On March 6, 2025, the US Secret Service — in partnership with German and Finnish law enforcement — seized Garantex’s domains and froze over $26 million in cryptocurrency. The DOJ unsealed indictments against Garantex executives Aleksandr Mira Serda and Aleksej Besciokov. Besciokov was arrested in India. The operation was one of the most significant international crackdowns on a Russian-linked virtual asset service provider — the culmination of years of effort that began with OFAC’s initial designation in April 2022.
Two weeks later, Garantex was back.
Not literally — the seized domains remained under law enforcement control. But a new exchange called Grinex launched on Telegram channels previously associated with Garantex, promoting itself as “a new platform with familiar functionality.” The user interface was virtually identical. Former Garantex employees were hired. Former Garantex users were onboarded through a purpose-built token — A7A5, a ruble-backed stablecoin — that converted their frozen Garantex balances into tradeable assets on the new platform.
By August 2025, the Treasury Department designated Grinex, along with the A7A5 token, three Garantex executives, and six associated companies in Russia and Kyrgyzstan. The State Department offered a $5 million bounty for information leading to Mira Serda’s arrest. The sanctions net tightened.
And then came Exved. And MKAN Coin. And ABCEX. And Meer.
This is the crypto hydra problem. And it is the most important enforcement challenge in financial crime today.
The anatomy of a rebrand
The speed and coordination of the Garantex-to-Grinex transition was not improvised. TRM Labs’ analysis revealed that Grinex was incorporated in Kyrgyzstan in December 2024 — three months before the Garantex seizure — by an individual with no prior history in the exchange business. The A7A5 token was announced on Garantex in January 2025, weeks before the takedown. And on-chain analysis showed that Garantex wallets began moving funds into A7A5 in January, well before the March enforcement action.
The implication is clear: Garantex’s operators had foreknowledge — or at least a strong expectation — of the impending enforcement action and built their contingency plan in advance. The seizure was not a surprise that forced improvisation. It was an anticipated event for which the successor infrastructure was already in place.
This is qualitatively different from previous rebrand operations in the crypto space. When BTC-E was taken down in 2017, its successor WEX emerged somewhat haphazardly and collapsed within a year due to internal conflict. When SUEX was sanctioned in 2021, its successor Chatex was subsequently designated as well — but the transition was disorganised and lost much of the user base.
The Garantex-to-Grinex transition was planned, funded, coordinated, and executed with the operational discipline of a corporate restructuring — because that is effectively what it was. The operators treated sanctions enforcement as a business risk to be managed, not a shutdown event to be suffered. They pre-positioned the successor entity, pre-built the migration mechanism (A7A5), and pre-arranged the user communication channels (Telegram). When the seizure came, the migration was ready.
The hydra grows more heads
The Transparency International Russia investigation, published in September 2025, and the ICIJ’s subsequent reporting revealed that Grinex was not the only successor. The Garantex ecosystem had metastasised into multiple entities.
Grinex was the direct successor — same interface, same team, same user base, same operational model. It served as the primary trading hub for A7A5 and processed billions of dollars in cryptocurrency transactions before being sanctioned in August 2025.
Exved was something different and arguably more dangerous. Transparency International’s investigators described it as an intentionally designed next-generation platform — not a hasty rebrand but a strategic evolution. Run by Garantex founder Sergey Mendeleev, Exved operates as a cross-border payment processing platform that uses agent-based payment schemes to enable Russian clients to move money abroad through offshore proxies. The structure leaves no crypto footprint in Russian banking records. In undercover interviews, Transparency International’s researchers confirmed that the Exved system was being used to facilitate the financing of dual-use goods transactions — including microchips and telecommunications equipment.
MKAN Coin is a Telegram-based crypto-to-cash exchange that replicates Garantex’s core functions under a new name. Transparency International described it as having “inherited and rebranded Garantex’s laundering blueprint, extending it into a decentralised, global network designed to survive sanctions and scrutiny.” MKAN Coin has branches across jurisdictions as varied as Kyrgyzstan, Spain, Brazil, Thailand, and Georgia.
ABCEX is directly linked to Garantex founder Mendeleev. Meer was incorporated on the same date as Grinex and A7A5 — December 2024 — and was among the first exchanges to list the A7A5 token. TRM Labs found that Meer exhibited the same spending heuristics and featured an identical trading interface to other entities in the Garantex network.
The picture that emerges is not a single entity being shut down and restarting. It is an ecosystem — a distributed, modular network of platforms, tokens, agents, and offshore intermediaries that collectively perform the functions that Garantex performed alone. The network is designed to be resilient to enforcement action: when one node is sanctioned or seized, the others continue operating. When a domain is taken down, communication shifts to Telegram. When fiat accounts are frozen, transactions move to stablecoins. When stablecoins are frozen (as Tether froze $26 million in the initial Garantex action), the network creates its own stablecoin (A7A5).
As Transparency International’s lead researcher Kristine Baghdasaryan put it: “Every time regulators cut off one ‘head’ of this crypto hydra, another appears under a new name.”
The A7A5 token and sovereign financial infrastructure
The A7A5 token deserves specific attention because it represents something beyond a simple migration mechanism. A7A5 is a ruble-backed stablecoin issued by Old Vector, a Kyrgyz firm, but its ultimate ownership traces to A7 LLC — a Russian cross-border settlement platform owned by Ilan Shor, a sanctioned Moldovan oligarch, and connected to Promsvyazbank, a sanctioned Russian bank.
The A7A5 token processed $93.3 billion in transactions in 2024 alone — a staggering volume for a stablecoin that most of the crypto industry has never heard of. It was designed to operate within a narrow ecosystem of Russia-linked financial services, providing cross-border settlement capability that is independent of Western banking infrastructure, SWIFT messaging, and dollar-denominated correspondent banking.
This is not just sanctions evasion. It is the construction of a parallel financial infrastructure — a payment rail that operates outside the Western-controlled financial system, denominated in rubles, settled in crypto, and resistant to the enforcement mechanisms that the US and EU have deployed since 2022.
Whether A7A5 and its associated infrastructure represent a sustainable alternative to the dollar-based system or a fragile workaround that will eventually be dismantled is one of the most consequential questions in the intersection of financial crime and geopolitics. The sanctions against Grinex and A7A5 in August 2025 were intended to answer that question in favour of dismantlement. The emergence of yet more successor entities suggests the answer is not yet settled.
Then came the hack
In a development that adds yet another layer to an already complex story, Grinex suspended operations in April 2025 after suffering an alleged $13.7 million cyberattack. The exchange blamed “foreign intelligence agencies of unfriendly states” for the breach.
The claim is worth examining carefully. Chainalysis’s analysis of the on-chain evidence noted that the exfiltrated funds — held in centralised stablecoins — were rapidly swapped for TRX on a decentralised exchange that had previously been heavily used by Garantex itself. Western law enforcement agencies, when they seize stablecoins, typically issue freeze orders to the stablecoin issuer rather than swapping them on DEXs. The on-chain behaviour was more consistent with a criminal actor — or an insider — than with a law enforcement operation.
Chainalysis raised the possibility of a false flag: “Russia has a well-documented history of employing false flag tactics across multiple domains,” the firm noted, adding that “Russia-linked darknet markets and illicit services [have previously] suddenly shutter[ed] under the guise of an external hack, only for on-chain data to reveal administrators quietly moving user funds to their own wallets.”
Whether the Grinex “hack” was a genuine external attack, a false flag operation to cover an exit scam, or something else entirely remains unclear. What is clear is that the Grinex suspension — coming on top of the sanctions, the domain seizures, and the indictments — has not ended the Garantex ecosystem. The successor entities continue to operate.
Why takedowns are necessary but insufficient
The Garantex saga illustrates a fundamental limitation of the enforcement tools currently available for combating crypto-enabled financial crime.
Sanctions designations are powerful — they cut the designated entity off from the US dollar system and make it a crime for any US person or entity to transact with them. But sanctions are only as effective as the enforcement infrastructure behind them. When the sanctioned entity operates primarily in Russian rubles, serves primarily Russian clients, and settles transactions in crypto rather than through correspondent banking, the practical impact of a US dollar-system exclusion is limited.
Domain seizures are disruptive — they prevent users from accessing the exchange through its web interface. But when the exchange operates primarily through Telegram bots and mobile applications, the domain is one access point among many. Seizing it is inconvenient. It is not fatal.
Criminal indictments of operators are the most consequential individual action — they can result in arrest and imprisonment. But when the operators are Russian nationals operating from Russian territory, the likelihood of arrest depends on international travel patterns and bilateral cooperation. Russia does not extradite its citizens to the United States. Besciokov was arrested in India because he left Russia. Mira Serda remains at large, presumably in the UAE, with a $5 million bounty on his head.
Asset freezes are effective against centralised choke-points — Tether can freeze USDT held in designated wallets, and stablecoin issuers have cooperated with law enforcement freezes in multiple cases. But the creation of A7A5 — a sanctions-resistant stablecoin operated by sanctioned entities — demonstrates that the centralised freeze mechanism has been identified as a vulnerability and is being actively routed around.
None of this means that enforcement action is futile. Each action imposes costs on the operators: legal risk, operational disruption, loss of infrastructure, freezing of assets, and — most importantly — degradation of trust among users who cannot be certain that their funds are safe on a platform that is under active law enforcement pursuit. The cumulative effect of sanctions, seizures, indictments, and stablecoin freezes does make it progressively harder — and more expensive — for the Garantex ecosystem to operate.
But the Garantex saga demonstrates that “harder and more expensive” is not the same as “impossible.” A sufficiently motivated adversary — particularly one operating with the tolerance of a sovereign state — can absorb the costs, replace the infrastructure, and continue operating. The hydra does not die from having its heads cut off. It grows new ones.
What this means for the broader fight
The pattern I have documented here — takedown, rebrand, re-emerge — is not unique to Garantex. It is the structural response of modular criminal infrastructure to enforcement pressure.
ChipMixer was seized in March 2023. New mixing services appeared within weeks. Tornado Cash was sanctioned in August 2022 and delisted in March 2025. Forks and clones proliferated. Hydra was seized in April 2022. Successor marketplaces — including Rutor and others — absorbed its user base. In each case, the specific node was eliminated, but the function it performed — mixing, laundering, darknet commerce — continued through successor entities.
This does not mean enforcement is pointless. It means that enforcement targeting individual entities is a necessary but insufficient component of a broader strategy. The entities must be targeted. But the ecosystem conditions that enable rapid rebirth must also be addressed.
Those conditions include: jurisdictions that tolerate illicit crypto infrastructure (Russia, and to a lesser extent the UAE, Kyrgyzstan, and others); stablecoin architectures that can be replicated outside the reach of Western issuers; messaging platforms (primarily Telegram) that provide resilient communication channels for criminal operations; and a global regulatory landscape that remains fragmented enough to provide safe harbour for operators who are sanctioned in the US and EU but not in their home jurisdiction.
Addressing these conditions requires sustained international cooperation, diplomatic pressure on harboring jurisdictions, continued development of blockchain forensics capabilities, and — perhaps most importantly — realistic expectations about what enforcement can and cannot achieve against modular, state-tolerated criminal infrastructure.
The Garantex hydra is not defeated. It is contained. Whether containment is sufficient depends on what happens next — in the regulatory, diplomatic, and technical domains that determine how effectively the crypto ecosystem can be governed.
If you have information about the Garantex/Grinex network, successor entities, the A7A5 token ecosystem, or related sanctions evasion infrastructure, I would like to hear from you. Reach out at [email protected].