Garantex Reborn: U.S. Targets Russia’s Ransomware Laundromat and Its Grinex Successor
Category: Cyber-Financial Sanctions / Cryptocurrency Exchange Facilitation of Ransomware
Features: Designation renewal under U.S. sanctions, sanctions evasion via shell exchanges and stablecoins, direct laundering for ransomware groups, cross-border operational migration
Delivery Method: Laundering via centralized cryptocurrency exchange, ruble-to-crypto cash offices, token-based reimbursement scheme (A7A5)
Threat Actor: Garantex / Grinex leadership network — including co-founders, co-owners, and shell company operators in Russia and Kyrgyz Republic
Incident Overview
The U.S. Department of the Treasury has renewed and expanded sanctions against Russian cryptocurrency exchange Garantex, targeting its successor Grinex, three executives, six associated companies, and a Kyrgyzstani token issuer linked to a sanctions-evasion reimbursement scheme.
U.S. officials accuse Garantex of laundering more than $100 million in illicit proceeds since 2019, including ransomware payments from groups like Conti, Black Basta, Ryuk, LockBit, NetWalker, and Phoenix Cryptolocker. Despite initial sanctions in 2022, the platform continued operating through evasive redesigns, shifting infrastructure to new entities, and leveraging cross-border partnerships to shield transactions from detection.
Sanctions History & Escalation
- April 2022: U.S. Treasury sanctions Garantex for enabling ransomware laundering and sanctions circumvention.
- March 2025: Joint FBI, Finnish, and German law enforcement action seizes Garantex servers, replaces domains with seizure banners, and disrupts primary web portals.
- Post-March 2025: Garantex migrates its customer base and funds to a new entity — Grinex — while reimbursing affected users with the A7A5 ruble-backed token issued by Kyrgyzstani firm Old Vector.
- August 2025: Treasury re-designates Garantex, adds Grinex, Old Vector, additional executives, and multiple shell companies to the sanctions list.
Executive and Entity Designations
The latest OFAC list now includes:
- Aleksej Besciokov — Lithuanian national, arrested in India, alleged operational lead.
- Aleksandr Mira Serda — Russian national, co-founder & CCO, $5M State Department bounty for capture.
- Sergey Mendeleev — Co-founder, owner of two sanctioned shell companies.
- Pavel Karavatsky — Co-owner with strategic oversight of platform migration.
- Old Vector — Kyrgyzstani firm issuing A7A5 token used for reimbursement and liquidity transfer.
- Six additional Russian and Kyrgyzstani companies tied to operations and asset concealment.
Modus Operandi — Sanctions Evasion Playbook
Intelligence reporting and blockchain forensics reveal Garantex’s primary sanctions evasion methods:
- Ruble-to-Crypto Conversion Hubs
  - Physical offices in Moscow and St. Petersburg exchanged cash for cryptocurrency, allowing sanctioned individuals and entities to bypass banking restrictions.
- Constant Wallet Rotation
  - Daily migration of operational cryptocurrency to new wallets, fragmenting the chain of custody and frustrating automated blacklists used by legitimate exchanges.
- Shell Company Integration
  - Layered ownership structures and parallel company registrations to obscure beneficial ownership and transaction flows.
- Token-Based Reimbursement (A7A5)
  - Following the March takedown, Garantex compensated users in ruble-backed stablecoins, preserving customer loyalty and liquidity while staying outside traditional fiat systems.
- Successor Entity Masking
  - Rapid operational pivot to Grinex as the public-facing brand, effectively continuing the same laundering infrastructure under a new name.
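Wallet rotation of the kind listed above defeats exact-match address blocklists, so compliance screening has to follow the funds rather than the address. The following is an added example, not code from the article or from any vendor: a proportional taint trace over constructed transfers, where the address labels, amounts, and the 5% review threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: placeholder labels, not real blockchain addresses.
LISTED = {"addr_listed_hot_wallet"}
TRANSFERS = [  # (day, sender, receiver, amount)
    (1, "addr_listed_hot_wallet", "addr_rot_day1", 100.0),
    (2, "addr_rot_day1", "addr_rot_day2", 100.0),
    (3, "addr_rot_day2", "addr_rot_day3", 60.0),
    (3, "addr_rot_day2", "addr_rot_day3b", 40.0),
    (3, "addr_unrelated_a", "addr_customer", 500.0),
    (4, "addr_rot_day3", "addr_customer", 60.0),
    (4, "addr_unrelated_b", "addr_merchant", 25.0),
]

def trace_exposure(transfers, listed):
    """Proportional taint trace: {address: (tainted share of inbound funds, hops)}."""
    balance, tainted = defaultdict(float), defaultdict(float)
    inbound, inbound_tainted = defaultdict(float), defaultdict(float)
    hops = {a: 0 for a in listed}
    for _day, src, dst, amt in sorted(transfers, key=lambda t: t[0]):
        if src in listed:
            frac = 1.0  # everything a listed address sends is tainted
        else:
            held = max(balance[src], amt)  # funding we never observed is assumed clean
            frac = tainted[src] / held if held else 0.0
        moved = amt * frac
        balance[src] = max(balance[src] - amt, 0.0)
        tainted[src] = max(tainted[src] - moved, 0.0)
        balance[dst] += amt
        tainted[dst] += moved
        inbound[dst] += amt
        inbound_tainted[dst] += moved
        if moved > 0:  # record the shortest hop distance from a listed address
            hops[dst] = min(hops.get(dst, hops[src] + 1), hops[src] + 1)
    return {a: (inbound_tainted[a] / inbound[a], hops.get(a)) for a in inbound if inbound[a]}

def screen(address, report, listed, threshold=0.05):
    """Screening decision; the 5% threshold is an assumed policy value."""
    if address in listed:
        return "BLOCK: listed address"
    share, hops = report.get(address, (0.0, None))
    if share >= threshold:
        return f"REVIEW: {share:.0%} of inbound funds trace to a listed address ({hops} hops)"
    return "PASS"

if __name__ == "__main__":
    report = trace_exposure(TRANSFERS, LISTED)
    for addr in ("addr_rot_day3", "addr_customer", "addr_merchant"):
        print(addr, "| on blocklist:", addr in LISTED, "|", screen(addr, report, LISTED))
```

The rotated wallet `addr_rot_day3` never appears on the blocklist, yet the trace attributes all of its inbound funds to the listed address three hops back.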
Links to the Russian Ransomware Ecosystem
U.S. and EU investigators trace substantial transaction flows from Garantex to known ransomware affiliates, with confirmed laundering for:
- Conti — $6M+ in transactions routed through Garantex wallets.
- Black Basta — Obfuscated payment chains for ransomware settlements.
- Ryuk — Proceeds funneled through nested exchange accounts.
- LockBit — Payments converted to privacy coins via Garantex liquidity pools.
- NetWalker & Phoenix Cryptolocker — Payment washing for dark web affiliates.
These associations position Garantex as not only a sanctions evasion vehicle, but a critical financial infrastructure node in Russia’s cyber-extortion economy.
International Coordination
The renewed sanctions follow months of transnational investigative work:
- U.S. Treasury OFAC — Primary sanctions designation authority.
- FBI — Seizure coordination and ongoing criminal investigation.
- German BKA & Finnish NBI — Physical server seizures, forensic analysis.
- Europol — Digital asset tracing and blockchain intelligence sharing.
- European Union — March 2025 sanctions aligning with U.S. designations, citing links to sanctioned Russian banks.
Blockchain analytics firm Elliptic released an independent mapping of Garantex’s operational ecosystem, confirming multiple interlinked corporate and digital asset service providers facilitating illicit transactions.
30-Day Threat Forecast
| Threat Vector | Likelihood | Potential Impact | Notes |
|---|---|---|---|
| Migration of operations to additional shell exchanges | High | Severe | Expect new successor brand(s) to appear |
| Increased use of ruble-backed or USD-backed stablecoins | High | High | Will bypass traditional crypto-to-fiat monitoring |
| Continued laundering for ransomware groups | High | Severe | Strong operational demand from existing affiliates |
| Targeting of smaller CIS-region exchanges for liquidity | Medium | Moderate | Recruitment of less-regulated platforms |
| Secondary U.S./EU sanctions on associated entities | Medium | Moderate | Will push infrastructure further underground |
TRJ Verdict
This is not merely a cryptocurrency exchange gone rogue — Garantex is a sanctioned-state-aligned financial laundromat engineered to outlast enforcement. Its operational resilience comes from a deliberate blend of physical cash hubs, blockchain obfuscation, legal entity rotation, and customer loyalty programs disguised as token reimbursements.
The redesignation and expanded sanctions list signal a shift in U.S. strategy — moving from single-entity targeting to network-based sanctions that aim to dismantle the broader infrastructure enabling ransomware and sanctions evasion. However, as long as successor brands like Grinex can spin up faster than enforcement can dismantle them, the laundering pipeline will remain intact.
This case underscores the reality that crypto-based financial crime suppression requires not just disruption, but permanent disablement of laundering infrastructure — a far more resource-intensive challenge than one-off seizures or domain takedowns.


This is an interesting post, John. Laundering that much in illicit proceeds calls for action.
I can see why this type of thing requires permanent disablement to stop it. I hope our Department of the Treasury can stay on top of this!
Thank you for sharing.
You’re welcome, Chris — and thank you very much. When you’re talking about laundering operations in the hundreds of millions, temporary takedowns are nothing more than a speed bump. These networks are built to rebrand, rehost, and reroute faster than most enforcement cycles can respond.
Permanent disablement means dismantling the entire ecosystem — not just the front-facing exchange, but the shell companies, token schemes, and liquidity pipelines that keep it alive. The Treasury’s latest action is a step in the right direction, but the real challenge is keeping pressure on until the infrastructure itself is unusable. Anything less, and they’ll resurface under a new name before the ink on the sanctions order dries.
Thanks for the reply, John. Permanent disablement doesn’t sound easy but it sounds like there is really no other option to stop these types of issues. I know very little about the crypto-world (and am really not that interested in it) but laundering is laundering and we need to keep the pressure on as you have mentioned.
You’re welcome, Chris — and you’re right, permanent disablement isn’t easy, but it’s the only solution that works long-term. In the crypto world, just like in traditional finance, laundering networks adapt quickly to partial takedowns — new names, new domains, new accounts — all spun up in days. The only way to stop them is to dismantle the entire operating ecosystem, from the front-facing exchange to the hidden liquidity channels that keep them alive.
Whether it’s blockchain or bank wires, laundering is laundering. The technology changes, but the principle is the same — choke off the ability to move and clean the money, and the whole operation grinds to a halt. That’s where sustained pressure matters most. 😎
Thanks for the information, John. I hope you are having a great day!
You’re very welcome, Chris — always appreciated. I hope you’re having a great day as well. 😎