Garantex: How a Sanctioned Exchange Kept Operating for Three Years

Part 2 of our "Crypto Enforcement Files" series. Tornado Cash showed a designation that was legally undone; Garantex shows the opposite problem — a designation that, for three years, did almost nothing, because the entity simply kept running.

Garantex is the case study in why a designation is the start of an enforcement problem, not the end. Sanctioned by OFAC in April 2022, it processed billions more dollars before a 2025 multinational seizure took it offline — and even that didn't end it. The exchange is the clearest example on record of how a sanctioned crypto business survives, relocates, and rebrands, and of why screening the static SDN entry leaves a hole exactly where the money is.

Designated, and Still Open

OFAC designated Garantex in April 2022 for facilitating ransomware laundering. A US designation cuts an entity off from US persons and the dollar system — but Garantex was a Russia-based, ruble-and-crypto exchange whose customer base and banking did not depend on either. It kept matching orders, processing deposits and withdrawals, and serving the actors it always had. The designation made it radioactive to compliant Western firms; it did not switch off the exchange.

This is the asymmetry that catches programmes off guard. An SDN entry assumes the listed party feels the consequence. For an offshore exchange operating outside the dollar system, the consequence is reputational and indirect — and the on-chain business continues, which means the tainted flows continue to reach counterparties who are in scope.

The Seizure, and the Freeze That Bit Hardest

On 6 March 2025, a multinational law-enforcement action led by the US Secret Service, with German and Finnish authorities, seized Garantex's primary domain and infrastructure and froze tens of millions in crypto. The action that hurt most was not the domain seizure but the stablecoin freeze: Tether blacklisted Garantex-linked USDT, rendering a large balance unspendable in a single contract call — the issuer power that no offshore relocation can route around. By Garantex's own account, the freeze forced it to halt operations.

The Resurrection: Grinex and A7A5

Within days of the March 2025 seizure, Garantex operators moved. Customer balances were migrated to a successor exchange, Grinex, and value was shifted using a new ruble-backed token, A7A5, built to move funds around the sanctions. On 14 August 2025, OFAC caught up: it re-designated Garantex and separately designated Grinex, three Garantex executives, six associated companies across Russia and the Kyrgyz Republic, and the A7A5 token. The exchange had effectively re-spawned under a new name in the gap between the disruption and the new designations.

For screening, the Garantex-to-Grinex continuity is the whole point. The two are different SDN entries on different dates, but on-chain they are the same operator, the same customer balances, the same provenance. A counterparty that screened clean against Grinex during the gap was transacting with sanctioned money under a name that wasn't listed yet.

What a CASP Should Take From It

How BA does it. BA tracks designated exchanges as on-chain clusters, not list rows — mapping Garantex through its seizure to the Grinex successor and the A7A5 token, so exposure is flagged on the continuity of the funds rather than the current name on the SDN list. Combined with real-time stablecoin-freeze detection, a counterparty linked to the Garantex/Grinex cluster surfaces as sanctioned-equivalent risk the moment the on-chain footprint appears — not when the next list updates. For the broader pattern, see Garantex, Tornado Cash, Bitzlato: What Recent Enforcement Teaches CASPs.

Next in the series: FTX — Lessons for Asset Safeguarding, where the failure wasn't a hack or a sanctioned counterparty but the commingling of customer funds, and what MiCA's safeguarding rules now require to prevent it.