The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019.
The Treasury said it’s also imposing sanctions on Garantex’s successor, Grinex, as well as three executives of Garantex and six associated companies in Russia and the Kyrgyz Republic that have enabled these activities –
- Sergey Mendeleev (Co-founder)
- Aleksandr Mira Serda (Co-founder)
- Pavel Karavatsky (Co-founder)
- Independent Decentralized Finance Smartbank and Ecosystem (InDeFi Bank)
- Exved
- Old Vector
- A7 LLC
- A71 LLC
- A7 Agent LLC
“Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence, John K. Hurley.
“Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security, but also tarnishes the reputations of legitimate virtual asset service providers.”
Garantex was first sanctioned by the U.S. in April 2022 for facilitating transactions from darknet markets and illicit actors such as Hydra and Conti. The cryptocurrency exchange’s website was seized as part of a coordinated law enforcement operation back in March 2025, and its co-founder, Aleksej Besciokov, was arrested in India.
Merely months later, TRM Labs revealed that Garantex may have rebranded as Grinex, likely in an effort to evade sanctions, with the former continuing to process more than $100 million in transactions since the sanctions were levied. Eighty-two percent of its total volume was linked to sanctioned entities worldwide.
“Days after Garantex’s takedown, Telegram channels affiliated with the exchange began promoting Grinex, a platform with a nearly identical interface, registered in Kyrgyzstan in December 2024,” TRM Labs noted in May.
The U.S. Treasury said criminal users use Garantex to launder their ill-gotten funds, processing funds from those related to Conti, Black Basta, LockBit, NetWalker, and Phoenix Cryptolocker ransomware variants. It also said Garantex moved its infrastructure and customer deposits to Grinex shortly after the March law enforcement actions.
Furthermore, Garantex is said to have worked with affected customers to regain access to their accounts using a ruble-backed stablecoin called A7A5 token, which is issued by a Kyrgyzstani firm called Old Vector. The token’s creator is A7 LLC.
According to a report from Elliptic, A7A5 has been used to transfer no less than $1 billion per day, with the aggregate value of A7A5 transfers pegged at $41.2 billion. In all, Grinex is estimated to have facilitated the transfer of billions of dollars in cryptocurrency transactions within the few months it has been operational.
“Garantex has also provided account and exchange services to actors associated with the Ryuk ransomware gang,” the agency said. “Ekaterina Zhdanova, a prolific money launderer, exchanged over $2 million in Bitcoin for Tether (USDT) via Garantex.”
 |
| Garantex’s outgoing funds from September 2024 through May 2025 |
Zhdanova was previously sanctioned by the U.S. in November 2023 for laundering virtual currency for the country’s elites and cybercriminal crews, including Ryuk.
“Garantex’s senior executives have supported its ability to enable cybercrime and sanctions evasion by procuring computer infrastructure for Garantex, registering its trademarks, and engaging in business development efforts to make its activities appear legitimate,” the Treasury added. “Garantex’s network of partner companies has also enabled it to move money, including illicit funds, outside of Russia.”
The U.S. Department of State has announced a $5 million reward for information leading to the arrest of Serda and $1 million for information on other key leaders of Garantex. It’s worth noting that A7 was sanctioned by the U.K. in May 2025 and by the European Union last month.
“The March 2025 multinational takedown did not halt these activities,” TRM Labs said. “Instead, Garantex’s leadership quickly activated a contingency plan that appears to have been in place for months.”
“The integration of A7A5 into Grinex represents only the most recent chapter in Garantex’s long-standing role in illicit finance. Both before and after its designation by the U.S. Treasury, Garantex operated as a key conduit for ransomware laundering, darknet market transactions, sanctions evasion, and the movement of funds through high-risk Russian financial networks.”
The new wave of sanctions comes as the U.S. Department of Justice (DoJ) unsealed six warrants authorizing the seizure of over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle.
The cryptocurrency, the DoJ said, was seized from a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been charged in the U.S. for allegedly using Zeppelin ransomware to target individuals, businesses, and organizations worldwide.
“The cryptocurrency and other assets are proceeds of (or were involved in laundering the proceeds of) ransomware activity,” according to the DoJ.
“Those assets were laundered in various ways, including by using the cryptocurrency mixing service ChipMixer, which was taken down in a coordinated international operation in 2023. Antropenko also laundered cryptocurrency by exchanging cryptocurrency for cash and depositing the cash in structured cash deposits.”
In a related development, more than $300 million in cryptocurrency assets linked to cybercrime and fraud schemes, including romance baiting (aka pig butchering) scams, have been frozen as part of an ongoing effort to identify and disrupt criminal networks.
