OFAC designated Garantex in 2022. Europol seized it in March 2025. Within 30 days, the same operators launched Grinex. The whack-a-mole enforcement cycle has completed another rotation.
On 6 March 2025, in a coordinated action spanning four continents, Garantex's domain was seized, servers taken offline, and two Russian nationals indicted in US federal court. It was the most significant crypto money-laundering infrastructure takedown since BTC-e in 2017. Within 30 days, it was effectively meaningless. Grinex appeared. Same operators. Same customer base. Same function. The enforcement cycle had completed another rotation.
Garantex processed $96 billion over four years while under active OFAC designation. Infrastructure takedowns create a 30-day disruption and an indefinite relaunch. The only enforcement that cannot be relaunched is enforcement at the transaction layer, before the money reaches the exchange.
Garantex was a Moscow-founded exchange operating in peer-to-peer and OTC markets with minimal KYC requirements. For Conti, Cl0p, Hive, and other major ransomware operations, it was the preferred cash-out infrastructure. For Russian state actors, it was a sanctions evasion vehicle. OFAC first designated it in April 2022. The exchange continued operating for three more years, from Russia, where US sanctions have no direct enforcement mechanism. Major centralised exchanges blacklisted Garantex wallet addresses; the exchange operated primarily in peer-to-peer markets where counterparty identity was opaque.
The coordinated March 2025 action involved the US Department of Justice, US Secret Service, Europol, German BKA, and Finnish law enforcement. Domain seized. Servers offline. Two operators, Aleksej Besciokov and Aleksandr Mira Serda, indicted in US federal court. The action was genuinely significant. And within 30 days, Grinex launched: same Russian-language interface, same OTC desk structure, same operator network migrating customer accounts.
Infrastructure takedowns address the symptom, the specific exchange, not the cause. The cause is that sanctioned funds can reach any exchange that accepts them, because there is no enforcement mechanism at the transaction layer to prevent flagged funds from broadcasting in the first place. Shut down Garantex; the same wallets, operators, and flows migrate to Grinex. Shut down Grinex; a third successor appears. This pattern is not Garantex-specific. It is structural.
"Every Garantex-style takedown produces a press release and a successor. The only enforcement that does not produce a successor is enforcement before the transaction settles."
Praveen Giri, Founder · QuantChainAnalysis| Ransomware Group | Garantex Usage | Post-Takedown Status |
|---|---|---|
| Conti | Primary cash-out, 2021–2022 | Group disbanded pre-takedown; proceeds inaccessible |
| Cl0p | Major volume, 2022–2025 | Migrated to Grinex and alternative OTC desks |
| LockBit affiliates | Regular ruble conversion | Continued via Grinex successor infrastructure |
| Russian state actors | Sanctions evasion infrastructure | Migrated; new exchange expected to emerge |
The Garantex–Grinex cycle demonstrates that exchange-level enforcement has a 30-day reconstitution limit in non-cooperative jurisdictions. The only enforcement that cannot be circumvented by relaunching an exchange is enforcement that operates before the transaction reaches the exchange: at broadcast, in the mempool, before settlement. QCA's pre-mempool gate intercepts flagged transactions before they reach any exchange, Garantex-linked or otherwise.