Executive Summary and Exchange Overview
| Field | Value |
|---|---|
| Entity (primary) | Garantex Europe OU |
| Successor entity | Grinex |
| Registration jurisdiction (Garantex) | Estonia, Reg. no. 14850239 (Tallinn) |
| Registration jurisdiction (Grinex) | Kyrgyzstan (incorporated December 2024) |
| Infrastructure hosting jurisdiction | Russia (Moscow, Saint Petersburg); EU servers seized March 2025 |
| Operator location (assessed) | Russia (primary); UAE (Mira Serda at indictment); Lithuania (Besciokov nationality) |
| Operational period (Garantex) | Late 2019 – March 6, 2025 |
| Operational period (Grinex) | March 2025 – April 2026 (suspended) |
| OFAC designation (Garantex) | April 5, 2022 (EO 14024); re-designated August 13–14, 2025 (EO 13694) |
| OFAC designation (Grinex) | August 13–14, 2025 (EO 13694) |
| EU designation | February 24, 2025: 16th sanctions package; first-ever EU crypto exchange designation |
| UK designation | Russia (Sanctions) (EU Exit) Regulations 2019: RUS1421 |
| Estonian FIU license | Revoked February 2022 |
| FinCEN registration | Not registered despite U.S. business activity (DOJ) |
| Primary domains (seized) | garantex.io, garantex.org, garantex.academy |
| State nexus tier | PROBABLE COOPERATION / TOLERATED SAFE HARBOR (hybrid) |
| Blockchain analytics coverage | Elliptic (provided assistance to USSS); TRM Labs; Chainalysis |
Lineage and Organizational Heritage
Garantex → Grinex Successor Chain
Evidentiary Pillars: Garantex/Grinex Continuity
| Pillar | Evidence | Source | Confidence |
|---|---|---|---|
| Personnel continuity | "Grinex … created by Garantex employees"; "Garantex officers created the infrastructure" | OFAC August 2025 | Confirmed |
| Infrastructure continuity | Nearly identical UI; same Telegram channels used for user migration | TRM Labs, Chainalysis | Confirmed |
| Fund continuity | Garantex customer deposits transferred directly to Grinex accounts | OFAC August 2025 | Confirmed |
| On-chain continuity | $2B+ bidirectional exposure between A7, Garantex, Grinex, Kyrgyz entities | Chainalysis 2025 | Confirmed |
| Pre-positioning | Grinex incorporated in Kyrgyzstan in December 2024, before the March 2025 LE action | TRM Labs | Confirmed |
| Hack/exit continuity | SunSwap DEX used in April 2026 hack previously served Garantex for hot wallet liquidity | Chainalysis April 2026 | Credible |
Disputed Assessments
The framing of the April 2026 "hack" as a Western intelligence operation versus an operator exit scam is unresolved. Grinex attributed the incident to foreign state actors; Chainalysis and Elliptic noted that fund-movement patterns (rapid stablecoin-to-TRX swap to avoid freeze) are consistent with insider or self-directed activity. Analyst Inference: No external technical evidence or attribution has been published by any government. Treat as unresolved pending forensic disclosure.
Service Model and Business Operations
Exchange Mechanics
Confirmed Garantex operated as a centralized spot crypto-fiat exchange with walk-in cash offices at Moscow's Federation Tower and Saint Petersburg. Customers could "buy and sell virtual currencies using fiat currencies." Primary assets: Bitcoin, Ethereum, and Tether (USDT, predominantly on TRON). No credible evidence of leveraged derivatives or DeFi products. [OFAC 2022, DOJ 2025]
Confirmed Grinex replicated the Garantex product set with near-identical UI and continued emphasis on ruble-denominated settlement. OFAC states Grinex "facilitated the transfer of billions of dollars in cryptocurrency transactions" via the A7A5 ruble-backed token. [OFAC August 2025, TRM Labs]
KYC/AML: Stated Policy vs. Observed Behavior
| Dimension | Stated / Written | Observed (LE / Forensics) | Source |
|---|---|---|---|
| AML controls | Estonian VASP license required standard AML program (prior to Feb. 2022 revocation) | "Extremely lax compliance controls"; "willfully disregarding AML/CFT obligations" (OFAC); "critical AML/CFT deficiencies" (Estonia FIU) | OFAC, Estonia FIU |
| Customer identification | KYC required by Estonian law | Operators falsely told Russian LE that a Mira Serda-linked account was unverified, while internally the account was tied to his personal documents | DOJ indictment |
| FinCEN registration | Required for U.S. business activity | Garantex never registered with FinCEN despite doing substantial U.S. business | DOJ 2025 |
| Wallet attribution controls | Not publicly stated | Post-sanction, operators built infrastructure to prevent attribution of wallet addresses back to the exchange, using techniques similar to those used by Alphabay darknet market | DOJ indictment, Elliptic |
| Transaction monitoring | Not recovered | Daily wallet rotation to evade exchange-level blocking; no effective transaction monitoring inferred from scale of illicit flows | DOJ indictment |
| Geographic restrictions | Not recovered | No meaningful restrictions; OFAC characterizes Garantex as a hub for Russian sanctions evasion | OFAC |
Fiat Rail Analysis
Confirmed Ruble and USD fiat support confirmed via cash offices (Federation Tower, Saint Petersburg). Specific correspondent bank names are not documented in public sources beyond the A7/Promsvyazbank link. [OFAC, DOJ]
Confirmed A7 LLC and subsidiaries (A71, A7 Agent) provide cross-border ruble settlement infrastructure linking Garantex/Grinex crypto flows to traditional banking networks. A7 is co-owned by sanctioned Moldovan oligarch Ilan Shor and sanctioned Russian bank Promsvyazbank. [OFAC August 2025, LBK&M]
Technical Infrastructure and Platform Footprint
Domains and Hosting
| Domain | Status | Action | Source |
|---|---|---|---|
| garantex.io | Seized | Seized March 6, 2025 by USSS, EDVA seizure warrant | DOJ 2025, OFAC SDN |
| garantex.org | Seized | Seized March 6, 2025 | DOJ 2025, OFAC SDN |
| garantex.academy | Seized | Seized March 6, 2025 (third domain not in OFAC's 2022 SDN listing) | DOJ 2025 |
| grinex.io (inferred) | Active (under sanctions) | No public seizure as of June 2026; suspended after April 2026 hack | Elliptic, Reuters 2026 |
| garantex.biz | Unknown | Cited in secondary reporting; not in official lists (Single Source) | Wikipedia |
Infrastructure Footprint
Confirmed Physical offices at Moscow Federation Tower and Saint Petersburg. Servers hosting Garantex operations were seized by German and Finnish law enforcement during the March 2025 action; specific ASNs and hosting providers are not named in public statements. [DOJ, Elliptic]
Confirmed Grinex registered in Kyrgyzstan (December 2024) with infrastructure assessed as separate from seized Garantex servers but sharing operational overlap per TRM Labs on-chain analysis. [TRM Labs, OFAC]
Blockchain and Protocol Footprint
Confirmed Primary volume in USDT on TRON blockchain (Elliptic analysis shows this as dominant post-sanction channel, comprising the majority of the $60B+ post-sanction figure). BTC and ETH also used. A7A5 token issued on TRON and Ethereum networks. [Elliptic 2025]
Confirmed Post-sanction anti-fingerprinting: Garantex rotated operational crypto wallet addresses on a daily basis to evade exchange-level blocking, a technique analogous to that used by Alphabay darknet market. Elliptic developed proprietary techniques to identify these wallets, contributing to USSS investigation. [DOJ indictment, Elliptic]
Telegram and Communications
Confirmed Garantex operated official and semi-official Telegram channels used to announce the March 6 temporary suspension and share the 89 Tether-frozen addresses. These same channels were used immediately afterward to promote Grinex and subsequently ABCex and AEXbit. [TRM Labs, Elliptic]
Post-Disruption Resilience Assessment
Credible Further successors identified by TRM Labs: ABCex and AEXbit assessed as almost certainly the same entity (co-spending analysis); Rapira (Georgia-registered, Moscow office) had $72M+ in direct transactions with Grinex. Five exchanges identified by Elliptic as filling the post-Garantex void: Bitpapa, ABCex, Exmo, Rapira, Aifory Pro. [TRM Labs, Elliptic 2026]
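The co-spending analysis cited above, sketched as an added example (not part of the original profile, and not TRM Labs' or Elliptic's actual methods, which are proprietary): it applies the common-input-ownership heuristic used on UTXO chains such as Bitcoin to link daily-rotated wallets and to surface a cluster that carries two brand labels. All addresses, transactions, labels and the CoinJoin filter threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample, not real chain data: (txid, input addresses, output values).
# "a_dayN" / "b_dayN" stand for daily-rotated wallets of two hypothetical brands.
SAMPLE_TXS = [
    ("tx01", ["a_day1", "a_day2"], [5.0]),        # sweep links two rotated wallets
    ("tx02", ["a_day2", "a_day3"], [3.2, 0.1]),
    ("tx03", ["b_day1", "b_day2"], [7.5]),
    ("tx04", ["a_day3", "b_day1"], [1.0, 0.4]),   # cross-brand co-spend
    ("tx05", ["user_1"], [0.2, 0.05]),            # single input: nothing to link
    ("tx06", ["user_2", "user_3"], [0.9]),
    # CoinJoin-like: many parties, equal outputs. Merging it would be a false link.
    ("tx07", ["mix_1", "mix_2", "mix_3", "a_day1"], [0.1, 0.1, 0.1, 0.1]),
]
# Constructed seed labels, e.g. one observed deposit address per brand.
SEED_LABELS = {"a_day1": "BrandA", "b_day2": "BrandB"}


def looks_like_coinjoin(inputs, outputs, min_equal=3):
    """Crude filter (assumption): several equal-valued outputs and at least
    as many distinct inputs suggests multiple independent signers."""
    if not outputs:
        return False
    top = Counter(outputs).most_common(1)[0][1]
    return top >= min_equal and len(set(inputs)) >= top


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_cospend(txs):
    """Merge addresses that sign inputs of the same transaction.
    Returns (list of address sets, txids skipped as CoinJoin-like)."""
    ds, skipped = DisjointSet(), []
    for txid, inputs, outputs in txs:
        uniq = sorted(set(inputs))
        for addr in uniq:
            ds.find(addr)                 # register even if never merged
        if looks_like_coinjoin(uniq, outputs):
            skipped.append(txid)
            continue
        for other in uniq[1:]:
            ds.union(uniq[0], other)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return list(groups.values()), skipped


def multi_brand_clusters(clusters, labels):
    """Clusters containing seed labels of more than one brand: the signal
    that two public brands share wallet control."""
    hits = []
    for members in clusters:
        brands = {labels[a] for a in members if a in labels}
        if len(brands) > 1:
            hits.append((sorted(brands), sorted(members)))
    return hits


if __name__ == "__main__":
    clusters, skipped = cluster_by_cospend(SAMPLE_TXS)
    print("skipped:", skipped)
    for brands, members in multi_brand_clusters(clusters, SEED_LABELS):
        print(brands, "->", members)
```

The heuristic does not carry over to account-model chains such as TRON, where a transfer has a single sender; it covers only the UTXO-chain portion of the activity.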
Financial Intelligence and On-Chain Analysis
Volume Estimates by Source
| Figure | Amount | Period / Scope | Source | Methodology note |
|---|---|---|---|---|
| Total Garantex volume | $96B+ | April 2019 – March 2025 (all transactions) | DOJ press release; Elliptic | Total processed volume, not illicit only |
| Post-sanction volume | $60B+ | April 2022 – March 2025 | Elliptic (lower bound) | Addresses identified via proprietary techniques; ongoing identification may raise figure |
| Identified illicit flows | $100M+ | Pre-designation (OFAC 2022 language) | OFAC designation | Confirmed illicit-actor transactions only |
| Sanctioned-entity share | 82% / 70% | All time / post-designation | TRM Labs | Share of global crypto volume to/from sanctioned entities |
| Grinex 2025 volume | $93.3B | Full year 2025 | Chainalysis | Transactions facilitated including A7A5 |
| A7/Garantex/Grinex exposure | $2B+ | Bidirectional | Chainalysis 2025 | Between A7, Garantex, Grinex, and Kyrgyz-registered entities |
Three-Phase On-Chain Flow
Phase 1: Receipt
Confirmed Primary inbound actor types per OFAC and forensic vendors:
- Ransomware groups: Conti, Black Basta, LockBit, NetWalker, Phoenix Cryptolocker, Ryuk (Ryuk laundered $2.3M+ specifically per TRM Labs)
- North Korea: Lazarus Group, $30M+ from the $100M Horizon Bridge hack laundered through Garantex (February 2023) per Elliptic
- Darknet markets: Hydra (~$2.6M direct, Garantex was primary Hydra financial enabler pre-takedown); post-Hydra: Blacksprut, Solaris, Mega, OMG!OMG! (Elliptic)
- Sanctioned Russian entities and oligarchs: Garantex used for sanctions evasion by Russian elites post-February 2022 invasion (Elliptic)
Phase 2: Layering
Confirmed Custodial exchange accounts enabling internal cross-asset conversion. Daily wallet rotation to evade blockchain analytics fingerprinting. [DOJ]
Confirmed A7A5 token on TRON and Ethereum used as an additional layering instrument and customer balance restoration mechanism post-March 2025. [TRM Labs, OFAC]
Phase 3: Extraction
Confirmed Fiat conversion via cash offices and Russian domestic banking. Off-ramp through high-risk exchanges and OTC brokers. A7/A7A5 infrastructure providing ruble-linked cross-border settlement pathway. [DOJ, OFAC, Elliptic]
Credible In the April 2026 Grinex incident, stolen USDT was swapped to TRX via SunSwap (a TRON DEX) in a pattern consistent with a stablecoin-freeze-avoidance technique common among illicit actors. [Chainalysis April 2026]
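A detection rule for the freeze-avoidance pattern described above, as an added example rather than Chainalysis' methodology: it flags addresses that swap most of a freshly received issuer-freezable stablecoin into a non-freezable asset within a short window. The event schema, thresholds, addresses and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

FREEZABLE = {"USDT"}  # tokens an issuer can freeze (assumption for this sketch)

# Constructed events, not real chain data; addresses and times are placeholders.
EVENTS = [
    {"ts": "2030-01-01T02:00:00", "kind": "transfer", "token": "USDT",
     "dst": "addr_A", "amount": 1_000_000},
    {"ts": "2030-01-01T02:04:00", "kind": "swap", "addr": "addr_A",
     "sold": "USDT", "bought": "TRX", "amount": 990_000},   # near-total exit in 4 min
    {"ts": "2030-01-01T09:00:00", "kind": "transfer", "token": "USDT",
     "dst": "addr_B", "amount": 5_000},
    {"ts": "2030-01-01T09:10:00", "kind": "swap", "addr": "addr_B",
     "sold": "USDT", "bought": "TRX", "amount": 500},       # small top-up for fees
    {"ts": "2030-01-01T10:00:00", "kind": "transfer", "token": "USDT",
     "dst": "addr_C", "amount": 200_000},
    {"ts": "2030-01-04T10:00:00", "kind": "swap", "addr": "addr_C",
     "sold": "USDT", "bought": "TRX", "amount": 200_000},   # full exit, 3 days later
    {"ts": "2030-01-02T01:00:00", "kind": "transfer", "token": "USDT",
     "dst": "addr_D", "amount": 300_000},
    {"ts": "2030-01-02T01:03:00", "kind": "transfer", "token": "USDT",
     "dst": "addr_D", "amount": 300_000},
    {"ts": "2030-01-02T01:09:00", "kind": "swap", "addr": "addr_D",
     "sold": "USDT", "bought": "TRX", "amount": 600_000},   # two receipts, one exit
]


def flag_rapid_exits(events, window=timedelta(minutes=30),
                     min_ratio=0.8, min_amount=10_000):
    """Return one finding per swap that converts at least `min_ratio` of the
    freezable tokens an address received during the preceding `window`."""
    inbound = {}   # addr -> [(time, amount)] of freezable-token receipts
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "transfer" and ev["token"] in FREEZABLE:
            inbound.setdefault(ev["dst"], []).append((ts, ev["amount"]))
        elif (ev["kind"] == "swap" and ev["sold"] in FREEZABLE
              and ev["bought"] not in FREEZABLE):
            recent = [(t, a) for t, a in inbound.get(ev["addr"], [])
                      if ts - window <= t <= ts]
            received = sum(a for _, a in recent)
            if received < min_amount:      # ignore dust and fee top-ups
                continue
            ratio = ev["amount"] / received
            if ratio >= min_ratio:
                first_receipt = recent[0][0]
                findings.append({
                    "addr": ev["addr"],
                    "received": received,
                    "swapped": ev["amount"],
                    "ratio": round(ratio, 2),
                    "minutes_to_exit":
                        int((ts - first_receipt).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in flag_rapid_exits(EVENTS):
        print(finding)
```

A hit is a triage signal for an analyst or a freeze-request workflow, not attribution: market makers and arbitrage bots also convert stablecoin inflows quickly.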
Designated Wallet Addresses
OFAC April 2022 designation (original 3 addresses):
Additional addresses (Elliptic / SlowMist via public reporting): Credible
Client Profile and Criminal Use
| Actor type | Specific actors / evidence | Transaction confidence | Facilitation assessment | Source tier |
|---|---|---|---|---|
| Ransomware : Russian-speaking | Conti, Black Basta, LockBit, NetWalker, Phoenix Cryptolocker, Ryuk ($2.3M+ confirmed for Ryuk). In 2023, Russian-speaking groups accounted for 69% of all ransomware crypto proceeds ($500M+). | CONFIRMED | Structural enablement with elements of active facilitation (post-designation evasion build-out) | OFAC, DOJ, TRM Labs, Elliptic |
| North Korea : Lazarus Group | $30M+ from Horizon Bridge hack ($100M total) routed to Garantex in February 2023 per Elliptic. DOJ alleges Besciokov personally approved transactions linked to DPRK hackers. | CONFIRMED | Active facilitation (individual approval of DPRK-linked transactions alleged) | Elliptic, DOJ indictment |
| Darknet markets | Hydra (~$2.6M direct; Garantex primary financial enabler pre-2022 takedown). Post-Hydra: Blacksprut, Solaris, Mega, OMG!OMG! (tens of millions per Elliptic). | CONFIRMED | Structural enablement | OFAC, Elliptic |
| Sanctions evaders / Russian elites | Garantex used by Russian oligarchs to move wealth post-February 2022 invasion (Elliptic). Ekaterina Zhdanova (sanctioned Russian money launderer) used Garantex for elites and ransomware flows (TRM Labs). | CONFIRMED | Structural enablement | Elliptic, TRM Labs, OFAC |
| Ukraine war-related procurement | Garantex linked to payments to companies supplying components of weapons used by Russia in Ukraine invasion (NCA Operation Destabilise). | Credible | Structural enablement | UK NCA (Single Source) |
| Broader cybercrime / fraud | Garantex described as central node for generic illicit flows beyond ransomware and DNM; granular attribution less documented in public sources. | Credible | Structural enablement | TRM Labs, Chainalysis |
Geographic Patterns
Heavily Russia-centric customer base; CIS users; Middle East and Central Asia for sanctions evasion and OTC flows (assessed from Grinex Kyrgyzstan registration and Mira Serda UAE location). Credible [OFAC, Elliptic, TRM Labs]
State Nexus Assessment
No single tier fully captures the relationship. The exchange operated openly in Moscow for years without domestic enforcement (consistent with Tolerated Safe Harbor), while its deep integration with state-linked financial infrastructure (Promsvyazbank, A7, Ilan Shor network) and its role in Russia's formal sanctions-evasion ecosystem indicates a degree of state alignment beyond mere tolerance. Direct control by a named Russian state body is not documented.
Evidence Supporting Tolerated Safe Harbor (Minimum)
- Garantex operated openly at Moscow Federation Tower alongside other subsequently sanctioned exchanges (SUEX, Chatex) with no Russian domestic enforcement. Confirmed
- Russia has a documented pattern of tolerating cybercriminal infrastructure useful for external operations. [OFAC, TRM Labs]
- All enforcement actions against Garantex have been external (U.S., EU, UK, Finland, Germany). Confirmed
Evidence Supporting Probable Cooperation (Elevated)
- Integration with Promsvyazbank (sanctioned Russian state-linked bank) via the A7 ecosystem indicates structural alignment with Russian state financial interests. Confirmed [OFAC August 2025]
- Coordinated build-out of A7/A7A5 with the network of Ilan Shor, a known Kremlin-linked figure, to create a state-useful cross-border ruble evasion rail. Confirmed [OFAC, LBK&M]
- Garantex operators provided selective, false information to Russian law enforcement requests (protecting Mira Serda's account while disclosing others). This implies a negotiated, cooperative relationship with Russian LE rather than full arms-length status. Credible [DOJ indictment]
- Garantex linked to payments to weapons-component suppliers in the Ukraine war context. Credible
Negative Evidence: Against Direct Control
- No open-source document names FSB, GRU, Rosfinmonitoring, or any Russian state body as direct operator or co-owner of Garantex/Grinex. Confirmed
- Russia has not formally nationalized or officially endorsed either platform.
- Operators are private individuals (Besciokov, Mira Serda, Mendeleev), not identified government officials.
Jurisdictional Separation (Mandatory)
| Dimension | Assessment |
|---|---|
| Registration jurisdiction (Garantex) | Estonia (Tallinn). OFAC, UK, EU designated. License revoked Feb. 2022. |
| Registration jurisdiction (Grinex) | Kyrgyzstan (December 2024 incorporation). Old Vector entity. |
| Infrastructure hosting jurisdiction | Russia (primary, Moscow and St. Petersburg). EU nodes seized March 2025 by German and Finnish police. |
| Assessed operator location | Principally Russia. Mira Serda: UAE at time of indictment. Besciokov: Lithuania (nationality), Russia (resident), India (arrested). Mendeleev: Russia (assessed). |
Law Enforcement and Regulatory Response
Criminal Indictments
| Defendant | Charges | Max sentence | Status (June 2026) |
|---|---|---|---|
| Aleksej Besciokov (Lithuanian, age 46) | Conspiracy to commit money laundering; conspiracy to violate IEEPA (sanctions); conspiracy to operate unlicensed MTB | 45 years total (20 + 20 + 5) | Arrested March 12, 2025, Varkala, Kerala, India. Extradition proceedings underway under India's Extradition Act 1962. Not yet extradited as of June 2026. |
| Aleksandr Mira Serda (Russian, age 40; formerly Ntifo-Siaw) | Conspiracy to commit money laundering | 20 years | At large. State Dept. reward: up to $5M (Transnational Organized Crime Rewards Program). |
Case prosecuted by USAO-EDVA (Asst. U.S. Attorney Zoe Bedell) and DOJ Criminal Division CCIPS National Cryptocurrency Enforcement Team (Trial Attorney Tamara Livshiz). Investigating agencies: USSS and FBI. [DOJ March 7, 2025]
Sanctions Chronology
| Date | Authority | Action | Legal basis |
|---|---|---|---|
| April 5, 2022 | OFAC | Garantex Europe OU designated. 3 wallet addresses added to SDN. Designated in same action as Hydra Market. | EO 14024 (Russia-related) |
| Feb. 24, 2025 | EU Council | Garantex in 16th Russia sanctions package. First-ever EU crypto exchange designation. 6 wallet addresses. Linked to Sberbank, Alfa-Bank, T-Bank. | EU Russia sanctions regime |
| March 2025 | UK FCDO | Garantex Europe OU designated. RUS1421: "involved person" operating crypto exchange supporting Ukraine destabilization. | Russia (Sanctions) (EU Exit) Regulations 2019 |
| August 13–14, 2025 | OFAC | Garantex re-designated; Grinex designated as successor; Mira Serda, Besciokov designated as individuals; A7, A71, A7 Agent, Old Vector, InDeFi Bank, Exved designated as network entities. | EO 13694 as amended (cyber) |
Infrastructure Actions
Confirmed March 6, 2025: USSS executed seizure order (EDVA, 18 U.S.C. §§ 981 and 982) against three domain names: garantex.org, garantex.io, garantex.academy. German and Finnish LE simultaneously seized servers. Over $26M frozen. Tether separately froze $28M USDT across 89 addresses. [DOJ, Elliptic, TRM Labs]
Post-Disruption Reconstitution Assessment (Mandatory)
Confirmed Garantex brand: unlikely to re-emerge under original name given SDN listing in three major jurisdictions and destroyed domain infrastructure. [OFAC, DOJ]
Credible Grinex brand: suspended April 2026 following hack. Exit-scam hypothesis not ruled out. If operator network is intact, a successor to Grinex is probable based on demonstrated behavior pattern. [Chainalysis, Elliptic April 2026]
Connected Entities and Ecosystem Relationships
Two-tier model applied to all entries. Tier 1, transaction confidence: how confident are we that funds transited this exchange from/to the entity? Tier 2, facilitation assessment: characterization of the exchange's role (Active facilitation / Structural enablement / Incidental processing). These are independent assessments and must not be collapsed.
| Entity | Relationship type | Tier 1: Transaction confidence | Tier 2: Facilitation assessment | Corroborating vendors | Notes |
|---|---|---|---|---|---|
| Hydra Market | Darknet market: primary financial enabler | CONFIRMED: ~$2.6M direct flows; 86% of Russian DNM illicit BTC to exchanges flowed through Hydra/Garantex nexus. OFAC joint designation. | Structural enablement: Lax AML/KYC predictably enabled large-scale Hydra vendor use. | OFAC, Elliptic, TRM Labs | Hydra also sanctioned April 5, 2022 in same action. |
| Conti / Black Basta / LockBit / NetWalker / Phoenix / Ryuk | Ransomware groups: direct deposit of proceeds | CONFIRMED: Direct wallet-level attribution in OFAC designation and Elliptic/TRM on-chain reporting. Ryuk: $2.3M+ confirmed. | Structural enablement / Active facilitation: Post-sanction evasion infrastructure built specifically to continue serving these actors despite OFAC designation. | OFAC, Elliptic, TRM Labs | All groups have strong Russia ties. Besciokov alleged to have personally approved some transactions. |
| Lazarus Group (DPRK) | State-sponsored hacker: funds laundering | CONFIRMED: $30M+ from Horizon Bridge hack ($100M total) traced to Garantex Feb. 2023 by Elliptic. | Active facilitation: DOJ alleges Besciokov personally approved transactions linked to DPRK hackers. | Elliptic; DOJ indictment | Corroborating: Elliptic. No disagreeing vendor. TRM Labs has not published entity-specific Lazarus/Garantex detail. |
| Blacksprut, Solaris, Mega, OMG!OMG! | Post-Hydra Russian darknet markets | CONFIRMED: Tens of millions in transactions documented by Elliptic. | Structural enablement | Elliptic 2025 | TRM Labs has not published specific figures for these markets. Single Source for market-level breakdown. |
| A7 / A71 / A7 Agent (Russia) | Cross-border settlement partners; owners of A7A5 ecosystem | CONFIRMED: OFAC explicitly describes coordination; $2B+ bidirectional exposure (Chainalysis). Co-owned by Ilan Shor and Promsvyazbank. | Active facilitation: Direct coordination between A7 and Garantex operators to build a shared sanctions-evasion rail. | OFAC, Chainalysis, LBK&M | All three A7 entities designated August 2025. |
| Old Vector (Kyrgyzstan) | A7A5 token issuer; Grinex hosting entity | CONFIRMED: OFAC identifies Old Vector as the A7A5 token issuer working with Garantex. Designated August 2025. | Active facilitation: Created specifically to operationalize the A7A5 token as a sanctions-evasion instrument. | OFAC August 2025 | |
| Grinex | Successor exchange: created by Garantex employees | CONFIRMED: OFAC explicit: "created by Garantex employees." Customer funds transferred directly. $93.3B processed in 2025. | Active facilitation: Grinex IS Garantex operationally; the designation of Grinex reflects this continuity. | OFAC, TRM Labs, Chainalysis, Elliptic | Multiple corroborating vendors. No disagreeing vendor on successor status. |
| TokenSpot (Kyrgyzstan) | Assessed Garantex front company; co-hacked April 2026 | CREDIBLE: TRM Labs on-chain analysis identifies co-spending patterns consistent with common control. Simultaneously hacked April 2026. | Active facilitation (assessed): If TRM front-company assessment is correct, TokenSpot is an operational arm, not a separate entity. | TRM Labs 2026 | Single Source for front-company assessment. Chainalysis and Elliptic have not published entity-specific TokenSpot analysis. |
| ABCex / AEXbit | Third-tier successor platforms with Garantex-pattern UIs | CREDIBLE: TRM Labs: address co-spending analysis indicates ABCex and AEXbit almost certainly same entity. ABCex processed at least $11B. | Structural enablement: Replicating Garantex's KYC-deficient model; not confirmed as operator-controlled successor. | TRM Labs 2025–2026 | Elliptic names ABCex in post-Garantex void report. No Chainalysis entity-specific disclosure. Operator link is single-source (TRM). |
| Rapira (Georgia-registered) | High-risk exchange with direct Grinex transactions | CREDIBLE: $72M+ in direct transactions with Grinex documented by TRM Labs. Moscow office. | Structural enablement | TRM Labs, Elliptic | Both TRM and Elliptic name Rapira. Corroborated by two vendors. |
| Bitpapa / Aifory Pro / Exmo | Russian-market exchanges absorbing post-Garantex volume | CREDIBLE: Named by Elliptic in five-exchange post-Garantex void analysis. Bitpapa previously sanctioned by OFAC (March 2024). | Structural enablement | Elliptic 2026 | TRM Labs does not publish a matching grouped analysis. Single Source for grouped attribution. |
| Promsvyazbank (Russia) | State-linked bank; co-owner of A7 entities | CREDIBLE: OFAC identifies Promsvyazbank as co-owner of A7 ecosystem used by Garantex. Bank-to-exchange direct flows not separately quantified in public sources. | Active facilitation (via A7 co-ownership) | OFAC August 2025 | Promsvyazbank separately designated. Connection runs through A7 co-ownership, not direct Garantex transaction. |
Trajectory Assessment
Market Position and Volume Trends
Confirmed Pre-disruption: Garantex accounted for 82% of global crypto volume to/from sanctioned entities, making it the single largest illicit exchange complex globally. Despite the April 2022 OFAC designation and Estonia license revocation, volume grew rather than contracted, with Elliptic's post-sanction lower bound reaching $60B. [TRM Labs, Elliptic]
Confirmed Grinex 2025: Processed $93.3B in 2025, demonstrating that the March 2025 disruption produced no sustained volume reduction; it produced a brand migration. [Chainalysis]
Credible Post-Grinex (April 2026 onward): volume distributing across ABCex/AEXbit, Rapira, Bitpapa, Aifory Pro, and other grey-zone exchanges. No single successor has demonstrated Garantex-scale consolidation as of June 2026. [Elliptic, TRM Labs]
Disruption Impact
Reconstitution Status
Garantex brand: Not reconstituted. Domain infrastructure destroyed; multi-jurisdictional SDN listing. Confirmed
Grinex brand: Suspended as of April 2026. Sanctions active. No public announcement of a third brand as of June 2026. Credible
Operator network: Partially intact. Mira Serda at large; Besciokov in custody pending extradition; Mendeleev status unknown. A7 ecosystem designated but not dismantled operationally. Credible
Intelligence Gaps
Recent Reporting
[April 2026] Grinex and TokenSpot simultaneously hacked for ~$15M combined. Grinex blames Western intelligence. Chainalysis raises exit-scam hypothesis. Grinex suspends operations. [Elliptic, Chainalysis, Reuters, TRM Labs]
[August 2025] OFAC re-designates Garantex under cyber authorities and designates Grinex plus eight additional network entities. State Dept. announces $5M reward for Mira Serda. [OFAC, State Dept.]
[June 2025 onward] Elliptic publishes report identifying five exchanges absorbing post-Garantex illicit volume: Bitpapa, ABCex, Exmo, Rapira, Aifory Pro, all offering ruble-to-crypto with weak or no KYC. [Elliptic 2026]
[March 2025] TRM Labs identifies ABCex and AEXbit as almost certainly the same entity via co-spending analysis; documents $11B+ in ABCex processing. [TRM Labs]
Sources
- U.S. Treasury: Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion : August 2025
- OFAC: Russia-related Designation / Cyber-related Designation : April 5, 2022
- U.S. Treasury: Sanctions Russia-Based Hydra and GARANTEX : April 5, 2022
- LBK&M: OFAC Sanctions Cryptocurrency Exchange and Network (Garantex/Grinex/A7)
- FSRC: Treasury Sanctions : August 14, 2025
- CyberScoop: U.S. widens sanctions on Russian crypto exchange (Grinex)
- ICIJ: EU sanctions Russian crypto exchange Garantex : March 2025
- OpenSanctions: GARANTEX EUROPE OU entity record
- OFAC SDN: Garantex Europe OU : sanctions list search
- JD Supra: OFAC Focuses on Cybercrime by Sanctioning Hydra and GARANTEX
- Global Sanctions: New U.S. Russia and Cyber Designations : April 2022
- DOJ: Garantex Cryptocurrency Exchange Disrupted in International Operation : March 7, 2025
- TRM Labs: The Imitation Game : High-Risk Exchanges Copying Garantex's Playbook
- Federal Register: Notice of OFAC Sanctions Action : August 18, 2025
- Elliptic: Sanctioned Russia-linked crypto exchange Grinex halts operations : April 2026
- Reuters: Russia-linked Grinex suspends operations after cyber attack : April 16, 2026
- UK Sanctions List: GARANTEX EUROPE OU : RUS1421
- TRM Labs: The Takedown of Garantex : A Notorious Crypto Exchange's Role in Illicit Finance
- State Dept.: U.S. Targets Cryptocurrency Exchange, Offering Rewards Up to $6M : August 2025
- Wikipedia: Garantex
- Elliptic: Uncloaking Garantex for law enforcement and sanctions compliance : March 2025
- Chainalysis: Sanctioned Russia-Linked Exchange Grinex Suspends Operations : April 2026
- TRM Labs: Sanctioned Russian Exchange Grinex and TokenSpot Hit in USD 15M Theft
- TRM Labs: 2026 Crypto Crime Report
- TechCrunch: Garantex administrator arrested in India : March 12, 2025
- Krebs on Security: Alleged Co-Founder of Garantex Arrested in India
- The Block: Five crypto exchanges helping Russia evade sanctions, filling Garantex's void (Elliptic)
- TRM Labs: EU Includes Crypto Exchange Garantex in 16th Sanctions Package
Profile produced using open-source intelligence. Confidence labels applied per schema: CONFIRMED (multiple independent sources), CREDIBLE (single strong source or multiple weaker sources), ANALYST INFERENCE (logical extrapolation from confirmed facts). All volume figures cited with source and methodology; figures from different vendors are not averaged. Two-tier connected entity model applied throughout Section 09.