A coordinated operation involving U.S., German, and Finnish law enforcement has seized the infrastructure of Garantex, the Russian cryptocurrency exchange that OFAC sanctioned in April 2022. Co-founder Aleksej Besciokov has been arrested in India on U.S. charges; a second co-founder, Aleksandr Mira Serda, remains at large.

The DOJ announced the seizure alongside the unsealing of an indictment charging both co-founders with conspiracy to commit money laundering, operating an unlicensed money-transmitting business, and sanctions evasion. Approximately $28 million in USDT was seized during the operation, and the exchange’s servers and domain have been taken down.

The scale of Garantex’s illicit activity is staggering. According to blockchain analytics from Chainalysis and TRM Labs, the exchange processed approximately $96 billion in total lifetime volume. Of that, an estimated 70 to 82 percent was linked to sanctioned entities, ransomware operations, darknet markets, or other illicit finance.

Garantex served as a primary off-ramp for some of the most prolific ransomware gangs of the past four years, including Conti, Black Basta, and LockBit. Ransomware operators used the exchange to convert Bitcoin and other cryptocurrencies received as ransom payments into rubles and other fiat currencies. The exchange also processed approximately $1.5 billion in funds connected to the February 2025 Bybit hack — the largest single crypto theft in history.

OFAC originally sanctioned Garantex in April 2022, identifying it as a conduit for sanctions evasion by Russian entities following the invasion of Ukraine. Despite the designation, Garantex continued to operate — a common challenge with Russia-based platforms that are beyond the reach of Western enforcement. The exchange ultimately rebranded as “Grinex” and launched a ruble-backed stablecoin tied to sanctioned Moldovan oligarch Ilan Shor.

The arrest of Besciokov in India is significant. Russia-based crypto operators have generally been considered unreachable by Western law enforcement. Besciokov’s travel outside Russia provided the opportunity for an arrest that would not have been possible within Russian territory.

The crypto-ransomware nexus in full view

Garantex is the most important crypto enforcement case you have probably not heard of. It lacks the celebrity drama of FTX or the policy debates of Tornado Cash, but in terms of pure illicit volume — $96 billion, the majority linked to sanctioned entities and ransomware — it dwarfs every other platform that has been shut down.

From an AML perspective, what makes Garantex significant is its function within the ransomware economy. Ransomware is not just a cybersecurity problem. It is a financial crime problem. Every ransomware attack generates proceeds that need to be laundered, and the laundering infrastructure — the exchanges, OTC desks, and mixers that convert crypto ransom payments into usable currency — is what makes the business model viable. Take away the off-ramp, and you make ransomware less profitable and therefore less prevalent.

Garantex was the off-ramp. Its willingness to process billions in ransomware proceeds without questions made it an essential piece of infrastructure for criminal groups that attacked hospitals, school districts, municipal governments, and critical infrastructure operators. The human cost of ransomware — delayed surgeries, disrupted emergency services, compromised patient data — connects directly to the financial services that Garantex provided.

The rebranding to Grinex and the launch of a ruble-backed stablecoin linked to a sanctioned oligarch demonstrate the challenge of enforcing sanctions against actors who operate in jurisdictions beyond Western reach. Russia provides a permissive environment for sanctions-evading crypto operations, and until that changes — through diplomatic pressure, asset seizures, or the kind of extraterritorial arrest we saw with Besciokov — the whack-a-mole dynamic will continue.

For the global compliance community, Garantex is a case study in why transaction monitoring must include exposure analysis for high-risk exchanges. Any institution whose customers have direct or indirect transaction flows with Garantex, Grinex, or their successors faces sanctions and AML liability. The analytics firms that identified the scale of Garantex’s illicit volume — Chainalysis and TRM Labs — provide the tools to detect that exposure. Using them is not optional.
