The U.S. Department of the Treasury and related agencies have recently expanded sanctions against Russian cryptocurrency exchange platforms Garantex and its successor Grinex, including freezing over $27 million in assets. These moves stem from allegations that these platforms facilitated massive illicit transactions linked to ransomware gangs and other cybercrime groups, while also allegedly aiding in sanctions evasion.
Garantex, a Moscow-based crypto exchange founded in 2019 and once licensed in Estonia, was initially sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) in April 2022. It was accused of processing more than $100 million in illicit cryptocurrency transactions connected to ransomware attacks and darknet market activities. The platform had ties to notorious cybercriminal operations such as Conti, Black Basta, LockBit, NetWalker, Ryuk, and Phoenix Cryptolocker ransomware gangs, as well as darknet marketplaces like the Hydra market.
In early March 2025, a coordinated multinational law enforcement operation spearheaded by the U.S. Secret Service, in partnership with German and Finnish authorities, seized Garantex’s web domains, confiscated servers, and froze approximately $26 million in cryptocurrency assets. Shortly after, two of Garantex’s top administrators, Aleksandr Mira Serda and Aleksej Besciokov, were charged, with Besciokov arrested in India during his vacation. The Justice Department unsealed indictments revealing the scope of their alleged involvement in laundering ransomware proceeds and other illicit activities.
However, following these enforcement actions, Garantex’s operators reportedly created a successor platform, Grinex, established in December 2024 in Kyrgyzstan. Grinex was promoted on Telegram channels linked to Garantex almost immediately after the March domain seizures, maintaining a similar interface and infrastructure aimed at circumventing sanctions and resuming illicit operations. The Treasury Department stated that Grinex facilitated the transfer of billions of dollars in cryptocurrency transactions, effectively serving as a continuation of Garantex’s business.
Grinex was also linked to the use of the ruble-backed stablecoin token A7A5, issued by the Kyrgyzstan-based firm Old Vector, which enabled users to regain access to frozen assets and helped the illicit platforms bypass sanctions. This token, tied to sanctioned Russian and Moldovan entities, reportedly processed around $1 billion daily, reflecting a sophisticated scheme to evade Western financial restrictions.
The U.S. Treasury re-designated Garantex and sanctioned Grinex along with several key individuals and affiliated companies. Executives targeted include co-founders Sergey Mendeleev, Aleksandr Mira Serda, and Pavel Karavatsky, and the arrested executive Aleksej Besciokov. Additional entities sanctioned include InDeFi Bank, Exved, Old Vector, A7, A71, and A7 Agent, located in Russia and Kyrgyzstan and allegedly involved in supporting these activities.
John K. Hurley, Under Secretary of the Treasury for Terrorism and Financial Intelligence, emphasized the serious threat posed by these platforms: “Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security but also tarnishes the reputations of legitimate virtual asset service providers.” He reaffirmed the U.S. commitment to protecting the integrity of the digital asset industry and combating cybercrime.
Complementing these actions, the U.S. Department of State announced rewards totaling up to $6 million for information leading to the arrest or conviction of Garantex executives, offering $5 million specifically for Aleksandr Mira Serda. This underlines the high priority the U.S. places on dismantling networks that use cryptocurrency for criminal and sanctions-evading activities.
The Treasury and Justice Department furthermore revealed that the disruptions to Garantex did not entirely stop its illicit cryptocurrency operations. According to reports from blockchain intelligence firm TRM Labs, a contingency plan had been in place for months, allowing Garantex’s leadership to pivot quickly by transitioning funds and customers to Grinex. This enabled the continued laundering of ransomware proceeds, transactions with darknet markets, and evasion of sanctions through complex wallet obfuscation tactics.
Between April 2019 and March 2025, Garantex was reported to have processed at least $96 billion in cryptocurrency transactions, highlighting its vast scale and significance in the global crypto ecosystem. The newly sanctioned network played a pivotal role in enabling ransomware operators and criminal actors to move funds across borders, circumventing international financial controls.
The sanctions block all U.S.-related assets of the designated individuals and entities, prohibit U.S. persons from transacting with them, and impose secondary sanctions risks on non-U.S. entities that provide support. The measures are part of broader U.S. efforts to counter ransomware financing and criminal abuse of digital assets by targeting virtual asset service providers that facilitate these illicit flows.
In summary, the recent U.S. sanctions and enforcement actions against Russia-based Garantex and its successor Grinex represent a significant escalation in targeting cryptocurrency platforms linked to cybercrime and sanctions evasion. By freezing over $27 million in assets, sanctioning executives, associated companies, and issuing high-value rewards for information, U.S. authorities aim to dismantle this sophisticated network that has facilitated billions in ransomware laundering and illicit activity. These steps underscore the growing geopolitical and security challenges at the intersection of digital assets and international crime.
AML Editor’s article was originally published in regtechtimes on Augut, 18 2025