Escalating Sanctions on Garantex and Grinex Redefine Cryptocurrency Crime Enforcement

The intensifying sanctions against cryptocurrency exchanges Garantex and Grinex have emerged as a pivotal case in the evolution of financial crime enforcement in the digital asset era. These coordinated measures reveal how sanctions authorities, law enforcement agencies, and international partners are now deploying targeted strategies to dismantle cybercriminal networks that exploit virtual asset service providers for money laundering and sanctions evasion. At the same time, the crackdown reflects the broader struggle to preserve trust in legitimate cryptocurrency markets while shuttering exchanges that knowingly operate as conduits for illicit activity.

Garantex, which first launched operations in late 2019, quickly established itself as a platform servicing a predominantly Russian client base, with its activity centered in Moscow and Saint Petersburg. Although initially registered in Estonia, the exchange became notorious within investigative circles as a primary hub for laundering criminal proceeds, including ransomware payouts, darknet market sales, and other illicit cyber-derived revenue. Investigations ultimately traced more than $100 million in transactions on Garantex to known cybercriminal actors. Among those, significant flows were linked to ransomware groups such as Conti, Black Basta, LockBit, NetWalker, and Phoenix Cryptolocker. Reports further indicate that individuals tied to the Ryuk ransomware operation also made use of Garantex accounts and exchange services.

Regulatory authorities in Estonia revoked the company’s license to operate as a virtual asset service provider in early 2022 after uncovering glaring anti-money laundering and counter-terrorist financing deficiencies. These included lax customer due diligence practices, poor transaction monitoring, and servicing of wallets already identified as criminally tainted. Nevertheless, even after losing its Estonian registration, Garantex continued to operate openly in Russia, adopting increasingly evasive methods to stay under the radar.

In response, the United States imposed sanctions against Garantex under cyber-related executive authorities, designating the exchange for materially supporting malicious cyber-enabled activity that threatens U.S. national security. The sanctions froze any assets under U.S. jurisdiction, cut off access to the global financial system, and barred U.S. persons from engaging in transactions with the entity or its affiliates. This mirrored earlier actions against other high-risk exchanges that had emerged as payment channels for cybercriminal operations.

Instead of halting business after the sanctions took effect in March 2025, Garantex executives sought to bypass restrictions by establishing a new entity, Grinex. This successor exchange was designed as a workaround to regulatory action and asset seizures, providing a mechanism for existing Garantex clients to regain access to their funds and continue transacting. Funds were shifted to Grinex both through direct transfers and via the use of a ruble-backed token called A7A5, issued by Kyrgyzstani firm Old Vector. The token was a central part of a sanctions-evasion system built in cooperation with sanctioned entities in Russia and Moldova. It was specifically deployed to facilitate cross-border settlements and re-credit customers whose accounts were disrupted during enforcement actions.

By creating Grinex, Garantex managed to preserve its core network of clients, transaction activity, and infrastructure, while obscuring ownership and operational control. This maneuver underscores the agility of illicit virtual asset service providers, which routinely rely on successor companies and rebranding tactics to survive regulatory shutdowns. The strategy also demonstrates why sanctions authorities must target not only primary entities but also successor platforms, affiliated businesses, and the technologies that support evasion.

The network sustaining Garantex and Grinex extended beyond the exchanges themselves. Senior executives were instrumental in securing infrastructure, producing promotional campaigns, and ensuring integration with platforms that enabled sanctions evasion. Entities such as Independent Decentralized Finance Smartbank (InDeFi Bank) and the payment processor Exved, both co-founded by a Garantex executive, were implicated in facilitating crypto-based trade outside regulated financial channels. These services allegedly supported fund transfers between Russia and international partners while deliberately circumventing traditional banking restrictions and sanctions compliance checks. Ownership records tied to these companies revealed connections with sanctioned financial institutions and politically exposed figures. Faced with this interlocking structure, authorities expanded sanctions to cover the auxiliary companies and enablers, cutting off the peripheral systems that had allowed Garantex and Grinex to persist.

The sanctions campaign carries significant implications for compliance officers, regulators, and financial institutions worldwide. Above all, it highlights the speed with which illicit actors adapt by spinning up successor entities or shifting to alternative platforms. Compliance programs must therefore go beyond basic checks and continually monitor beneficial ownership changes, transaction patterns, and broader network relationships. The Garantex case also underlines the critical importance of international collaboration. The response involved coordination across U.S., European, and Asian agencies, combining domain seizures, asset freezes, and arrests. Without such cross-border cooperation, Grinex’s emergence could have remained undetected long enough to gain market foothold.

The use of the A7A5 token further illustrates how digital assets can be engineered for sanctions evasion. While fiat-backed tokens and stablecoins have legitimate applications, those issued from sanctioned jurisdictions or through compromised networks pose new regulatory blind spots. Authorities may need to create novel frameworks to assess and mitigate the risks posed by tokens specifically structured for illicit settlements.

For anti-money laundering professionals, the case reinforces the importance of conducting in-depth due diligence on virtual asset service providers. An exchange that has lost its license in one jurisdiction but continues operating in another should be considered high-risk until its compliance capabilities can be credibly verified. Leadership integrity, operational jurisdiction, and the robustness of AML and counter-terrorist financing controls must be scrutinized beyond surface-level registrations.

Ultimately, the sanctions against Garantex and Grinex mark more than a single enforcement action — they form part of a broader strategy to target cryptocurrency exchanges that serve as critical nodes in the global illicit finance ecosystem. By freezing assets, seizing infrastructure, and designating both original and successor entities, authorities are sending a clear signal that sanctions evasion via rebranding or relocation will fail. Cybercriminal networks thrive on anonymity, speed, and international reach, but the ability of regulators and investigators to disrupt them increasingly depends on rapid intelligence sharing, advanced blockchain analytics, and robust sanctions enforcement.

The lesson from Garantex and Grinex is unmistakable: sanctions remain a powerful tool when applied strategically and in cooperation across borders. At the same time, enforcement actions protect the integrity of the global financial system while leaving space for legitimate innovation in digital assets to continue. These cases demonstrate that high-risk exchanges and their enablers can be exposed and dismantled, no matter how quickly they adapt.

By fLEXI tEAM