Sanctioned and Indicted Operators
The following individuals are named in DOJ indictments and/or OFAC designations connected to this exchange complex. One remains at large.
Aleksandr Mira Serda
aka Aleksandr Ntifo-Siaw (prior name)
Role: Co-founder, Chief Commercial Officer
Age: 40 (at indictment)
Nationality: Russian
Last known location: UAE (at indictment)
Legal status: At large
Reward offer: Up to $5M (State Dept.)
Tags: Indicted, Sanctioned, At large

Aleksej Besciokov
var. Aleksei Beschyokov
Role: Co-founder, Primary Technical Admin
Age: 46 (at indictment)
Nationality: Lithuanian
Last known location: Russia (resident); arrested India
Legal status: Arrested India; extradition pending
Arrested: 12 March 2025, Kerala (Varkala)
Tags: Indicted, Sanctioned, In Custody

Sergey Mendeleev
No confirmed aliases
Role: Co-founder
Nationality: Russian (Single Source)
Last known location: Russia (assessed)
Legal status: No personal indictment / sanctions (as of June 2026)
Risk: Via designated entity
Tags: Not charged
01

Executive Summary and Exchange Overview

Total Processed Volume: $96B+ (April 2019 – March 2025; DOJ / Elliptic)
Post-Sanction Volume: $60B+ (after April 2022 designation; Elliptic lower bound)
Identified Illicit Flows: $100M+ (confirmed illicit; OFAC designation language)
Sanctioned-Entity Share: 82% (global crypto volume to/from sanctioned entities; TRM Labs)
Assets Frozen (Mar 2025): $26M+ (USD frozen by USSS / Tether; $28M USDT frozen separately)
Grinex 2025 Volume: $93.3B (transactions facilitated in 2025; Chainalysis)
Overall Assessment
Garantex was the single largest illicit crypto exchange complex globally by sanctioned-entity volume prior to its March 2025 disruption. Its successor, Grinex, reconstituted operations within days and processed tens of billions in 2025 before being disrupted by an April 2026 hack. The operator network has demonstrated a consistent pattern of rapid rebrand and legal-shell migration. Risk from successor platforms (ABCex/AEXbit, Rapira, TokenSpot) remains active.
Entity (primary): Garantex Europe OU
Successor entity: Grinex
Registration jurisdiction (Garantex): Estonia, reg. no. 14850239 (Tallinn)
Registration jurisdiction (Grinex): Kyrgyzstan (incorporated December 2024)
Infrastructure hosting jurisdiction: Russia (Moscow, Saint Petersburg); EU servers seized March 2025
Operator location (assessed): Russia (primary); UAE (Mira Serda at indictment); Lithuania (Besciokov nationality)
Operational period (Garantex): Late 2019 – March 6, 2025
Operational period (Grinex): March 2025 – April 2026 (suspended)
OFAC designation (Garantex): April 5, 2022 (EO 14024); re-designated August 13–14, 2025 (EO 13694)
OFAC designation (Grinex): August 13–14, 2025 (EO 13694)
EU designation: February 24, 2025, 16th sanctions package; first-ever EU crypto exchange designation
UK designation: Russia (Sanctions) (EU Exit) Regulations 2019, RUS1421
Estonian FIU license: Revoked February 2022
FinCEN registration: Not registered despite U.S. business activity (DOJ)
Primary domains (seized): garantex.io, garantex.org, garantex.academy
State nexus tier: PROBABLE COOPERATION / TOLERATED SAFE HARBOR (hybrid)
Blockchain analytics coverage: Elliptic (provided assistance to USSS); TRM Labs; Chainalysis
02

Lineage and Organizational Heritage

Garantex → Grinex Successor Chain

Key Finding
Grinex was incorporated in Kyrgyzstan in December 2024, approximately three months before the March 6, 2025 law enforcement action. This pre-positioning indicates operators anticipated disruption and prepared the successor entity in advance, not in reaction to it.
Late 2019
Garantex Europe OU founded and registered in Estonia (reg. no. 14850239). Operations center on Moscow Federation Tower and Saint Petersburg offices. [DOJ, OFAC, OpenSanctions]
February 2022
Estonia's Financial Intelligence Unit revokes Garantex Europe OU's VASP license, citing "critical AML/CFT deficiencies" and connections to criminal wallets. [OFAC, Estonia FIU]
April 5, 2022
OFAC designates Garantex Europe OU under EO 14024. Three wallet addresses added to SDN list. Designated in the same action as Hydra Market. [OFAC]
February 24, 2025
EU includes Garantex in its 16th sanctions package, the EU's first-ever designation of a cryptocurrency exchange. Six wallet addresses designated. Linked to Sberbank, Alfa-Bank, and T-Bank (all previously sanctioned). [EU Council, TRM Labs]
March 6, 2025
USSS, FBI, German BKA, Finnish NBI, Europol, Dutch National Police, and Estonian NCP execute coordinated takedown. Three domains seized. Servers in Germany and Finland taken offline. $26M frozen; Tether separately freezes $28M USDT (89 addresses shared on Garantex Telegram). DOJ unseals indictments against Besciokov and Mira Serda. [DOJ, Elliptic, TRM Labs]
March 2025 (immediately following)
Garantex officers activate Grinex (pre-positioned since December 2024 in Kyrgyzstan). Customer funds migrated. A7A5 ruble-backed token deployed for balance recovery. Cross-promotion via existing Garantex Telegram channels. [OFAC, TRM Labs, Chainalysis]
August 13–14, 2025
OFAC re-designates Garantex under EO 13694 (cyber authorities) and designates Grinex as sanctioned successor. Mira Serda, Besciokov, A7, A71, A7 Agent, Old Vector, InDeFi Bank, and Exved all designated in same action. [OFAC, Federal Register]
April 15–16, 2026
Grinex and simultaneously TokenSpot (assessed Garantex front company) hacked for a combined ~$15M. Stolen USDT swapped to TRX via SunSwap (same DEX previously used by Garantex). Grinex blames "special services of unfriendly states." Chainalysis and Elliptic raise exit-scam hypothesis. Grinex suspends operations. [Elliptic, Chainalysis, Reuters, TRM Labs]

Evidentiary Pillars: Garantex/Grinex Continuity

| Pillar | Evidence | Source | Confidence |
|---|---|---|---|
| Personnel continuity | "Grinex … created by Garantex employees"; "Garantex officers created the infrastructure" | OFAC August 2025 | Confirmed |
| Infrastructure continuity | Nearly identical UI; same Telegram channels used for user migration | TRM Labs, Chainalysis | Confirmed |
| Fund continuity | Garantex customer deposits transferred directly to Grinex accounts | OFAC August 2025 | Confirmed |
| On-chain continuity | $2B+ bidirectional exposure between A7, Garantex, Grinex, Kyrgyz entities | Chainalysis 2025 | Confirmed |
| Pre-positioning | Grinex incorporated Kyrgyzstan December 2024, before March 2025 LE action | TRM Labs | Confirmed |
| Hack/exit continuity | SunSwap DEX used in April 2026 hack previously served Garantex for hot wallet liquidity | Chainalysis April 2026 | Credible |

Disputed Assessments

The framing of the April 2026 "hack" as a Western intelligence operation versus an operator exit scam is unresolved. Grinex attributed the incident to foreign state actors; Chainalysis and Elliptic noted that fund-movement patterns (rapid stablecoin-to-TRX swap to avoid freeze) are consistent with insider or self-directed activity. (Analyst Inference) No external technical evidence or attribution has been published by any government. Treat as unresolved pending forensic disclosure.

03

Service Model and Business Operations

Exchange Mechanics

(Confirmed) Garantex operated as a centralized spot crypto-fiat exchange with walk-in cash offices at Moscow's Federation Tower and Saint Petersburg. Customers could "buy and sell virtual currencies using fiat currencies." Primary assets: Bitcoin, Ethereum, and Tether (USDT, predominantly on TRON). No credible evidence of leveraged derivatives or DeFi products. [OFAC 2022, DOJ 2025]

(Confirmed) Grinex replicated the Garantex product set with near-identical UI and continued emphasis on ruble-denominated settlement. OFAC states Grinex "facilitated the transfer of billions of dollars in cryptocurrency transactions" via the A7A5 ruble-backed token. [OFAC August 2025, TRM Labs]

KYC/AML: Stated Policy vs. Observed Behavior

Critical Gap: Stated vs. Observed
No full-text KYC policy or terms of service has been recovered from open sources. The gap between Garantex's written obligations as a licensed Estonian VASP and its documented behavior is the primary analytical finding for this section.
| Dimension | Stated / Written | Observed (LE / Forensics) | Source |
|---|---|---|---|
| AML controls | Estonian VASP license required standard AML program (prior to Feb. 2022 revocation) | "Extremely lax compliance controls"; "willfully disregarding AML/CFT obligations" (OFAC); "critical AML/CFT deficiencies" (Estonia FIU) | OFAC, Estonia FIU |
| Customer identification | KYC required by Estonian law | Operators falsely told Russian LE that a Mira Serda-linked account was unverified, while internally the account was tied to his personal documents | DOJ indictment |
| FinCEN registration | Required for U.S. business activity | Garantex never registered with FinCEN despite doing substantial U.S. business | DOJ 2025 |
| Wallet attribution controls | Not publicly stated | Post-sanction, operators built infrastructure to prevent attribution of wallet addresses back to the exchange; techniques similar to those used by Alphabay darknet market | DOJ indictment, Elliptic |
| Transaction monitoring | Not recovered | Daily wallet rotation to evade exchange-level blocking; no effective transaction monitoring inferred from scale of illicit flows | DOJ indictment |
| Geographic restrictions | Not recovered | No meaningful restrictions; OFAC characterizes Garantex as a hub for Russian sanctions evasion | OFAC |

Fiat Rail Analysis

(Confirmed) Ruble and USD fiat support confirmed via cash offices (Federation Tower, Saint Petersburg). Specific correspondent bank names are not documented in public sources beyond the A7/Promsvyazbank link. [OFAC, DOJ]

(Confirmed) A7 LLC and subsidiaries (A71, A7 Agent) provide cross-border ruble settlement infrastructure linking Garantex/Grinex crypto flows to traditional banking networks. A7 is co-owned by sanctioned Moldovan oligarch Ilan Shor and sanctioned Russian bank Promsvyazbank. [OFAC August 2025, LBK&M]

Granular bank-by-bank fiat rail mapping unavailable in open sources. EU designation references association with Sberbank, Alfa-Bank, and T-Bank but does not specify transaction-level detail.
04

Technical Infrastructure and Platform Footprint

Domains and Hosting

| Domain | Status | Action | Source |
|---|---|---|---|
| garantex.io | Seized | Seized March 6, 2025 by USSS, EDVA seizure warrant | DOJ 2025, OFAC SDN |
| garantex.org | Seized | Seized March 6, 2025 | DOJ 2025, OFAC SDN |
| garantex.academy | Seized | Seized March 6, 2025 (third domain not in OFAC's 2022 SDN listing) | DOJ 2025 |
| grinex.io (inferred) | Active (under sanctions) | No public seizure as of June 2026; suspended after April 2026 hack | Elliptic, Reuters 2026 |
| garantex.biz | Unknown | Cited in secondary reporting; not in official lists (Single Source) | Wikipedia |

Infrastructure Footprint

(Confirmed) Physical offices at Moscow Federation Tower and Saint Petersburg. Servers hosting Garantex operations were seized by German and Finnish law enforcement during the March 2025 action; specific ASNs and hosting providers are not named in public statements. [DOJ, Elliptic]

(Confirmed) Grinex registered in Kyrgyzstan (December 2024) with infrastructure assessed as separate from seized Garantex servers but sharing operational overlap per TRM Labs on-chain analysis. [TRM Labs, OFAC]

Blockchain and Protocol Footprint

(Confirmed) Primary volume in USDT on TRON blockchain (Elliptic analysis shows this as dominant post-sanction channel, comprising the majority of the $60B+ post-sanction figure). BTC and ETH also used. A7A5 token issued on TRON and Ethereum networks. [Elliptic 2025]

(Confirmed) Post-sanction anti-fingerprinting: Garantex rotated operational crypto wallet addresses on a daily basis to evade exchange-level blocking, a technique analogous to that used by Alphabay darknet market. Elliptic developed proprietary techniques to identify these wallets, contributing to USSS investigation. [DOJ indictment, Elliptic]

Telegram and Communications

(Confirmed) Garantex operated official and semi-official Telegram channels used to announce the March 6 temporary suspension and share the 89 Tether-frozen addresses. These same channels were used immediately afterward to promote Grinex and subsequently ABCex and AEXbit. [TRM Labs, Elliptic]

Post-Disruption Resilience Assessment

Reconstitution Pattern
Garantex/Grinex demonstrates the highest documented resilience of any sanctioned crypto exchange complex: pre-positioned successor entity (December 2024), same-day fund migration (March 6, 2025), user migration via existing Telegram channels, A7A5 token as fiat substitute for balance recovery, and a network of third-tier successor exchanges (ABCex/AEXbit, Rapira, TokenSpot) absorbing further displaced volume. Full ecosystem reconstitution, not single-entity reconstitution.

(Credible) Further successors identified by TRM Labs: ABCex and AEXbit assessed as almost certainly the same entity (co-spending analysis); Rapira (Georgia-registered, Moscow office) had $72M+ in direct transactions with Grinex. Five exchanges identified by Elliptic as filling the post-Garantex void: Bitpapa, ABCex, Exmo, Rapira, Aifory Pro. [TRM Labs, Elliptic 2026]

05

Financial Intelligence and On-Chain Analysis

Volume Estimates by Source

Volume Sourcing Note
Three distinct figures are cited in public reporting. They measure different things and must not be averaged or collapsed. Elliptic's post-sanction figure is explicitly a lower bound.
| Figure | Amount | Period / Scope | Source | Methodology note |
|---|---|---|---|---|
| Total Garantex volume | $96B+ | April 2019 – March 2025 (all transactions) | DOJ press release; Elliptic | Total processed volume, not illicit only |
| Post-sanction volume | $60B+ | April 2022 – March 2025 | Elliptic (lower bound) | Addresses identified via proprietary techniques; ongoing identification may raise figure |
| Identified illicit flows | $100M+ | Pre-designation (OFAC 2022 language) | OFAC designation | Confirmed illicit-actor transactions only |
| Sanctioned-entity share | 82% / 70% | All time / post-designation | TRM Labs | Share of global crypto volume to/from sanctioned entities |
| Grinex 2025 volume | $93.3B | Full year 2025 | Chainalysis | Transactions facilitated including A7A5 |
| A7/Garantex/Grinex exposure | $2B+ | Bidirectional | Chainalysis 2025 | Between A7, Garantex, Grinex, and Kyrgyz-registered entities |

Three-Phase On-Chain Flow

Phase 1: Receipt

(Confirmed) Primary inbound actor types per OFAC and forensic vendors:

Phase 2: Layering

(Confirmed) Custodial exchange accounts enabling internal cross-asset conversion. Daily wallet rotation to evade blockchain analytics fingerprinting. [DOJ]

(Confirmed) A7A5 token on TRON and Ethereum used as an additional layering instrument and customer balance restoration mechanism post-March 2025. [TRM Labs, OFAC]

Phase 3: Extraction

(Confirmed) Fiat conversion via cash offices and Russian domestic banking. Off-ramp through high-risk exchanges and OTC brokers. A7/A7A5 infrastructure providing ruble-linked cross-border settlement pathway. [DOJ, OFAC, Elliptic]

(Credible) In the April 2026 Grinex incident, stolen USDT was swapped to TRX via SunSwap (a TRON DEX) in a pattern consistent with a stablecoin-freeze-avoidance technique common among illicit actors. [Chainalysis April 2026]

Designated Wallet Addresses

OFAC April 2022 designation (original 3 addresses):

BTC 3Lpoy53K625zVeE47ZasiG5jGkAxJ27kh1
ETH 0x7FF9cFad3877F21d41Da833E2F775dB0569eE3D9
USDT 3E6ZCKRrsdPc35chA9Eftp1h3DLW18NFNV

Additional addresses (Elliptic / SlowMist via public reporting; Credible):

ETH 0x002471b8A185f9980708d0eAEC5B289714F56f8d
BTC bc1qwtz3zv95x2flu4w26kgfepf529z50r2sqc5zml
BTC 3My1ffQr5qQzmq4aBFgRqwRYqfB5zPAt8t
BSC 0x3051Ca7cB7f6C599fA2f27385AD75010cf0f2bbF
TRX TA1hsikRfsgGiW9nEBpT4tEXEySTNYLr2d
Comprehensive wallet cluster maps are proprietary to Elliptic, TRM Labs, and Chainalysis. Public disclosure covers only a fraction of identified addresses. The full cluster identified by Elliptic during the USSS investigation has not been released.
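
How co-spending analysis, the method cited above for linking ABCex and AEXbit, extends a partial published address list to rotated addresses. This is an added example, not code from this profile or from any vendor named in it; it implements the publicly known common-input-ownership heuristic for UTXO chains, and every address, txid and the CoinJoin threshold are constructed assumptions.

```python
"""Common-input-ownership ("co-spending") clustering on constructed UTXO data."""
from collections import Counter, defaultdict

# Constructed sample data: every address and txid is a placeholder, not a real one.
SEEDS = {"addr_listed"}  # stands in for one address from a published list

TXS = [  # output values are in satoshi
    # The listed address is swept together with the day-1 rotated address.
    {"txid": "tx1", "inputs": ["addr_listed", "addr_day1"],
     "outputs": [("addr_hot", 500_000)]},
    # Day-2 and day-3 rotated addresses are swept together; no listed input.
    {"txid": "tx2", "inputs": ["addr_day2", "addr_day3"],
     "outputs": [("addr_hot", 300_000)]},
    # Day-1 and day-2 are co-spent, which bridges the two groups above.
    {"txid": "tx3", "inputs": ["addr_day1", "addr_day2"],
     "outputs": [("addr_cold", 790_000)]},
    # CoinJoin-shaped: several inputs, equal-value outputs, unrelated owners.
    {"txid": "tx4", "inputs": ["addr_day3", "addr_user_a", "addr_user_b"],
     "outputs": [("addr_o1", 100_000), ("addr_o2", 100_000), ("addr_o3", 100_000)]},
    # Unrelated single-input payment.
    {"txid": "tx5", "inputs": ["addr_user_c"], "outputs": [("addr_shop", 20_000)]},
]


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_parties=3):
    """Assumed heuristic: >= min_parties inputs and as many equal-value outputs."""
    counts = Counter(value for _, value in tx["outputs"])
    largest_equal_set = max(counts.values(), default=0)
    return len(set(tx["inputs"])) >= min_parties and largest_equal_set >= min_parties


def cluster(txs, skip_coinjoin=True):
    """Merge all input addresses of each transaction into one cluster."""
    ds, skipped = DisjointSet(), []
    for tx in txs:
        inputs = list(dict.fromkeys(tx["inputs"]))  # de-duplicate, keep order
        for addr in inputs:
            ds.find(addr)  # register even single-input spenders
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(tx["txid"])  # co-spending here does not imply one owner
            continue
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    groups = defaultdict(set)
    for addr in ds.parent:
        groups[ds.find(addr)].add(addr)
    return list(groups.values()), skipped


def expand_seed_list(seeds, txs, skip_coinjoin=True):
    """Addresses that share a cluster with a seed but are not seeds themselves."""
    clusters, skipped = cluster(txs, skip_coinjoin)
    exposed = set()
    for group in clusters:
        if group & seeds:
            exposed |= group
    return exposed - seeds, skipped


def screen(address, seeds=SEEDS, txs=TXS):
    """Return 'listed', 'clustered' (linked by co-spending) or 'clear'."""
    if address in seeds:
        return "listed"
    exposed, _ = expand_seed_list(seeds, txs)
    return "clustered" if address in exposed else "clear"


if __name__ == "__main__":
    exposed, skipped = expand_seed_list(SEEDS, TXS)
    print("linked to the list by co-spending:", sorted(exposed))
    print("transactions excluded as CoinJoin-shaped:", skipped)
    naive, _ = expand_seed_list(SEEDS, TXS, skip_coinjoin=False)
    print("false positives without the CoinJoin guard:", sorted(naive - exposed))
    for addr in ("addr_listed", "addr_day3", "addr_user_a", "addr_hot"):
        print(addr, "->", screen(addr))
```

Output addresses are deliberately not merged: the heuristic only speaks to inputs, so `addr_hot` screens as clear until it is itself co-spent.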
06

Client Profile and Criminal Use

| Actor type | Specific actors / evidence | Transaction confidence | Facilitation assessment | Source tier |
|---|---|---|---|---|
| Ransomware (Russian-speaking) | Conti, Black Basta, LockBit, NetWalker, Phoenix Cryptolocker, Ryuk ($2.3M+ confirmed for Ryuk). In 2023, Russian-speaking groups accounted for 69% of all ransomware crypto proceeds ($500M+). | CONFIRMED | Structural enablement with elements of active facilitation (post-designation evasion build-out) | OFAC, DOJ, TRM Labs, Elliptic |
| North Korea (Lazarus Group) | $30M+ from Horizon Bridge hack ($100M total) routed to Garantex in February 2023 per Elliptic. DOJ alleges Besciokov personally approved transactions linked to DPRK hackers. | CONFIRMED | Active facilitation (individual approval of DPRK-linked transactions alleged) | Elliptic, DOJ indictment |
| Darknet markets | Hydra (~$2.6M direct; Garantex primary financial enabler pre-2022 takedown). Post-Hydra: Blacksprut, Solaris, Mega, OMG!OMG! (tens of millions per Elliptic). | CONFIRMED | Structural enablement | OFAC, Elliptic |
| Sanctions evaders / Russian elites | Garantex used by Russian oligarchs to move wealth post-February 2022 invasion (Elliptic). Ekaterina Zhdanova (sanctioned Russian money launderer) used Garantex for elites and ransomware flows (TRM Labs). | CONFIRMED | Structural enablement | Elliptic, TRM Labs, OFAC |
| Ukraine war-related procurement | Garantex linked to payments to companies supplying components of weapons used by Russia in Ukraine invasion (NCA Operation Destabilise). | Credible | Structural enablement | UK NCA (Single Source) |
| Broader cybercrime / fraud | Garantex described as central node for generic illicit flows beyond ransomware and DNM; granular attribution less documented in public sources. | Credible | Structural enablement | TRM Labs, Chainalysis |

Geographic Patterns

(Credible) Heavily Russia-centric customer base; CIS users; Middle East and Central Asia for sanctions evasion and OTC flows (assessed from Grinex Kyrgyzstan registration and Mira Serda UAE location). [OFAC, Elliptic, TRM Labs]

07

State Nexus Assessment

Four-Tier Classification: Assessed Tier
PROBABLE COOPERATION / TOLERATED SAFE HARBOR (hybrid)
No single tier fully captures the relationship. The exchange operated openly in Moscow for years without domestic enforcement (consistent with Tolerated Safe Harbor), while its deep integration with state-linked financial infrastructure (Promsvyazbank, A7, Ilan Shor network) and its role in Russia's formal sanctions-evasion ecosystem indicate a degree of state alignment beyond mere tolerance. Direct control by a named Russian state body is not documented.

Evidence Supporting Tolerated Safe Harbor (Minimum)

Evidence Supporting Probable Cooperation (Elevated)

Negative Evidence: Against Direct Control

Jurisdictional Separation (Mandatory)

Registration jurisdiction (Garantex): Estonia (Tallinn). OFAC, UK, EU designated. License revoked Feb. 2022.
Registration jurisdiction (Grinex): Kyrgyzstan (December 2024 incorporation). Old Vector entity.
Infrastructure hosting jurisdiction: Russia (primary, Moscow and St. Petersburg). EU nodes seized March 2025 by German and Finnish police.
Assessed operator location: Principally Russia. Mira Serda: UAE at time of indictment. Besciokov: Lithuania (nationality), Russia (resident), India (arrested). Mendeleev: Russia (assessed).
08

Law Enforcement and Regulatory Response

Criminal Indictments

| Defendant | Charges | Max sentence | Status (June 2026) |
|---|---|---|---|
| Aleksej Besciokov (Lithuanian, age 46) | Conspiracy to commit money laundering; conspiracy to violate IEEPA (sanctions); conspiracy to operate unlicensed MTB | 45 years total (20 + 20 + 5) | Arrested March 12, 2025, Varkala, Kerala, India. Extradition proceedings underway under India's Extradition Act 1962. Not yet extradited as of June 2026. |
| Aleksandr Mira Serda (Russian, age 40; formerly Ntifo-Siaw) | Conspiracy to commit money laundering | 20 years | At large. State Dept. reward: up to $5M (Transnational Organized Crime Rewards Program). |

Case prosecuted by USAO-EDVA (Asst. U.S. Attorney Zoe Bedell) and DOJ Criminal Division CCIPS National Cryptocurrency Enforcement Team (Trial Attorney Tamara Livshiz). Investigating agencies: USSS and FBI. [DOJ March 7, 2025]

Sanctions Chronology

| Date | Authority | Action | Legal basis |
|---|---|---|---|
| April 5, 2022 | OFAC | Garantex Europe OU designated. 3 wallet addresses added to SDN. Designated in same action as Hydra Market. | EO 14024 (Russia-related) |
| Feb. 24, 2025 | EU Council | Garantex in 16th Russia sanctions package. First-ever EU crypto exchange designation. 6 wallet addresses. Linked to Sberbank, Alfa-Bank, T-Bank. | EU Russia sanctions regime |
| March 2025 | UK FCDO | Garantex Europe OU designated. RUS1421: "involved person" operating crypto exchange supporting Ukraine destabilization. | Russia (Sanctions) (EU Exit) Regulations 2019 |
| August 13–14, 2025 | OFAC | Garantex re-designated; Grinex designated as successor; Mira Serda, Besciokov designated as individuals; A7, A71, A7 Agent, Old Vector, InDeFi Bank, Exved designated as network entities. | EO 13694 as amended (cyber) |

Infrastructure Actions

(Confirmed) March 6, 2025: USSS executed seizure order (EDVA, 18 U.S.C. §§ 981 and 982) against three domain names: garantex.org, garantex.io, garantex.academy. German and Finnish LE simultaneously seized servers. Over $26M frozen. Tether separately froze $28M USDT across 89 addresses. [DOJ, Elliptic, TRM Labs]

Post-Disruption Reconstitution Assessment (Mandatory)

Reconstitution Status: Active
Garantex reconstituted as Grinex within days of the March 2025 disruption using infrastructure pre-positioned in December 2024. Grinex itself processed $93.3B in 2025 before its April 2026 suspension. Third-tier successors (ABCex/AEXbit, Rapira, TokenSpot) are actively absorbing displaced volume as of June 2026. The operator network has not been neutralized, only displaced.

(Confirmed) Garantex brand: unlikely to re-emerge under original name given SDN listing in three major jurisdictions and destroyed domain infrastructure. [OFAC, DOJ]

(Credible) Grinex brand: suspended April 2026 following hack. Exit-scam hypothesis not ruled out. If operator network is intact, a successor to Grinex is probable based on demonstrated behavior pattern. [Chainalysis, Elliptic April 2026]

09

Connected Entities and Ecosystem Relationships

Two-tier model applied to all entries. Tier 1 (transaction confidence): how confident are we that funds transited this exchange from/to the entity? Tier 2 (facilitation assessment): characterization of the exchange's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and must not be collapsed.

| Entity | Relationship type | Tier 1: Transaction confidence | Tier 2: Facilitation assessment | Corroborating vendors | Notes |
|---|---|---|---|---|---|
| Hydra Market | Darknet market; primary financial enabler | CONFIRMED. ~$2.6M direct flows; 86% of Russian DNM illicit BTC to exchanges flowed through Hydra/Garantex nexus. OFAC joint designation. | Structural enablement. Lax AML/KYC predictably enabled large-scale Hydra vendor use. | OFAC, Elliptic, TRM Labs | Hydra also sanctioned April 5, 2022 in same action. |
| Conti / Black Basta / LockBit / NetWalker / Phoenix / Ryuk | Ransomware groups; direct deposit of proceeds | CONFIRMED. Direct wallet-level attribution in OFAC designation and Elliptic/TRM on-chain reporting. Ryuk: $2.3M+ confirmed. | Structural enablement / Active facilitation. Post-sanction evasion infrastructure built specifically to continue serving these actors despite OFAC designation. | OFAC, Elliptic, TRM Labs | All groups have strong Russia ties. Besciokov alleged to have personally approved some transactions. |
| Lazarus Group (DPRK) | State-sponsored hacker; funds laundering | CONFIRMED. $30M+ from Horizon Bridge hack ($100M total) traced to Garantex Feb. 2023 by Elliptic. | Active facilitation. DOJ alleges Besciokov personally approved transactions linked to DPRK hackers. | Elliptic; DOJ indictment | Corroborating: Elliptic. No disagreeing vendor. TRM Labs has not published entity-specific Lazarus/Garantex detail. |
| Blacksprut, Solaris, Mega, OMG!OMG! | Post-Hydra Russian darknet markets | CONFIRMED. Tens of millions in transactions documented by Elliptic. | Structural enablement | Elliptic 2025 | TRM Labs has not published specific figures for these markets. Single Source for market-level breakdown. |
| A7 / A71 / A7 Agent (Russia) | Cross-border settlement partners; owners of A7A5 ecosystem | CONFIRMED. OFAC explicitly describes coordination; $2B+ bidirectional exposure (Chainalysis). Co-owned by Ilan Shor and Promsvyazbank. | Active facilitation. Direct coordination between A7 and Garantex operators to build a shared sanctions-evasion rail. | OFAC, Chainalysis, LBK&M | All three A7 entities designated August 2025. |
| Old Vector (Kyrgyzstan) | A7A5 token issuer; Grinex hosting entity | CONFIRMED. OFAC identifies Old Vector as the A7A5 token issuer working with Garantex. Designated August 2025. | Active facilitation. Created specifically to operationalize the A7A5 token as a sanctions-evasion instrument. | OFAC August 2025 | |
| Grinex | Successor exchange; created by Garantex employees | CONFIRMED. OFAC explicit: "created by Garantex employees." Customer funds transferred directly. $93.3B processed in 2025. | Active facilitation. Grinex IS Garantex operationally; the designation of Grinex reflects this continuity. | OFAC, TRM Labs, Chainalysis, Elliptic | Multiple corroborating vendors. No disagreeing vendor on successor status. |
| TokenSpot (Kyrgyzstan) | Assessed Garantex front company; co-hacked April 2026 | CREDIBLE. TRM Labs on-chain analysis identifies co-spending patterns consistent with common control. Simultaneously hacked April 2026. | Active facilitation (assessed). If TRM front-company assessment is correct, TokenSpot is an operational arm, not a separate entity. | TRM Labs 2026 | Single Source for front-company assessment. Chainalysis and Elliptic have not published entity-specific TokenSpot analysis. |
| ABCex / AEXbit | Third-tier successor platforms with Garantex-pattern UIs | CREDIBLE. TRM Labs: address co-spending analysis indicates ABCex and AEXbit almost certainly same entity. ABCex processed at least $11B. | Structural enablement. Replicating Garantex's KYC-deficient model; not confirmed as operator-controlled successor. | TRM Labs 2025–2026 | Elliptic names ABCex in post-Garantex void report. No Chainalysis entity-specific disclosure. Operator link is single-source (TRM). |
| Rapira (Georgia-registered) | High-risk exchange with direct Grinex transactions | CREDIBLE. $72M+ in direct transactions with Grinex documented by TRM Labs. Moscow office. | Structural enablement | TRM Labs, Elliptic | Both TRM and Elliptic name Rapira. Corroborated by two vendors. |
| Bitpapa / Aifory Pro / Exmo | Russian-market exchanges absorbing post-Garantex volume | CREDIBLE. Named by Elliptic in five-exchange post-Garantex void analysis. Bitpapa previously sanctioned by OFAC (March 2024). | Structural enablement | Elliptic 2026 | TRM Labs does not publish a matching grouped analysis. Single Source for grouped attribution. |
| Promsvyazbank (Russia) | State-linked bank; co-owner of A7 entities | CREDIBLE. OFAC identifies Promsvyazbank as co-owner of A7 ecosystem used by Garantex. Bank-to-exchange direct flows not separately quantified in public sources. | Active facilitation (via A7 co-ownership) | OFAC August 2025 | Promsvyazbank separately designated. Connection runs through A7 co-ownership, not direct Garantex transaction. |
10

Trajectory Assessment

Market Position and Volume Trends

(Confirmed) Pre-disruption: Garantex accounted for 82% of global crypto volume to/from sanctioned entities, the single largest illicit exchange complex globally. Despite the April 2022 OFAC designation and Estonia license revocation, volume grew rather than contracted, with Elliptic's post-sanction lower bound reaching $60B. [TRM Labs, Elliptic]

(Confirmed) Grinex 2025: Processed $93.3B in 2025, demonstrating that the March 2025 disruption produced no sustained volume reduction; it produced a brand migration. [Chainalysis]

(Credible) Post-Grinex (April 2026 onward): volume distributing across ABCex/AEXbit, Rapira, Bitpapa, Aifory Pro, and other grey-zone exchanges. No single successor has demonstrated Garantex-scale consolidation as of June 2026. [Elliptic, TRM Labs]

Disruption Impact

Structural Assessment
The March 2025 LE action was the most significant single enforcement action against a crypto exchange since BTC-e (2017). It removed the dominant infrastructure node for Russia-linked illicit finance. However, because operators pre-positioned Grinex, migrated funds within 24 hours, and maintained the A7A5 ecosystem, net disruption to criminal throughput was temporary. The April 2026 Grinex suspension, whether hack or exit scam, represents a second disruption event, but the operator network appears intact and will likely reconstitute again under a new brand.

Reconstitution Status

Garantex brand: Not reconstituted. Domain infrastructure destroyed; multi-jurisdictional SDN listing. (Confirmed)

Grinex brand: Suspended as of April 2026. Sanctions active. No public announcement of a third brand as of June 2026. (Credible)

Operator network: Partially intact. Mira Serda at large; Besciokov in custody pending extradition; Mendeleev status unknown. A7 ecosystem designated but not dismantled operationally. (Credible)

Intelligence Gaps

Full KYC policy text, user agreements, and UI flows for Garantex/Grinex not recovered from open sources.
Granular fiat rail mapping: only A7/Promsvyazbank connection explicitly documented. Correspondent banking detail unknown.
Complete wallet cluster maps are proprietary to blockchain analytics vendors; public disclosures represent a fraction of identified addresses.
State nexus: No explicit FSB/GRU/Rosfinmonitoring direction documented. Probable cooperation assessment based on circumstantial alignment, not direct evidence.
Besciokov extradition outcome: Pending as of June 2026. No public ruling on extradition from India to U.S.
Post-April 2026 operator behavior: Whether a third brand is being prepared, and the role of the TokenSpot operators in reconstitution, is not yet documented in open sources.
Grinex hack attribution: Western intelligence versus exit scam versus third-party criminal; unresolved. No technical evidence published as of June 2026.

Recent Reporting

[April 2026] Grinex and TokenSpot simultaneously hacked for ~$15M combined. Grinex blames Western intelligence. Chainalysis raises exit-scam hypothesis. Grinex suspends operations. [Elliptic, Chainalysis, Reuters, TRM Labs]

[August 2025] OFAC re-designates Garantex under cyber authorities and designates Grinex plus eight additional network entities. State Dept. announces $5M reward for Mira Serda. [OFAC, State Dept.]

[June 2025 onward] Elliptic publishes report identifying five exchanges absorbing post-Garantex illicit volume: Bitpapa, ABCex, Exmo, Rapira, Aifory Pro, all offering ruble-to-crypto with weak or no KYC. [Elliptic 2026]

[March 2025] TRM Labs identifies ABCex and AEXbit as almost certainly the same entity via co-spending analysis; documents $11B+ in ABCex processing. [TRM Labs]

Sources

  1. U.S. Treasury: Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion, August 2025
  2. OFAC: Russia-related Designation / Cyber-related Designation, April 5, 2022
  3. U.S. Treasury: Sanctions Russia-Based Hydra and GARANTEX, April 5, 2022
  4. LBK&M: OFAC Sanctions Cryptocurrency Exchange and Network (Garantex/Grinex/A7)
  5. FSRC: Treasury Sanctions, August 14, 2025
  6. CyberScoop: U.S. widens sanctions on Russian crypto exchange (Grinex)
  7. ICIJ: EU sanctions Russian crypto exchange Garantex, March 2025
  8. OpenSanctions: GARANTEX EUROPE OU entity record
  9. OFAC SDN: Garantex Europe OU, sanctions list search
  10. JD Supra: OFAC Focuses on Cybercrime by Sanctioning Hydra and GARANTEX
  11. Global Sanctions: New U.S. Russia and Cyber Designations, April 2022
  12. DOJ: Garantex Cryptocurrency Exchange Disrupted in International Operation, March 7, 2025
  13. TRM Labs: The Imitation Game: High-Risk Exchanges Copying Garantex's Playbook
  14. Federal Register: Notice of OFAC Sanctions Action, August 18, 2025
  15. Elliptic: Sanctioned Russia-linked crypto exchange Grinex halts operations, April 2026
  16. Reuters: Russia-linked Grinex suspends operations after cyber attack, April 16, 2026
  17. UK Sanctions List: GARANTEX EUROPE OU (RUS1421)
  18. TRM Labs: The Takedown of Garantex: A Notorious Crypto Exchange's Role in Illicit Finance
  19. State Dept.: U.S. Targets Cryptocurrency Exchange, Offering Rewards Up to $6M, August 2025
  20. Wikipedia: Garantex
  21. Elliptic: Uncloaking Garantex for law enforcement and sanctions compliance, March 2025
  22. Chainalysis: Sanctioned Russia-Linked Exchange Grinex Suspends Operations, April 2026
  23. TRM Labs: Sanctioned Russian Exchange Grinex and TokenSpot Hit in USD 15M Theft
  24. TRM Labs: 2026 Crypto Crime Report
  25. TechCrunch: Garantex administrator arrested in India, March 12, 2025
  26. Krebs on Security: Alleged Co-Founder of Garantex Arrested in India
  27. The Block: Five crypto exchanges helping Russia evade sanctions, filling Garantex's void (Elliptic)
  28. TRM Labs: EU Includes Crypto Exchange Garantex in 16th Sanctions Package

Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors are not averaged. Two-tier connected entity model applied throughout Section 09.