The Garantex Crypto Laundering Network
How a sanctioned Russian crypto exchange allegedly reconstituted itself through a successor platform and a ruble-backed token after a 2025 law-enforcement disruption — and how an analyst can trace the structure from open sources.
A network that outlived its own seizure
Crypto exchanges are durable infrastructure for sanctions evasion precisely because the people and code can migrate faster than enforcement. The reporting around Garantex is a clean case study in that durability: an exchange disrupted by law enforcement that allegedly carried its customers, balances, and operators into a successor platform within weeks.
This brief synthesises public reporting from blockchain-analytics firms and investigative outlets. Every entity, figure, and date below is reported, not independently confirmed by us — primary designation records (OFAC) were not reachable from our research environment, and per our forensic rule a blocked fetch is not verification. Use this as a sourced starting map, not a settled record.
As of date: figures and structure here reflect reporting through mid-2026 and decay quickly. Re-confirm any specific entity against the live designation list before relying on it.
The reconstitution, as reported
OFAC re-designated Garantex on 14 August 2025, with reporting tying the exchange to processing of illicit transactions linked to ransomware and cybercrime REPORTED.
SOURCE: U.S. Treasury press release sb0225; TRM Labs — not primary-verified here
The same action is reported to have designated Garantex's successor exchange, Grinex, alongside individuals and associated companies in Russia and the Kyrgyz Republic REPORTED.
SOURCE: U.S. Treasury sb0225; CyberScoop — not primary-verified here
Following a 6 March 2025 law-enforcement action, Garantex operators are reported to have moved customer deposits to Grinex, which promotional materials describe as a response to the sanctions and freezes affecting Garantex REPORTED.
SOURCE: U.S. Treasury sb0225; Chainalysis — not primary-verified here
Recovery of frozen balances is reported to have been routed through the A7A5 ruble-backed token, attributed to Kyrgyzstani firm Old Vector REPORTED.
SOURCE: U.S. Treasury sb0225; TRM Labs — not primary-verified here
Garantex is reported to have processed over $100 million in transactions linked to illicit activity since 2019 REPORTED. Treat dollar tallies as reported, not audited.
SOURCE: U.S. Treasury sb0225; The Hacker News — not primary-verified here
Grinex is reported to have suspended operations in 2026 following a claimed cyberattack, which the platform blamed on foreign intelligence services REPORTED.
SOURCE: Chainalysis; Elliptic — not primary-verified here
How to trace a successor-exchange pattern
The Garantex-to-successor shape recurs. The method below is reusable on any exchange that claims to have “closed” under pressure.
| Signal | Where to look | What it tells you |
|---|---|---|
| Balance migration | On-chain flows from the old hot wallets | Whether funds moved to a new cluster after the disruption |
| Shared operators | Designation lists, corporate registries (incl. Kyrgyz Republic) | Personnel overlap between the two platforms |
| New incorporation timing | Company registry of the successor's jurisdiction | Whether the successor predates the seizure (pre-positioning) |
| Bridging token | Token contract + issuer registration | The instrument used to make frozen users whole |
| Marketing continuity | Public promotional material, mirror domains | Explicit framing as a successor |
Method note: on-chain flows can be confirmed independently with blockchain analytics; corporate and personnel links usually cannot be confirmed from open sources alone and should stay tagged reported until a primary record is checked.
Common questions
Is Grinex the same company as Garantex?
Reporting describes Grinex as a successor that received Garantex customer balances and is framed as a response to the action against Garantex. Whether it is legally the same entity is a separate question; we record the relationship as reported, not as a confirmed identity.
What is the A7A5 token's role?
It is reported as a ruble-backed token used to let affected users recover balances after the disruption, attributed to a Kyrgyzstani issuer. As with every figure here, treat that as sourced reporting pending primary confirmation.
How can I verify these claims myself?
Cross-check the designation against the issuing authority's own list, confirm on-chain balance migration with a blockchain-analytics tool, and pull the successor's incorporation record from its jurisdiction's registry. A blocked or failed fetch is never treated as confirmation.