The United States Department of the Treasury delivered a decisive blow against cryptocurrency-facilitated cybercrime on August 14, 2025, when its Office of Foreign Assets Control (OFAC) re-designated the Russian cryptocurrency exchange Garantex and sanctioned its successor platform Grinex. The coordinated action, involving the Secret Service, FBI, and international law enforcement partners, targets an exchange network responsible for processing over $100 million in transactions linked to ransomware operations, darknet markets, and sanctions evasion since 2019.
The Threat Landscape
The Garantex-Grinex network represents one of the most persistent threats in the cryptocurrency security ecosystem. Originally registered in Estonia in late 2019, Garantex operated primarily from Moscow and Saint Petersburg, building a user base of hundreds of thousands while systematically providing financial services to cybercriminals. Estonia’s Financial Intelligence Unit revoked Garantex’s digital asset license in February 2022 after discovering critical anti-money laundering deficiencies and connections to wallets used for criminal activity.
OFAC first designated Garantex in April 2022 under Executive Order 14024 for operating in Russia’s financial services sector. The March 2025 seizure of Garantex’s web domain by the U.S. Secret Service, in partnership with German and Finnish law enforcement, froze over $26 million in cryptocurrency controlled by the exchange. But rather than shutting down, Garantex migrated its entire customer base and remaining funds to Grinex, a platform specifically created to circumvent the sanctions and continue operations.
On August 14, with Bitcoin trading near $118,359 and the crypto market cap exceeding $3.5 trillion, OFAC escalated its response by designating both Garantex and Grinex under cyber authorities, while simultaneously targeting three Garantex executives and six associated companies across Russia and the Kyrgyz Republic.
Core Principles
Understanding how sanctions-evasion exchanges operate requires examining three core principles of their business model. First, these platforms exploit the pseudonymous nature of blockchain transactions to provide a haven for illicit funds. Most funds sent to Garantex originated from other cryptocurrency exchanges known for criminal conduct, creating a self-reinforcing ecosystem of money laundering.
Second, the rapid rebranding from Garantex to Grinex demonstrates the agility of illicit crypto operations. Within days of the March 2025 domain seizure, the exchange had migrated users and infrastructure to a new entity with fresh branding. This whack-a-mole dynamic challenges traditional enforcement approaches.
Third, the network’s resilience depends on jurisdictional arbitrage. By operating across Russia, Estonia, and the Kyrgyz Republic, Garantex exploited gaps in international regulatory coordination to maintain operations despite being designated by the U.S. government.
Tooling and Setup
The enforcement action against Garantex and Grinex showcases the increasingly sophisticated tooling available to both sides of this conflict. On the government side, blockchain analytics firms like TRM Labs have developed the capability to trace transactions across multiple chains and protocols, identifying patterns that connect seemingly unrelated wallets to sanctioned entities.
The U.S. Secret Service’s Cyber Investigative Section employed cross-border coordination with German and Finnish law enforcement to execute the March 2025 domain seizure. The Department of Justice unsealed indictments against Garantex executives Aleksandr Mira Serda and Aleksej Besciokov, with Besciokov subsequently arrested in India.
For the exchanges, the tooling involves rapid infrastructure migration, the use of privacy-focused blockchain protocols, and exploitation of decentralized exchanges for fund conversion. The Grinex launch demonstrated pre-planned contingency infrastructure ready to deploy at a moment’s notice.
Ongoing Vigilance
The Department of State has announced rewards of up to $5 million for information leading to the arrest of Mira Serda and up to $1 million for other key Garantex leaders, signaling that this enforcement action is far from over. The message from Under Secretary John K. Hurley was unequivocal: “Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion.”
This action builds on a series of OFAC designations targeting cryptocurrency exchanges used for illicit purposes, including Cryptex (September 2024), SUEX (September 2021), Chatex, Bitpapa, NetEx24, and AWEX. Each designation provides new intelligence about the networks connecting cybercriminals to their financial infrastructure.
Final Takeaway
The Garantex-Grinex sanctions action demonstrates that while illicit cryptocurrency operations continue to evolve, so too does the enforcement response. For compliance officers and security professionals, the key lesson is the importance of continuous screening against updated sanctions lists and the need to monitor for rebranding and migration patterns. The crypto industry’s legitimacy depends on its ability to exclude bad actors, and enforcement actions like this one set the standard for what responsible platforms must detect and prevent.
Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult qualified professionals for compliance matters.
100M in ransomware and darknet flows and it took 6 years to actually sanction them. meanwhile they freeze tornado cash users in 48 hours
chainfreeze_ the speed difference is telling. tornado cash got destroyed because it was an easy target. russian exchanges have actual state backing
estonia revoking the license in 2022 and it still operating freely until 2025. classic whack-a-mole. you sanction one exchange, three pop up
Garantex lost its Estonia license in 2022 and just kept operating from Moscow. rebranding to Grinex was the most obvious shell game ever and it still took 3 years
BTC at $118K with a $3.5T market cap and sanctioned exchanges still processing billions. the parallel financial system is fully operational
3 Garantex executives personally sanctioned plus 6 shell companies across Russia and Kyrgyzstan. going after individuals is more effective than sanctioning the entity
This crackdown on Grinex and Garantex was honestly overdue given the volume of illicit flows they were processing. It’s a tough reminder that while decentralization is the goal, centralized gateways still carry massive regulatory risk. We need more focus on compliant privacy solutions if we want the industry to survive this kind of scrutiny.
Satoshi_Seeker88 Garantex rebranding to Grinex after the domain seizure shows how resilient these operations are. OFAC designation is a speed bump not a roadblock for state backed exchanges
chain_tracer_ OFAC designation being a speed bump is right. Grinex processed $93B after the original Garantex sanctions. individual targeting is the only play
$100M through one exchange network since 2019 and it took 6 years to sanction the successor. OFAC moves at the speed of government
Always the same story with these exchanges getting hit by OFAC. 100 million sounds like a lot, but it’s probably just a drop in the bucket compared to what’s actually moving through the shadow economy. I bet they’ll just rebrand and be back up under a different name by next month. Stay safe out there folks.
Wow, this is a crazy read! It’s good to see the Treasury finally taking action against the bad actors that give the whole space a bad reputation. The more we clear out these crime networks, the faster we get to actual mainstream adoption. Decentralized finance shouldn’t be a playground for money launderers.