It’s been a momentous start to 2025 for the global crypto industry.
In February, the record-breaking Bybit hack shook the crypto community. March then started with a bang, as the Russian crypto exchange, Garantex, was shut down by a multi-national law enforcement operation. In cooperation with the authorities, Tether froze $28 million of the exchange’s USDt.
Our expert team hosted a webinar to examine the reasons behind the Garantex shutdown and its impact on the crypto industry. The panel’s dissection of the event and what it means for the industry’s future will be a beneficial read for regulators, compliance officers, investigators, law enforcement officials, and crypto exchanges.
The Crystal Intelligence panel dissecting the Garantex shutdown
Nick Steegmans – VP of Training and Investigations, North America
With extensive experience in crypto forensics, Nick specializes in training law enforcement and financial institutions on blockchain investigations.
Nick Smart – VP of Intelligence
A leading expert in blockchain intelligence, Nick oversees strategic analysis on illicit crypto activities and financial crime trends.
Andrii Sovershennyi – Research & Investigations Lead
A seasoned investigator, Andrii focuses on tracking illicit blockchain activities and uncovering financial crime networks across the crypto landscape.
Federico Paesano – Financial Investigations Specialist
A financial crime expert with deep experience in forensic investigations, Federico specializes in uncovering illicit financial flows and tracing crypto-related financial crimes.
A quick history of Garantex – a timeline
- 2019: Garantex was founded by Sergey Mendeleev and Stanislav Drugalev as a cash-for-crypto service in Moscow
- 2020: In the shadow of unwelcome Russian police attention, Garantex enters the European market by registering in Estonia with Aleksandr Ntifo-Siao as Commercial Director
- 2021: Drugalev is killed in a car crash. Iryna Chernyavskaya becomes the leading shareholder, replacing Mendeleev
- March 2022: Garantex loses its license to operate in Estonia for AML violations
- April 2022: Following Russia’s invasion of Ukraine in February, the US Office of Foreign Assets Control (OFAC) imposes sanctions on Garantex and the darknet marketplace, Hydra
- April 2022 to March 2025: After an initial wobble, Garantex continues its operations unabated
- March 2025: A US-led multi-national policing operation results in servers and domains being seized in several countries, the US Department of Justice announces indictments, and Tether freezes $28 million of USDT. Garantex portrays the seizure as an anti-Russian narrative to its customers and instructs them to visit the Moscow office with their KYC documents to recover their funds.
How Garantex evaded OFAC sanctions
Garantex continued trading for three years
Garantex flouted sanctions and continued trading for three years by exploiting a central weakness of sanctions: open blockchain services do not require users to get permission from a regulating authority to create new accounts. Garantex therefore changed its hot wallets almost immediately after the sanctions were announced.
A knowledge of how attribution algorithms work
Garantex also clearly knew how blockchain analytics firms’ attribution and tracing tools work, enabling it to hide on-chain signatures from counterparty exchanges. Its swift response to sanctions was initially hard for analytics companies to track.
In time, however, investigations revealed the following:
- Almost immediately after the sanctions were imposed, the operational patterns of Garantex’s hot wallets changed: the exchange altered its address clustering, including changing its deposit wallets.
- It started re-routing its transactions through Asia-based exchanges such as HTX and OKX, obscuring the link between its newly created hot wallets and the original deposit wallets.
- They frequently rotated hot wallets to avoid detection, initially on a quarterly basis, then weekly, and eventually daily.
Watch Andrii Sovershennyi’s technical analysis of how Garantex evaded sanctions while continuing to trade here.
Above: a screenshot from Crystal Expert depicting the flow of funds from Garantex in September and October 2024
The challenges faced by crypto exchanges and analytics firms
Sanctions lists alone are not sufficient to monitor wallet addresses
Exchanges thus risk unknowingly processing illicit funds due to gaps in detection and attribution. The industry should collectively be able to access a database of suspect wallets associated with certain kinds of crimes supplied by sanctioning entities. The challenge of keeping such a list updated was acknowledged, however.
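To make the gap concrete, the following is an added example (not Crystal's tooling or code from the webinar) that screens addresses two ways: a static sanctions-list match and a backwards hop trace over transfers. All addresses and transfers are constructed, and stopping the trace at an exchange pool is a simplifying assumption.

```python
from collections import deque

# Constructed sample data: every address and transfer below is made up.
SANCTIONED = {"addr_listed_hot_1"}        # address on a published sanctions list
EXCHANGE_POOLS = {"addr_exchange_pool"}   # third-party exchange wallet (pooled funds)
TRANSFERS = [                             # (sender, receiver)
    ("addr_listed_hot_1", "addr_rotated_hot_2"),   # rotation to a fresh hot wallet
    ("addr_rotated_hot_2", "addr_customer_a"),
    ("addr_listed_hot_1", "addr_exchange_pool"),   # re-routed through an exchange
    ("addr_exchange_pool", "addr_rotated_hot_3"),
    ("addr_rotated_hot_3", "addr_customer_b"),
    ("addr_unrelated", "addr_customer_c"),
]

def list_screen(address):
    """Static check: is the address itself on the list?"""
    return address in SANCTIONED

def exposure_hops(address, max_hops=3):
    """Hops back to the nearest listed address, or None if none is reachable.

    Assumption: the walk does not continue through an exchange pool, because
    pooled funds cannot be tied to one depositor from on-chain data alone.
    """
    incoming = {}
    for sender, receiver in TRANSFERS:
        incoming.setdefault(receiver, []).append(sender)
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in SANCTIONED:
            return hops
        if hops == max_hops or node in EXCHANGE_POOLS:
            continue
        for sender in incoming.get(node, []):
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, hops + 1))
    return None

def screen(address):
    """Combine both checks into one verdict string."""
    if list_screen(address):
        return "listed"
    hops = exposure_hops(address)
    return f"indirect exposure ({hops} hops)" if hops is not None else "no link found"

if __name__ == "__main__":
    for addr in ("addr_rotated_hot_2", "addr_customer_a", "addr_customer_b"):
        print(addr, "->", screen(addr))
```

The rotated wallet passes the list check but is caught by the hop trace, while the wallet funded through the exchange pool comes back clean on both checks, which is the attribution gap described above.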
Challenges in detection and attribution
Despite the efforts of reputable exchanges and analytics companies to identify illicit sources of funds, gaps still exist. Garantex and similar entities take advantage of these gaps in an ongoing cat-and-mouse game. Exchanges can unwittingly process tainted funds due to faults in detection and attribution, so a comprehensive and holistic KYC compliance program is still essential.
Ongoing monitoring is a requisite
Different blockchain companies may not identify the same transaction patterns because monitoring practices vary based on regional differences and specific priorities. While it is nearly impossible to completely avoid questionable wallet addresses, exchanges that regularly attract suspicious customers should be closely examined. Garantex, which attracted business from addresses associated with mixers, darknet markets, ransomware, sanctions and enforcement action for several years, is a prime example of this.
Watch the panel’s discussion of these issues here.
The future of Garantex, USDT, and sanctions
A new, rebranded exchange will appear
The panel agreed that Garantex has shown sufficient cunning, ingenuity, and durability to remain in operation in some capacity, though no doubt in a different guise. In all likelihood, a new, rebranded exchange will appear, whether in Moscow or not, and under new leadership, but following the same business model. The prolific market for crypto-based services in Russia is likely too strong a lure for it to resist.
Industry aligned with MiCA
Criminals have historically been drawn to USDt due to its widespread adoption, relative stability (thanks to its fiat peg), and liquidity, making it attractive for money laundering. However, its centralized nature makes it susceptible to law enforcement intervention, unlike decentralized stablecoins like DAI, which criminals often exchange USDt for to evade asset seizure. It was also noted that Tether’s cooperation could indicate a desire to align more closely with the EU’s MiCA regulations as they seek to make further incursions into the European Economic Area market.
Sanctions alone are not effective
Sanctions alone are insufficient to deal with targeted entities. Without accompanying law enforcement actions, sanctioned entities can continue operating through evasive tactics.
Final thoughts on the Garantex shutdown
The need for a transparent overall sanctions framework
A more coherent and transparent overall sanctions framework is required to govern fast-moving assets like cryptocurrencies, considering that different blockchain analytics companies can have different sets of sanctioned addresses.
This, in turn, illustrates that sanctions regimes on their own are unlikely to be effective on sufficiently determined criminal organizations, as Garantex’s behavior proved. A more holistic approach should also be governed at a regulatory level, not a business one.
Meanwhile, the Garantex case serves as a watershed moment in crypto enforcement, demonstrating that coordinated actions between law enforcement and blockchain firms can disrupt illicit finance. What precedent it has set for other exchanges in sanctioned regions promises to be a fascinating question.
Watch the whole webinar here.