Garantex, Tornado Cash, Bitzlato: What Recent Enforcement Teaches CASPs

Three of the most-cited crypto enforcement names — Garantex, Tornado Cash, Bitzlato — have each moved in the last two years in ways that quietly broke the assumptions most screening programmes were built on. A sanctioned exchange came back under a new name. A sanctioned protocol came off the list entirely. An exchange was killed by an agency that isn't OFAC. If your screening logic still treats "the OFAC SDN list" as a static, complete, one-directional source of truth, each of these is a hole in your programme. Here is the pattern across the three, and what an examiner now expects you to have built for.

Garantex: A Designation Is Not the End of the Entity

OFAC first designated Garantex in April 2022 for laundering ransomware proceeds. That should have been the end of it. It wasn't. On 6 March 2025, a multinational law-enforcement action led by the US Secret Service seized Garantex's primary domain and froze tens of millions in crypto — and Tether froze the USDT side in parallel. Within days, Garantex operators stood up new infrastructure and began moving customer balances to a successor exchange, Grinex. By 14 August 2025, OFAC had re-designated Garantex and separately designated Grinex, three Garantex executives, six associated companies, and the ruble-backed A7A5 token built to move value around the sanctions.

The lesson is that a designated exchange is an organisation, not a database row. It re-hosts, rebrands, and re-emerges, and the gap between the disruption and the successor's designation — here, months — is a window where the "new" entity is fully operational and not yet on any list. Screening that matches only the exact SDN entry sees a clean counterparty during precisely the period the funds are most tainted.

Tornado Cash: Sanctions Can Run in Reverse

OFAC designated Tornado Cash in August 2022 — the website, 37 smart contracts, and donation addresses. For two and a half years it was the canonical example of a sanctioned protocol. Then it reversed. In November 2024 the Fifth Circuit held in Van Loon that immutable smart contracts are not the "property" of a foreign national and so fell outside OFAC's statutory authority to block. On 21 March 2025, OFAC removed Tornado Cash from the SDN list.

Most screening programmes are built to handle additions. Removals are the under-tested path. A delisting means a counterparty that was a hard block on Thursday is, by the letter of the list, permissible on Friday — and a programme that hard-coded the Tornado Cash addresses as permanently blocked is now over-blocking a delisted entity, which is its own compliance and customer problem. But the inverse error is worse: treating delisting as exoneration. The funds that passed through Tornado Cash during the designated period carry the exposure they always did, and the protocol's removal from the SDN list says nothing about the criminal liability of its operators — co-founder Roman Storm was convicted in August 2025 of conspiracy to run an unlicensed money-transmitting business, with the jury deadlocked (not acquitting) on the sanctions and money-laundering counts.

Bitzlato: OFAC Is Not the Only Instrument

Bitzlato was never an OFAC SDN designation. On 18 January 2023, its founder Anatoly Legkodymov was arrested in Miami, and FinCEN — not OFAC — issued the first-ever order under Section 9714(a) of the Combating Russian Money Laundering Act, naming Bitzlato a "primary money laundering concern" and cutting it off from US financial institutions. It was a coordinated DOJ-plus-FinCEN action against an exchange that had moved over $700 million in illicit funds.

The point for a CASP: an entity can be radioactive and completely absent from the OFAC SDN list. A programme that screens only the SDN list would have shown Bitzlato as clean the day it was effectively shut down. The instruments that designate, restrict, and dismantle crypto businesses now include OFAC SDN designations, FinCEN special measures (311 and 9714), DOJ indictments, EU and UK listings, and multilateral domain-and-asset seizures — and they do not all land in the same dataset or on the same day.

The Pattern, and the Programme It Demands

Read across the three cases and the same four requirements fall out:

• Multi-source, not SDN-only — OFAC SDN, OFAC Non-SDN, FinCEN special measures, EU consolidated, UK HMT, UN, plus DOJ/enforcement actions that precede formal listing. Screening one list is screening one instrument of several.
• Bidirectional — ingest removals as cleanly as additions; unblock delisted entities, but keep the historical-exposure score independent of list state.
• Cluster- and successor-aware — map a designation to the actor's address footprint and its successor entities, so the Garantex-to-Grinex gap doesn't read as clean.
• Time-aware — the window between an enforcement event and its formal list entry is where the funds move; the freeze events and seizure transactions land on-chain before the SDN file updates, and a programme watching the chain sees them first.

How BA does it. BA screens against OFAC (SDN and Non-SDN), EU, UN, UK HMT and SECO, and tracks the on-chain clusters and successor infrastructure behind designated entities — Garantex through to Grinex, the Tornado Cash contracts across their listing and delisting, mixer and exchange exposure regardless of current list state — over a graph of 1B+ labelled addresses. Removals propagate; historical exposure persists in the risk score; freeze and seizure events are picked up from the chain in real time. The result is a screening decision that survives the next re-designation, delisting, or successor exchange instead of being broken by it. For the touchpoint-level mechanics, see Real-Time Sanctions Screening for CASPs; for the OFAC framework itself, OFAC Sanctions Screening for Crypto.

This closes our "Briefings" run for the cycle. The companion "Tools for Compliance" series walks the operational workflows end to end — from sanctions screening to ongoing monitoring to the SAR that follows a confirmed hit.