The U.S. Treasury Department’s Foreign Assets Office (OFAC) updated sanctions on Thursday against Russian cryptocurrency exchange platform Garantex to promote ransomware actors and other cybercriminals by processing more than $100 million transactions linked to illegal activities since 2019.
The Treasury said it was also imposing sanctions on Grinex, the successor to Garantex, and three executives of Garantex, as well as six affiliates in Russia and the Kyrgyz Republic.
Sergey Mendeleev (co-founder) Aleksandr Mira Serda (co-founder) Pavel Karavatsky (co-founder) Independent, decentralized finance Smartbank and Ecosystem (Indefi Bank) Exved Old Vector A7 LLC A71 LLC A7 Agent LLC
“Digital assets play a key role in global innovation and economic development, and the United States will not tolerate abuse in this industry to help avoid cybercrime and sanctions,” said John K. Hurley, secretary of terrorism and financial information.
“Washing funds and using cryptocurrency exchanges to promote ransomware attacks not only threaten our national security, but also undermine the reputation of legitimate virtual asset service providers.”
Garantex was first approved by the US in April 2022 to promote transactions from illegal actors such as Darknet Markets and Hydra and Conti. The Cryptocurrency Exchange website was seized in March 2025 as part of a coordinated law enforcement operation, and its co-founder, Aleksej Besciokov, was arrested in India.
Just a few months later, TRM Labs revealed that Garantex may have been rebranded as Grinex to avoid sanctions, with the former continuing to process more than $100 million in transactions since sanctions were imposed. 82% of the total amount was related to authorized entities around the world.
“A few days after Garantex’s takedown, the Telegram channels affiliated with Exchange began promoting Grinex, a platform with almost identical interfaces registered with Kyrgyzstan in December 2024,” TRM Labs said in May.
The US Treasury Department said criminal users used Garantex to wash off fraudulent funds and processed funds from funds related to variants of Conti, Black Basta, Lockbit, Netwalker and Phoenix Cryptolocker ransomware. Garantex also said it moved its infrastructure and customer deposits to Grinex shortly after the enforcement action in March.
Additionally, Garantex is said to have worked with affected customers to regain access to its accounts using Ruble-backed Stablecoin called the A7A5 token issued by the Kyrgyzstani company called Old Vector. The token is created by A7 LLC.
According to an Elliptic report, the A7A5 is used to transfer more than $1 billion per day, bringing the total amount of the A7A5 to $41.2 billion. Overall, it is estimated that Grinex has facilitated billions of dollars in cryptocurrency transactions within the next few operational months.
“Garantex also offers accounts and exchange services to actors associated with the Ryuk Ransomware gang,” the agency said. “Protracted money launderer Ekaterina Zhdanova has exchanged over $2 million in Bitcoin (USDT) via Garantex.”
Garantex’s outgoing funds will be from September 2024 to May 2025
Zhdanova was previously approved by the US in November 2023 to wash the cryptocurrency of the country’s elite and cybercriminal crews, including Ryuk.
“Senior Garantex executives support their ability to enable the avoidance of cybercrime and sanctions by procuring Garantex’s computer infrastructure, registering trademarks, and engaging in business development efforts to make activities look legal,” the Ministry of Finance added. “Garantex’s network of partner companies was also able to move money, including illegal funds outside of Russia.”
The US State Department has announced $5 million in compensation for information that led to SERDA’s arrest and $1 million in information about other major Garantex leaders. It is worth noting that the A7 was approved by the UK and the European Union last month in May 2025.
“The multinational takedown in March 2025 did not halt these activities,” TRM Labs said. “Instead, Garantex’s leadership quickly energized a contingency plan that appears to have been in place for several months.”
“The integration of the A7A5 into Grinex represents only the latest chapter in Garantex’s long-standing role in illegal finance. Before and after its designation by the US Treasury, Garantex served as a key conduit for ransomware landers, darknet market trading, sanctions avoidance, and funding movements through the high-risk Russian financial network.
A new wave of sanctions comes when the U.S. Department of Justice (DOJ) approves six unsealed warrants in cryptocurrency seizures of more than $2.8 million, $70,000 in cash and luxury cars.
According to the DOJ, the cryptocurrency was seized from a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, accused of using Zeppelin ransomware in the US, targeting individuals, businesses and organizations around the world.
“Cryptocurrency and other assets are revenues of ransomware activities (or were involved in the washing of revenue),” according to the DOJ.
“These assets were washed in a variety of ways, including using a cryptocurrency mixing service chip mixer that was removed in the adjusted international business in 2023. Antropenco washed the cryptocurrency by exchanging cryptocurrency for cash and depositing it into a structured cash deposit.”
In related developments, more than $300 million, including over $300 million in cryptocurrency assets (aka pig slaughter) fraud linked to cybercrime and fraud schemes, have been frozen as part of an ongoing effort to identify and disrupt criminal networks.
Source link
