anonymity benefits while keeping the malware compact and self-contained.
Command and control
The command and control over a Tor-routed domain routes network traffic through local IP address 127.0.0.1 on port 9050. The tunneled domain appears in the initiating process command line. The C2 domains use the following endpoints and actions across different execution stages.
- C2 Domain:
.onion - Endpoints:
- /route.php : Beacon and command retrieval
- /recvf.php : File upload (screenshots)
- /stub.php: Payload download
- Communication:
- Protocol: HTTP over Tor (SOCKS5 proxy at localhost:9050)
- Method: curl with POST requests
- Authentication: GUID + GEIP (geolocation)
- Actions Sent to C2:
- GUID : Heartbeat beacon
- SEED : Exfiltrated seed phrase
- PKEY : Exfiltrated private key
- REPL : Address replacement notification
- GOOD : (legacy/fallback action)
- Commands from C2:
- GUID : Acknowledge/refresh victim GUID
- EVAL : Execute arbitrary JScript code (remote code execution)
A file named “cfile” is created on the infected system as an output for payload hosted on the C2 domain.
The malware sample we analyzed also provided a function called checkC2Command. The function has an EVAL method, which would allow any payload placed in the cfile to be executed on the victim’s system.
Collection
Seed
Clipboard theft focuses on high-value financial artifacts. The malware detects 12 or 24-word BIP39 seed phrases in clipboard data. It saves the seed to local file (GOOD path) as a backup and exfiltrates it to the C2 domain via Tor. It retries network transmission until it is acknowledged and deletes local backup after successful transmission. It also takes five screenshots (ten seconds apart) and uploads them asynchronously. The screenshots help the threat actor gain additional context on the end user’s wallet and balances.
The crypto clipper also detects cryptocurrency keys for both Ethereum and Bitcoin WIF. Once the captured keys are saved and exfiltrated, the malware captures screenshots of the user’s screen for a full context. The captured values are validated against a word list.
Address replacement
The stealer also probes for cryptocurrency addresses and replaces them with attacker’s addresses. The malware checks that the address has alphanumeric values.
- For a Bitcoin legacy address which starts with “1” and has a length of 32-36 values, the address is replaced with an address that matches the first two characters.
- For a Bitcoin P2SH address which starts with a “3” and has a length of 32-36 values, the stealer replaces the address with one matching the original address on the first two characters.
- For a Bitcoin taproot address which starts with “bc1p” and has a length of 40-64 characters, the stealer replaces it with one matching the last character.
- For a Bitcoin Bech32 address which starts with “bc1q” and has a length of 40-64 characters, the stealer replaces only the last character.
- For a Tron address which starts with “T” and has exactly 34 characters, the stealer replaces the address with one that matches the first two characters.
- For a Monero address which starts with a “4” or a “8” and has exactly 95 characters, the stealer replaces the address with a single address.
The following shows an example of address replacement:
This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking. The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.
Organizations should focus on hardening script execution paths, monitoring local SOCKS proxy abuse, and using behavioral hunting to connect script activity with network, clipboard, and process signals. That combination offers the best chance of surfacing this class of threat before financial loss or broader follow-on activity occurs.
Mitigation and protection guidance
Defenders should prioritize behavioral detections over static signatures. Investigate systems where WScript, CScript, or related script engines launch curl, cmd.exe, PowerShell, or unexpected executables. localhost:9050 network activity, especially when coupled with suspicious scripting behavior, is also valuable context for triage.
Where operationally feasible, reduce abuse of script-based interpreters and review Attack Surface Reduction rules that block obfuscated scripts and suspicious child-process chains. Review detections for PowerShell-based screen capture and examine devices for indicators of clipboard inspection or wallet-address replacement.
Recommended actions
- Disable AutoRun/AutoPlay for all removable media
- Block .lnk execution from removable drives via GPO
- Restrict unnecessary use of wscript.exe, cscript.exe, and similar script hosts where possible.
- Review and enable relevant Attack Surface Reduction rules, especially those focused on obfuscated script execution and suspicious child-process behavior.
- Investigate script-to-network chains involving curl, PowerShell, or cmd.exe.
- Hunt for local SOCKS5 proxy activity on localhost:9050.
- Review clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Tactic
Observed activity
Microsoft Defender coverage
Initial Access/Execution
Malicious .lnk delivers malware components
EDR Suspicious behavior by cmd.exe was observedSuspicious Python library load
Execution
WScript / ActiveXObject execution and runtime tasking
EDR Suspicious JavaScript processSuspicious Python library loadSuspicious behavior by cmd.exe was observed AV Contebrew malware was prevented Behavior:Win64/PyPowJs.STA
Discovery
Task Manager check used as an anti-analysis gate
Persistence
Scheduled tasks are created to run the JavaScript payload wrapped in a XML file.
EDR Suspicious Task Scheduler activity
Defense Evasion
Shuffled strings and decoder functions conceal commands and APIs Task Manager if detected, the malware execution is halted
Behavior:Win64/ProcessExclusion.ST; Behavior:Win64/PathExclusion.STA Behavior:Win64/PathExclusion.STB
Collection
Clipboard theft targets seed phrases, keys, and wallet addresses PowerShell screenshot capture supports operational visibility
AV:
Trojan:Win32/CryptoBandits.A Trojan:Win32/CryptoBandits.B Trojan:JS/CryptoBandits.A Trojan:JS/CryptoBandits.B
Command and Control
Traffic routed through Tor via local SOCKS5 proxying
EDR Possible data exfiltration using curlBehavior:Win64/CurlOnion.STA
Exfiltration
Data posted using Curl through Tor via local SOCKS5 proxying
EDR Possible data exfiltration using curl
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
- Incident investigation
- Microsoft User analysis
- Threat actor profile
- Threat Intelligence 360 report based on MDTI article
- Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Advanced hunting
Execution launched from scheduled tasks
DeviceProcessEvents
| where FileName =="schtasks.exe"
| where ProcessCommandLine matches regex
@"(?i)schtaskss+/creates+/tns+[a-z]{4,6}s+/xmls+C:\Users\Public\Documents\[a-z]{4,6}\[a-z]{4,6}.xmls+/f"
Local Tor proxy activity (localhost:9050)
DeviceNetworkEvents
| where ActionType =="ConnectionSuccess"
| where InitiatingProcessCommandLine has_all ("curl","socks5-hostname",".onion")
Tor-routed curl execution
DeviceProcessEvents
| where FileName =~ "curl.exe"
| where ProcessCommandLine has_all ("--socks5-hostname", "localhost:9050")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
MITRE ATT&CK Techniques observed
This threat has exhibited use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework.
Initial Access
- T1091 Replication Through Removable Media
Execution
- T1059 Command and Scripting Interpreter | EVAL-driven remote code execution from server tasking
Discovery
- T1057 Process Discovery | Task Manager check used as an anti-analysis gate
Persistence
- T1053.005 Scheduled Task/Job | Scheduled Task
Defense evasion
- T1027 | Shuffled strings and decoder functions conceal commands and APIs
Collection
- T1115 Clipboard Data | Clipboard theft targets seed phrases, keys, and wallet addresses
- T1113 Screen Capture | PowerShell screenshot capture supports operational visibility
Command and Control
- T1090 Proxy | Traffic routed through Tor via local SOCKS5 proxying
Exfiltration
- T1048.002 Exfiltration Over Alternative Protocol
Indicators of compromise (IOC)
| Indicator | Type | Description |
| 7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c | SHA-256 | Crypto Clipper Worm |
| a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630 | SHA-256 | Crypto Clipper Worm |
| 23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43 | SHA-256 | Crypto Clipper Worm |
| cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30 | SHA-256 | Crypto Clipper Worm |
| 100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8 | SHA-256 | Crypto Clipper Worm |
| d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f | SHA-256 | Crypto Clipper Worm |
| 9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96 | SHA-256 | Crypto Clipper Worm |
| 67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5 | SHA-256 | Crypto Clipper Worm |
| 0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a | SHA-256 | Crypto Clipper Worm |
| 35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd | SHA-256 | Crypto Clipper Worm |
| c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502 | SHA-256 | Crypto Clipper Worm |
| d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba | SHA-256 | Crypto Clipper Worm |
| b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f | SHA-256 | Crypto Clipper Worm |
| 7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05 | SHA-256 | Crypto Clipper Worm |
| f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0 | SHA-256 | Crypto Clipper Worm |
| 20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1 | SHA-256 | Crypto Clipper Worm |
| ugate.exe | Filename | Portable Tor binary |
| cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion | Domain | C2 domain |
| gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion | Domain | C2 domain |
| he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion | Domain | C2 domain |
| lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion | Domain | C2 domain |
| j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion | Domain | C2 domain |
| shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion | Domain | C2 domain |
| 7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion | Domain | C2 domain |
| facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion | Domain | C2 domain |
| wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion | Domain | C2 domain |
| ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion | Domain | C2 domain |
References
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
Key Takeaways
- SpaceX could join major indexes within weeks of its Nasdaq debut.
- Only about 8% of SpaceX shares are currently tradeable, limiting initial index weightings.
- Broader index exposure could build well before SpaceX becomes eligible for the S&P 500.
Fast-Entry Rules Could Put SpaceX Into Millions of Investor Portfolios
Millions of investors may soon find SpaceX (Nasdaq: SPCX) inside funds they already own, according to James Flintoft, head of investment solutions at AJ Bell. The company’s Nasdaq debut has opened fast-entry routes into several major indexes, while S&P 500 funds remain tied to a longer eligibility schedule.
SpaceX began trading at $135 per share after raising more than $85 billion, making it the largest IPO on record. Its valuation later surpassed $2 trillion, placing the company among the most valuable publicly listed businesses in global markets.
A company of that size can qualify for major benchmarks quickly, but passive investors will not all receive exposure at the same time. The timing depends on the index behind each fund, including Nasdaq-100 products, MSCI global trackers, FTSE Russell funds, and CRSP-based portfolios, whose indexes underpin many Vanguard U.S. index funds, alongside S&P 500 trackers.
AJ Bell, a U.K. investment platform offering individual savings accounts (ISAs), pensions, and dealing accounts, said the listing raises important questions for passive investors. Flintoft said:
“The first practically important question for investors using index or passive strategies in their portfolios is not whether SpaceX is a good investment – it is will you hold it, where and when?”
Nasdaq has already created a faster route for large IPOs. The exchange’s May 1, 2026, methodology update allows newly listed companies ranked among the top 40 by market capitalization to enter the Nasdaq-100 within 15 trading days. Flintoft stated, “while SpaceX’s shares listed on the Nasdaq stock exchange, they will take slightly longer to join the Nasdaq-100 index.”
Those rules explain why SpaceX could appear quickly in several fund families. Nasdaq-100 trackers can use Nasdaq’s 15-trading-day window, FTSE Russell products can use the fifth-trading-day process, and MSCI-linked funds can apply MSCI’s large-IPO framework.
S&P 500 Funds Remain on a Different Timeline
FTSE Russell has also moved toward faster IPO inclusion. On May 26, 2026, the index provider said eligible large IPOs can enter Russell U.S. indexes after the fifth trading day, using first-day free float, following a February market consultation.
MSCI provides another route into global index funds. Its Global Investable Market Indexes have used fast-track rules for large IPOs since 2007, covering benchmarks tied to MSCI World, MSCI ACWI, MSCI Emerging Markets, and MSCI EAFE products.
Flintoft explained:
“If your portfolios include Nasdaq-100 trackers, FTSE Russell-based products, MSCI World or MSCI All Country funds, those products will acquire exposure within weeks of listing.”
“The initial weighting will be measured in basis points given the constrained free float, but as lockup tranches release over the following six months, the weighting will grow – depending on how the share price performs,” he further shared.
S&P 500 funds remain on a different timeline. Flintoft noted that S&P Dow Jones Indices confirmed June 4 that companies must trade publicly for at least 12 months and be profitable under U.S. Generally Accepted Accounting Principles, the accounting standards used in corporate financial reporting. SpaceX has yet to meet either requirement, placing potential S&P 500 inclusion no earlier than mid-2027.
The company reported a $4.94 billion net loss in 2025, compared with a $791 million profit in 2024, while revenue rose 33% to $18.67 billion. It also recorded a $4.3 billion loss in the first quarter of 2026.
The first portfolio changes should be small, with Flintoft citing Bloomberg data showing about 8% of SpaceX shares are currently tradeable. As additional shares are released after the first quarterly earnings report and at later lockup dates, index weightings could increase over time. SpaceX could appear in Nasdaq-100, FTSE Russell, MSCI, and CRSP-linked products over the coming weeks as those indexes follow their respective inclusion schedules, while S&P 500 trackers remain subject to existing eligibility rules.
-
Lifestyle21 minutes agoThe second life of a classic: ‘Amores Perros’ is remastered and back in theaters
-
Technology30 minutes agoValve is so behind on Steam Controller orders that some won’t ship until 2027
-
World36 minutes agoFrom bear hugs to handshakes: How India lost its edge with Trump while Pakistan quietly gained ground
-
Politics43 minutes agoNew poll reveals where Americans stand after Trump agreement with Iran
-
Health46 minutes agoNo sex for 10 weeks? Championship team’s playoff strategy raises eyebrows
-
Sports51 minutes ago2026 FIFA World Cup Golden Boot Race Tracker: Lionel Messi Is Alone At The Top
-
Technology58 minutes agoMcDonald’s AI drive-thru may take your next order
-
Business1 hour ago
Uber, California lawyers say deal reached to avert dueling ballot initiative showdown
