QuantChainAnalysis/Intelligence/Garantex · Grinex · Mar 2025 – ongoing
Enforcement Russian Crypto · Sanctions Mar 2025 – 2026 · 8 min read

Garantex Dies. Grinex Is Born.
Why Sanctions Against Infrastructure
Do Not Work.

OFAC designated Garantex in 2022. Europol seized it in March 2025. Within 30 days, the same operators launched Grinex. The whack-a-mole enforcement cycle has completed another rotation.

Garantex volume
$96B+
Days to reconstitute
~30
Grinex hack (Apr 2026)
$13.7M
← Back to Intelligence

On 6 March 2025, in a coordinated action spanning four continents, Garantex's domain was seized, servers taken offline, and two Russian nationals indicted in US federal court. It was the most significant crypto money-laundering infrastructure takedown since BTC-e in 2017. Within 30 days, it was effectively meaningless. Grinex appeared. Same operators. Same customer base. Same function. The enforcement cycle had completed another rotation.

// The Structural Limit

Garantex processed $96 billion over four years while under active OFAC designation. Infrastructure takedowns create a 30-day disruption and an indefinite relaunch. The only enforcement that cannot be relaunched is enforcement at the transaction layer, before the money reaches the exchange.

What Garantex Was and Who It Served

Garantex was a Moscow-founded exchange operating in peer-to-peer and OTC markets with minimal KYC requirements. For Conti, Cl0p, Hive, and other major ransomware operations, it was the preferred cash-out infrastructure. For Russian state actors, it was a sanctions evasion vehicle. OFAC first designated it in April 2022. The exchange continued operating for three more years, from Russia, where US sanctions have no direct enforcement mechanism. Major centralised exchanges blacklisted Garantex wallet addresses; the exchange operated primarily in peer-to-peer markets where counterparty identity was opaque.

The March 2025 Takedown

The coordinated March 2025 action involved the US Department of Justice, US Secret Service, Europol, German BKA, and Finnish law enforcement. Domain seized. Servers offline. Two operators, Aleksej Besciokov and Aleksandr Mira Serda, indicted in US federal court. The action was genuinely significant. And within 30 days, Grinex launched: same Russian-language interface, same OTC desk structure, same operator network migrating customer accounts.

The Garantex–Grinex Cycle
  • Apr 2022
    OFAC designates Garantex. Exchange continues operating from Russia. Major CEXs blacklist wallet addresses. Peer-to-peer volumes unaffected.
  • 2022–2025
    Three more years of operation. $96B+ processed. Conti, Cl0p, Hive, LockBit affiliates use Garantex as primary cash-out. Designation produces documentation, not enforcement.
  • 6 Mar 2025
    Takedown. Europol, US DOJ, German BKA, Finnish LE. Domains seized. Servers offline. Two operators indicted. Most significant crypto infrastructure seizure since BTC-e.
  • ~Apr 2025
    Grinex launches. Same operational structure. Customer accounts migrated. Same customer base resumes operations within 30 days of the takedown.
  • Apr 2026
    Grinex itself hacked. $13.7M drained by an unidentified attacker. A money-laundering exchange loses funds to theft, and the irony was not lost on compliance analysts.

Why Infrastructure Takedowns Have a Structural Limit

Infrastructure takedowns address the symptom, the specific exchange, not the cause. The cause is that sanctioned funds can reach any exchange that accepts them, because there is no enforcement mechanism at the transaction layer to prevent flagged funds from broadcasting in the first place. Shut down Garantex; the same wallets, operators, and flows migrate to Grinex. Shut down Grinex; a third successor appears. This pattern is not Garantex-specific. It is structural.

"Every Garantex-style takedown produces a press release and a successor. The only enforcement that does not produce a successor is enforcement before the transaction settles."

Praveen Giri, Founder · QuantChainAnalysis
Ransomware GroupGarantex UsagePost-Takedown Status
ContiPrimary cash-out, 2021–2022Group disbanded pre-takedown; proceeds inaccessible
Cl0pMajor volume, 2022–2025Migrated to Grinex and alternative OTC desks
LockBit affiliatesRegular ruble conversionContinued via Grinex successor infrastructure
Russian state actorsSanctions evasion infrastructureMigrated; new exchange expected to emerge
// QCA Analysis: Transaction-Layer Enforcement

Infrastructure takedowns are enforcement theatre. Transaction-layer enforcement is enforcement.

The Garantex–Grinex cycle demonstrates that exchange-level enforcement has a 30-day reconstitution limit in non-cooperative jurisdictions. The only enforcement that cannot be circumvented by relaunching an exchange is enforcement that operates before the transaction reaches the exchange: at broadcast, in the mempool, before settlement. QCA's pre-mempool gate intercepts flagged transactions before they reach any exchange, Garantex-linked or otherwise.

QCA POSITION: Garantex and Grinex are symptoms of post-settlement enforcement. Pre-mempool enforcement eliminates the inflow that makes such exchanges viable. Patent pending DE 10 2026 001 732.7.