Threat Profile of FTO-Designated TCOs
1.0 EXECUTIVE SUMMARY
This report details the verified technical and operational capabilities of the eight Transnational Criminal Organizations (TCOs) designated as Foreign Terrorist Organizations (FTOs) on February 20, 2025. The combined threat from these groups is a non-state power that has demonstrated superiority over state security forces in direct engagements. They manage an illicit global economy with an estimated annual revenue between $12 billion and $49 billion. This financial power enables them to procure advanced technology, including tactical electronic warfare systems, encrypted command and control networks, and weaponized aerial drones for kinetic strikes. The primary and most direct threat to U.S. national security is their role as the principal source for illicit fentanyl and its analogues, which are the main drivers of the U.S. overdose crisis. Their capacity to project violence is significant, demonstrated by their standard use of .50 caliber anti-materiel rifles and improvised armored vehicles in direct confrontations with the Mexican military. Furthermore, they actively destabilize regional governments, illustrated by their ability to conduct large-scale, coordinated urban sieges, like the "Culiacanazo" event, that overwhelm state control.
2.0 COMMAND, CONTROL, COMMUNICATIONS (C3) & SIGNALS INTELLIGENCE (SIGINT)
These organizations use a layered and adaptable command and control structure designed to maximize operational security and efficiency. The architecture is tiered to mitigate risks of interception and penetration by state-level adversaries.
2.1 C3 Architecture:
Tier 1 (Strategic Leadership): Communication between top-tier leadership avoids commercial infrastructure entirely. They rely on two primary methods: direct, in-person meetings with trusted human couriers or self-hosted, end-to-end encrypted platforms. Based on seizure analysis, this includes platforms like Element running on a private Matrix server or dedicated Threema servers. This approach gives them full control over their data and infrastructure, preventing law enforcement from serving legal orders to a commercial third party, thus creating a closed and technically sound communication ecosystem.
Tier 2 (Operational/Regional Command): Regional commanders and cell leaders use commercial end-to-end encrypted apps but employ specific tactics to enhance security. They use burner phones with disposable SIM cards that are frequently changed. Communications from these devices are routed through commercial Virtual Private Networks (VPNs) to obfuscate their true IP address and location. Signal and Telegram are the preferred applications.
Tier 3 (Tactical/Street Level): This tier uses a mix of encrypted apps and private radio networks. These networks are built with commercial hardware, often Motorola or Kenwood two-way radios, that have been programmed with encryption. To extend range across vast rural territories, they establish their own infrastructure, placing radio repeater systems on strategic high ground like hilltops and mountains. This creates a resilient communications grid that is completely independent of public cellular or internet infrastructure.
2.2 Signals Intelligence (SIGINT) Operations:
Radio Intercept: The primary tools are now the Uniden SDS200 digital scanner, which offers superior performance in urban simulcast environments, and low-cost Software-Defined Radio (SDR) dongles paired with analysis software. While older models like the BCD536HP are still found, the SDS200 and SDRs represent their current primary capability. During the "Culiacanazo" siege, Sinaloa Cartel COMINT cells used such devices to monitor law enforcement radio traffic in real time. This actionable intelligence allowed them to direct their own armed convoys to establish roadblocks on routes being used by responding military and police units, effectively isolating government forces and seizing control of the city's key avenues of approach.
Cellular Intercept: The use of IMSI-catchers is a confirmed capability for targeted intelligence development. Once the unique IMSI/IMEI identifier of a target's phone is captured, it becomes a primary key for further intelligence operations. This identifier can be used to track the device's location over time through repeated captures, and it can be provided to corrupt officials with access to state-level surveillance systems for more intrusive monitoring. The identifier also allows them to more accurately target the individual with tailored malware or spyware in social engineering attempts.
3.0 ELECTRONIC WARFARE (EW)
Electronic Warfare capabilities are integrated directly into kinetic operations to create tactical advantages, primarily by isolating targeted government forces and protecting high-value cartel assets from surveillance.
3.1 Communications Jamming:
Hardware Profile: The systems are vehicle-mounted barrage jammers, often of Chinese origin, housed in protective Pelican-style cases within an SUV or truck. Power is supplied by a high-amperage alternator connected to the vehicle's engine. Antennas are typically mounted externally, sometimes disguised to look like standard commercial radio antennas.
Technical Specifications: These jammers are designed to simultaneously block multiple frequency bands with high-power electronic noise. The targeted bands include:
- VHF (136-174 MHz) and UHF (400-512 MHz) to neutralize law enforcement radios.
- Cellular Bands (4G/LTE) to prevent use of personal phones.
- GPS L1 Band (1575.42 MHz) to disrupt vehicle navigation and tracking systems.
Tactical Doctrine: The jammer is operated from a dedicated EW vehicle, distinct from the assault team. The EW vehicle maintains a position on the flank of the kill zone. The system is activated only seconds before the assault begins and deactivated upon the assault team's withdrawal. This brief, high-power transmission creates a significant communications denial bubble. Based on field tests of confiscated units, the effective range is 300 to 600 meters for VHF/UHF bands and roughly 500 meters or more for cellular LTE bands, depending on terrain and antenna height. A denial radius of this size is sufficient to isolate the targets and induce confusion across a wide area. The EW vehicle and assault teams exfiltrate via separate, pre-planned routes.
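The barrage signature described above (several bands elevated at the same moment, for a short burst, then gone) is what a defender's spectrum monitor can key on, and it is what separates a jamming event from an ordinary single-channel interferer. The following Python is an added example and not part of the original report: it runs simple detection logic over constructed noise-floor samples for the four bands listed above. The 20 dB rise threshold, the three-band minimum, the ten-sample baseline and every sample value are assumptions made for the illustration.

```python
"""Added example: flag a multi-band barrage-jamming signature in noise-floor samples.

Each sample is a dict {"t": seconds, band: power_dBm, ...} for the bands the
report lists as targeted. Thresholds and sample data are assumed/constructed.
"""
from statistics import median

BAND_NAMES = ("VHF", "UHF", "LTE", "GPS_L1")  # bands named in section 3.1
RISE_DB = 20.0          # assumed: rise above baseline that counts as "elevated"
MIN_BANDS = 3           # assumed: barrage signature = several bands at once
BASELINE_SAMPLES = 10   # assumed: the first samples are taken as a quiet period


def baseline(samples, n=BASELINE_SAMPLES):
    """Per-band median noise floor over the first n samples (assumed quiet)."""
    return {b: median(s[b] for s in samples[:n]) for b in BAND_NAMES}


def elevated_bands(sample, base, rise_db=RISE_DB):
    """Bands whose power sits at least rise_db above their baseline, sorted by name."""
    return sorted(b for b in BAND_NAMES if sample[b] - base[b] >= rise_db)


def _finish(event):
    event["bands"] = sorted(event["bands"])
    return event


def find_barrage_events(samples, min_bands=MIN_BANDS, rise_db=RISE_DB):
    """Segment the sample stream into events where >= min_bands are elevated together.

    A single elevated band (a nearby legitimate transmitter, for example) never
    opens an event; only simultaneous elevation across several bands does.
    Returns a list of {"start": t, "end": t, "bands": [...]} dicts.
    """
    base = baseline(samples)
    events, current = [], None
    for s in samples:
        bands = elevated_bands(s, base, rise_db)
        if len(bands) >= min_bands:
            if current is None:
                current = {"start": s["t"], "end": s["t"], "bands": set(bands)}
            else:
                current["end"] = s["t"]
                current["bands"] |= set(bands)
        elif current is not None:
            events.append(_finish(current))
            current = None
    if current is not None:
        events.append(_finish(current))
    return events


def constructed_samples():
    """Constructed one-second samples: quiet floor, a 5 s four-band burst at t=10..14,
    then a VHF-only rise at t=20..21 that must NOT be reported as a barrage."""
    quiet = {"VHF": -112.0, "UHF": -110.0, "LTE": -105.0, "GPS_L1": -130.0}
    jitter = [0.0, 0.5, -0.5, 1.0, -1.0]          # small receiver noise
    samples = []
    for t in range(25):
        s = {"t": t}
        for b in BAND_NAMES:
            s[b] = quiet[b] + jitter[t % 5]
        if 10 <= t <= 14:                          # simulated barrage on all bands
            for b in BAND_NAMES:
                s[b] = quiet[b] + 50.0
        if 20 <= t <= 21:                          # single-band event, not a barrage
            s["VHF"] = quiet["VHF"] + 40.0
        samples.append(s)
    return samples


if __name__ == "__main__":
    for ev in find_barrage_events(constructed_samples()):
        print(f"barrage {ev['start']}s-{ev['end']}s on {', '.join(ev['bands'])}")
```

In a real deployment the samples would come from a scanning receiver or SDR logging per-band power; the point of the heuristic is the simultaneity requirement, which a one-band interferer does not meet.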
3.2 Counter-Unmanned Aerial Systems (C-UAS):
Hardware Profile: The confirmed hardware is the SkyFend AFA100 anti-drone rifle. It is a software-defined system, meaning its threat library can be updated to counter new drone models.
Technical Specifications: This directional jammer has an effective range of up to three kilometers. It disrupts command and control, video, and GPS signals across all common drone frequency bands (900 MHz, 2.4 GHz, 5.8 GHz). Crucially, the system has a "spoofing" or hijacking capability against certain drone models, allowing the operator to take control of the target drone.
Tactical Doctrine: The C-UAS system is used both defensively and offensively.
Defense: At high-value locations like leadership encampments, a dedicated operator will monitor for aerial threats. Upon detection, the operator uses the SkyFend to force the drone to land or return to its origin point, which can be used to help geolocate the hostile drone operator.
Offense: The spoofing function allows for the hijacking of rival ISR drones, providing a direct intelligence advantage by giving them access to an adversary's aerial surveillance feed.
4.0 ISR & KINETIC STRIKE CAPABILITIES
These organizations operate a mature intelligence and strike cycle, effectively linking multi-source ISR platforms directly to kinetic operations. Their methodology mirrors the "Find, Fix, Track, Target, Engage, Assess" (F3T2EA) model used by state military forces.
4.1 ISR Platforms and Payloads:
Aerial Systems: Commercial quadcopters like the DJI Mavic and Phantom series are the primary ISR platforms. They are fitted with high-resolution, stabilized electro-optical (EO) and infrared (IR) camera gimbals for day/night surveillance.
Kinetic Drone Payloads: For strike missions, the larger DJI Matrice 600 is used to carry and drop explosive payloads. The payload release mechanisms are often 3D-printed and controlled by a simple, servo-actuated pin. The munitions are improvised, typically consisting of plastic containers filled with C4 or water-gel explosives surrounded by ball bearings to create shrapnel. They have also been documented dropping modified 40mm grenades.
FPV "Suicide Drones": A more recent development is the use of First-Person View (FPV) racing drones as single-use loitering munitions. These high-speed drones are loaded with a primary explosive charge and flown directly into a target by an operator using goggles, providing a highly precise, low-cost guided weapon against vehicles or building entry points.
Ground-Based ISR: The aerial network is supplemented by a robust ground surveillance system. This includes covertly placed commercial trail cameras along smuggling corridors and, most importantly, a vast Human Intelligence (HUMINT) network of lookouts known as "halcones" (hawks). These individuals are paid to report on law enforcement and rival movements in real time using burner phones and encrypted messaging apps.
4.2 The Kill Chain:
Find, Fix, Track: The F3T2EA cycle begins with the halcón network, SIGINT (cellular intercepts), and drone overwatch, which are used to Find a potential target. This multi-source intelligence is used to Fix the target's location and establish a pattern of life. Assets like GPS trackers and sustained drone surveillance are then used to Track the target in real time ahead of an operation.
Target, Engage (Case Study: Harfuch Ambush): Once the target package is developed, a kinetic cell is activated to Target and Engage. The June 2020 ambush on Omar García Harfuch illustrates this. The ISR phase identified the route and chokepoint. The Engage phase was not a random volley of fire; specific weapon systems were assigned to specific objectives. The .50 BMG rifles were tasked with defeating the vehicle's armor and disabling the engine block, while other riflemen provided suppressive fire against the security detail's response. This demonstrates a clear application of tactical fire control.
Assess: The final phase is Battle Damage Assessment (BDA). This is typically performed by the ISR asset (a drone loitering overhead) or HUMINT observers. The Harfuch case is a notable example of a failure in this phase. The assault team withdrew after the initial, overwhelming volley of fire, presuming the target was neutralized. Their failure to visually Assess and confirm the result allowed the wounded target to survive, representing a mission failure despite successful execution of the preceding steps.
5.0 LOGISTICS & FINANCIAL OPERATIONS
The logistical and financial capabilities of these organizations are technologically advanced and globally integrated, forming the backbone of their multi-billion-dollar illicit economy.
5.1 Logistics Hardware and Methods:
Low-Profile Vessels (LPVs): These semi-submersibles are purpose-built in remote jungle workshops, primarily in Colombia and Ecuador, using fiberglass hulls over a wooden frame. They are powered by a single inboard diesel engine and navigate transoceanic voyages using commercial GPS systems. Communication is maintained via satellite phones. Their ultra-low profile is designed specifically to evade surface-search radar detection, making them a primary tool for multi-ton cocaine shipments.
Cross-Border Tunnels: Tunnels are a key logistical tool for high-volume trafficking into the U.S. They are professionally engineered, often starting from a warehouse in Mexico and terminating in a connected warehouse in the U.S. A tunnel discovered in San Diego in 2020 stretched over 4,300 feet and included a ventilation system, high-voltage electrical cables, water drainage pumps, and an electric rail cart system for moving product efficiently.
Vehicle Cloning: This method is used to defeat checkpoints. Operatives acquire vehicles that are identical in make, model, and color to those of legitimate corporations like FedEx or even government utility companies. They then forge logos, official markings, and vehicle identification numbers to create a near-perfect replica. This allows them to transport high-value cargo with a significantly reduced chance of being stopped for inspection.
5.2 Financial Technology and Methods:
Phase 1: Placement (Cash-to-Crypto): Bulk U.S. currency from drug sales is collected and given to professional money laundering organizations. These groups use a network of Peer-To-Peer (P2P) traders, primarily on platforms like Binance P2P, to convert the cash into cryptocurrency. To avoid triggering financial reporting requirements, they also use a method called "structuring," where they deposit cash into multiple crypto ATMs in small increments. The preferred asset, according to TRM Labs analysis, is the USDT stablecoin operating on the TRON (TRC-20) network due to its stability, low transaction fees, and fast settlement times.
Phase 2: Layering (Obfuscation): Once in crypto form, the funds are "layered" to break the audit trail. This is done by moving the funds rapidly through hundreds of newly created wallet addresses. They also employ "chain hopping," bridging assets from one blockchain to another (e.g., TRON to Ethereum). For an additional layer of anonymity, they use crypto mixing services like the now-sanctioned Tornado Cash to sever the on-chain link between the source and destination of the funds.
Phase 3: Integration (Crypto-to-Goods/Cash): The cleaned cryptocurrency is then integrated back into the legitimate economy. It is used to directly purchase precursor chemicals and other goods from suppliers in China. This is often done via Trade-Based Money Laundering (TBML), where a cartel-controlled front company in Mexico "purchases" goods from a complicit Chinese company using the cleaned crypto. The Chinese company ships the goods (or sometimes an empty container), creating a fraudulent invoice that makes the transfer of value appear to be a legitimate business transaction. The crypto is also converted back into fiat currency (e.g., Mexican Pesos) through another network of P2P traders in Mexico to pay salaries and other operational expenses.
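The three phases above map onto detection opportunities for compliance and blockchain-analytics teams. The following Python is an added example, not from the report or any of its cited sources: it flags two of the patterns described, structuring at crypto ATMs (several individually sub-threshold cash deposits by one customer at two or more kiosks inside a rolling window) and rapid layering (a run of pass-through wallets, each used exactly once, traversed in minutes). The reporting threshold, the 72-hour window, the hop and time limits, and all deposit and transfer records are assumed or constructed for the illustration.

```python
"""Added example: detection heuristics for structuring and rapid layering.
Thresholds are assumptions; the sample records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0            # assumed reporting threshold for the heuristic
STRUCTURING_WINDOW = timedelta(hours=72)  # assumed rolling window
MIN_DEPOSITS = 3                          # assumed minimum number of sub-threshold deposits


def find_structuring(deposits, threshold=REPORTING_THRESHOLD,
                     window=STRUCTURING_WINDOW, min_count=MIN_DEPOSITS):
    """Flag customers whose individually sub-threshold deposits, made at two or
    more kiosks inside a rolling window, add up to the threshold or more.

    deposits: iterable of dicts with keys customer, kiosk, amount, ts (ISO 8601).
    Returns one alert dict per flagged customer.
    """
    by_customer = defaultdict(list)
    for d in deposits:
        if d["amount"] < threshold:             # only sub-threshold deposits matter here
            by_customer[d["customer"]].append((datetime.fromisoformat(d["ts"]), d))

    alerts = []
    for customer, items in by_customer.items():
        items.sort(key=lambda pair: pair[0])
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                      # slide the window's left edge forward
            in_window = [d for _, d in items[start:end + 1]]
            total = sum(d["amount"] for d in in_window)
            kiosks = {d["kiosk"] for d in in_window}
            if len(in_window) >= min_count and total >= threshold and len(kiosks) >= 2:
                alerts.append({"customer": customer, "deposits": len(in_window),
                               "total": total, "kiosks": sorted(kiosks)})
                break                           # one alert per customer is enough
    return alerts


def follow_passthrough(transfers, start, max_hops=100):
    """Follow funds from `start` while each next address is a pass-through wallet
    (exactly one inbound and one outbound transfer). Stops at the first address
    that fans in or out, which is typically a service or exchange deposit address.
    Returns the path, the hop count and the elapsed minutes over the hops used."""
    outbound, inbound = defaultdict(list), defaultdict(list)
    for t in transfers:
        outbound[t["src"]].append(t)
        inbound[t["dst"]].append(t)

    path, used, current = [start], [], start
    for _ in range(max_hops):
        nxt = outbound.get(current, [])
        if len(nxt) != 1:
            break                               # fan-out or dead end
        hop = nxt[0]
        used.append(hop)
        path.append(hop["dst"])
        if len(inbound[hop["dst"]]) != 1:
            break                               # fan-in: end of the pass-through run
        current = hop["dst"]

    minutes = 0.0
    if used:
        first = datetime.fromisoformat(used[0]["ts"])
        last = datetime.fromisoformat(used[-1]["ts"])
        minutes = (last - first).total_seconds() / 60
    return {"path": path, "hops": len(used), "minutes": minutes}


def is_rapid_layering(chain, min_hops=3, max_minutes=60):
    """Heuristic (assumed limits): several hops through single-use wallets in minutes."""
    return chain["hops"] >= min_hops and chain["minutes"] <= max_minutes


# Constructed sample records (not real customers, kiosks or addresses).
SAMPLE_DEPOSITS = [
    {"customer": "C-001", "kiosk": "K-07", "amount": 4800.0, "ts": "2025-03-01T10:05:00"},
    {"customer": "C-001", "kiosk": "K-12", "amount": 4900.0, "ts": "2025-03-01T16:40:00"},
    {"customer": "C-001", "kiosk": "K-03", "amount": 4700.0, "ts": "2025-03-02T09:15:00"},
    {"customer": "C-002", "kiosk": "K-07", "amount": 250.0, "ts": "2025-03-01T11:00:00"},
    {"customer": "C-003", "kiosk": "K-07", "amount": 9500.0, "ts": "2025-03-01T12:00:00"},
    {"customer": "C-003", "kiosk": "K-07", "amount": 9800.0, "ts": "2025-03-20T12:00:00"},
]
SAMPLE_TRANSFERS = [
    {"src": "W-src", "dst": "W-a1", "amount": 14400.0, "ts": "2025-03-02T10:00:00"},
    {"src": "W-a1", "dst": "W-a2", "amount": 14400.0, "ts": "2025-03-02T10:04:00"},
    {"src": "W-a2", "dst": "W-a3", "amount": 14400.0, "ts": "2025-03-02T10:09:00"},
    {"src": "W-a3", "dst": "W-a4", "amount": 14400.0, "ts": "2025-03-02T10:15:00"},
    {"src": "W-a4", "dst": "W-exch", "amount": 14400.0, "ts": "2025-03-02T10:22:00"},
    {"src": "W-other", "dst": "W-exch", "amount": 300.0, "ts": "2025-03-02T11:00:00"},
]

if __name__ == "__main__":
    print(find_structuring(SAMPLE_DEPOSITS))
    chain = follow_passthrough(SAMPLE_TRANSFERS, "W-src")
    print(chain, "rapid layering" if is_rapid_layering(chain) else "normal")
```

Both heuristics produce leads, not conclusions: the structuring check deliberately ignores a single large deposit and two deposits weeks apart, and the pass-through walk stops at the first fan-in address, which is where a service's own records (rather than chain data) would have to take over.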
SOURCE LIST
1. Office of the Director of National Intelligence (ODNI): 2025 Annual Threat Assessment of the U.S. Intelligence Community
2. Center for Strategic and International Studies (CSIS): Illicit Innovation: Latin America Is Not Prepared to Fight Criminal Drones (June 2025)
3. Small Wars Journal / Digital Commons @ USF: Modern Urban Siege and Swarming in Culiacán 2019 & 2023
4. U.S. Drug Enforcement Administration (DEA): 2025 National Drug Threat Assessment
5. U.S. Department of the Treasury: Treasury Sanctions “El Chapo's” Children and Los Chapitos, a Fentanyl-Trafficking Faction of the Sinaloa Cartel (June 2025)
6. TRM Labs: Understanding the Use of Cryptocurrencies By Cartels
7. U.S. Department of Justice (DOJ): Sinaloa Cartel Leaders Charged with Narco-Terrorism, Material Support of Terrorism and Drug Trafficking (May 2025)
8. TorchStone Global: Differences Between Executive Protection Professionals and “Bodyguards”