Garantex was founded in Moscow in 2019. Over four years of operation, it processed more than $96 billion in cryptocurrency transactions. It served as a preferred cash-out infrastructure for some of the most prolific ransomware operations in history — Conti, Cl0p, Hive — as well as darknet markets, sanctions evaders, and entities operating on behalf of Russian state actors. US Treasury knew it. Europol knew it. OFAC had identified Garantex as a money laundering operation as early as 2022. The exchange kept operating.
On 6 March 2025, in a coordinated action involving the US Department of Justice, the US Secret Service, Europol, German BKA, and Finnish law enforcement, Garantex's domain was seized, its servers taken offline, and two Russian nationals — Aleksej Besciokov and Aleksandr Mira Serda — were indicted in US federal court. It was the most significant takedown of a crypto money-laundering infrastructure since the BTC-e seizure in 2017. It was also, within 30 days, effectively meaningless. Grinex appeared.
What Garantex Was — And Who It Served
Garantex positioned itself as a Russian-language cryptocurrency exchange serving Russian-speaking markets. It offered peer-to-peer trading, OTC desks, and currency conversion services with minimal Know Your Customer requirements. Its operating model was simple: accept deposits in cryptocurrency from any source, convert to Russian ruble, distribute. Reverse the flow as needed.
OFAC first designated Garantex in April 2022, following Russia's invasion of Ukraine and the identification of Garantex wallets in sanctions evasion flows. The designation did not stop Garantex. The exchange continued to operate from Russia, where US sanctions have no direct enforcement mechanism. Major centralised exchanges — Binance, Coinbase, Kraken — blacklisted Garantex wallet addresses, but Garantex operated primarily in peer-to-peer markets and OTC where counterparty identity is opaque.
$96B+ total volume (2019–2025) — Of this, US prosecutors identified at minimum $6B in directly traceable illicit flows: ransomware payments ($2.7B), darknet market proceeds ($1.4B), sanctions evasion ($1.2B), and other criminal sources ($0.7B). The remaining $90B was technically unattributed — a function of incomplete forensic coverage, not presumptive legitimacy.
The Ransomware Connection
Garantex's most significant role in the global cybercrime ecosystem was as the preferred cash-out venue for major ransomware operations. When a ransomware group receives a Bitcoin or Monero payment from a victimised hospital, municipal government, or corporation, that cryptocurrency must eventually be converted to fiat currency or used to purchase goods and services. Garantex provided that conversion, consistently, at scale, without the KYC requirements that would have identified the ransomware operators.
The Conti ransomware group — responsible for attacks on the Irish Health Service Executive, the Costa Rican government, and hundreds of US companies — used Garantex extensively for ransom proceeds conversion. Cl0p, which carried out the MOVEit Transfer attacks affecting over 1,000 organisations in 2023, routed significant proceeds through Garantex before its seizure. Hive, which targeted hospitals and healthcare providers and was disrupted by the FBI in 2023, was another significant Garantex customer.
The March 2025 Seizure — And Its Immediate Failure
The coordinated March 2025 action was technically successful: Garantex's servers were taken offline, its domains seized, and operational infrastructure disrupted. German authorities seized approximately €26 million in cryptocurrency held in Garantex accounts. Two operators were indicted. By any conventional metric of law enforcement success, it was a significant operation.
Within two weeks, Garantex's Telegram channel posted an announcement. The exchange was "temporarily suspended." Users should be patient. Within 30 days, a new exchange — Grinex — appeared at a new domain, with the same team, the same operational model, and the same customer base. OFAC designated Grinex within days of its appearance. The US government was now in a race to sanction infrastructure faster than it could be reconstituted.
| Timeline | Event | Status |
|---|---|---|
| Apr 2022 | OFAC designates Garantex | Garantex keeps operating from Russia |
| Mar 6, 2025 | Europol/DOJ coordinated seizure | Domain seized, servers offline, 2 indicted |
| Mar 2025 | Garantex Telegram: "temporary suspension" | Operators communicate with customer base |
| Apr 2025 | Grinex launches — same operators | OFAC designates immediately |
| Apr 15, 2026 | Grinex drained of $13.7M via cyberattack | TRON-based USDT theft; bridge not stopped |
| May 2026 | Grinex status | Sanctioned, compromised, still partially operational |
Grinex — The Rebranding That Sanctions Couldn't Stop
Grinex is, for all practical purposes, Garantex with a new name. The same operational team. The same Russian-language customer base. The same OTC desk infrastructure. The same model of providing conversion services to entities that cannot use regulated exchanges. OFAC designated Grinex in April 2025, within weeks of its appearance. This was faster than the Garantex designation cycle — a sign that regulators had learned from the previous failure. It did not stop Grinex from operating.
In April 2026, in a twist that illustrated the chaos of the sanctioned exchange ecosystem, Grinex itself was the victim of a cyberattack. Approximately $13.7 million in TRON-based USDT was drained from Grinex's hot wallets in a coordinated exploit. The stolen funds crossed the Ethereum and TRON mempools before any blocking was possible — a criminal stealing from criminals, with legitimate law enforcement unable to intervene without risking appearing to protect a sanctioned entity.
"You cannot sanction your way out of a problem that lives on infrastructure you don't control. Every takedown of a sanctioned exchange produces a successor within weeks. The only durable solution is at the transaction layer." — Praveen Giri, QuantChainAnalysis
What Went Wrong — The Structural Problem
The Garantex/Grinex cycle reveals a fundamental weakness in the current approach to crypto enforcement. Geographic jurisdictions matter enormously for seizing servers and domains. They matter much less for blockchain transactions. A sanctioned exchange operating from Russia cannot be served with a US court order compelling it to stop. Its operators cannot be extradited without Russian cooperation that will not come. Its transactions are broadcast to a global peer-to-peer network that has no borders.
The current enforcement model is: identify the infrastructure, seize it, watch it reconstitute, repeat. The Garantex-to-Grinex transition happened in 30 days. The next successor will take less time as operators learn to pre-position alternative infrastructure before seizures occur. This is a race law enforcement cannot win by playing catch-up.
The solution is not faster sanctions. It is earlier interception.
Every transaction that enters or exits Garantex/Grinex — whether depositing ransomware proceeds or withdrawing conversion proceeds — crosses the mempool before it settles. The wallet addresses associated with Garantex and Grinex are OFAC-listed and tracked by blockchain analytics providers within hours of their identification. A pre-mempool gate that maintains a continuously updated OFAC wallet cluster database can screen outgoing transactions against those addresses before broadcast.
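A minimal sketch of the pre-broadcast screen described above, added here as an illustration and not QuantChainAnalysis's own code. It shows the check a gate must get right for TRON or Ethereum USDT: the transaction's top-level destination is the token contract, so the real recipient has to be decoded from the `transfer` / `transferFrom` calldata. It assumes addresses are already in hex form (base58 TRON addresses would need decoding first), and every address in it is a constructed placeholder.

```python
# Added example. All addresses below are constructed placeholders, not real wallets.
TRANSFER = "a9059cbb"       # selector of transfer(address,uint256)
TRANSFER_FROM = "23b872dd"  # selector of transferFrom(address,address,uint256)

def norm(addr: str) -> str:
    """Reduce a hex address to 40 lowercase hex chars (20 bytes)."""
    a = addr.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) == 42 and a.startswith("41"):  # TRON hex form: 0x41 prefix + 20 bytes
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def recipients(tx: dict) -> set:
    """Top-level destination plus the token recipient encoded in the calldata."""
    out = {norm(tx["to"])}
    data = tx.get("data", "").lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    index = {TRANSFER: 0, TRANSFER_FROM: 1}.get(selector)
    if index is not None:
        word = args[64 * index: 64 * (index + 1)]
        if len(word) != 64:
            raise ValueError("truncated token-transfer calldata")
        out.add(norm(word[-40:]))  # address is the low 20 bytes of the 32-byte word
    return out

def gate(tx: dict, sanctioned: set) -> tuple:
    """Return ("BLOCK", reasons) or ("ALLOW", []) for an unsigned outgoing transaction."""
    try:
        hits = recipients(tx) & {norm(a) for a in sanctioned}
    except ValueError as exc:
        return ("BLOCK", [f"unparseable: {exc}"])  # fail closed on malformed input
    return ("BLOCK", sorted(hits)) if hits else ("ALLOW", [])

LISTED = "ab" * 20            # constructed "sanctioned" address
SANCTIONED = {"41" + LISTED}  # list entry stored in TRON hex form
TOKEN = "0x" + "11" * 20      # constructed stablecoin contract address
CLEAN = "0x" + "22" * 20      # constructed unlisted address
PAD = "00" * 12               # left padding of an ABI address word
AMOUNT = format(1_000_000, "064x")
token_tx = {"to": TOKEN, "data": "0x" + TRANSFER + PAD + LISTED + AMOUNT}
```

A screen that compares only `token_tx["to"]` against the list sees the token contract and lets the transfer through; `gate(token_tx, SANCTIONED)` blocks it.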
Quantum amplitude risk scoring of transactions that interact with Garantex/Grinex wallets consistently produces scores in the 8.5–9.8 range, based on a direct OFAC designation match (0.99), known ransomware proximity clusters, a Russian jurisdiction flag, and transaction patterns matching known Garantex operational signatures.
DESTINATION CLUSTER: OFAC-designated Garantex · Ransomware proximity score: 0.97
AMPLITUDE SCORE: 9.81 / 10.00 — CRITICAL
GATE DECISION: BLOCK — OFAC-designated destination · Biometric re-auth fails
OUTCOME: Ransomware proceeds cannot reach Garantex. Operator cannot cash out. Ransomware economics disrupted at the transaction layer.
Sanctioning Grinex after Garantex and designating the next successor after Grinex is a game of catch-up with no end state. Screening every transaction attempting to interact with sanctioned clusters at the mempool is a game the compliance infrastructure wins regardless of what the exchange calls itself.
Sanctions list an address.
QCA blocks every transaction to it — before settlement.
QuantChainAnalysis maintains a continuously updated OFAC/UN/EU sanctions cluster database. Every outgoing transaction is scored against it in the mempool. Sanctioned counterparties are blocked before the transaction is broadcast.