On August 14, 2025, the US Treasury Department announced sanctions against the spiritual successor to Garantex, the Grinex crypto exchange. Following law enforcement action against Garantex in March 2025, Grinex was created by Garantex employees to support sanctions evasion efforts. Subsequently, Grinex has become a hot spot for illicitly obtained funds from ransomware, extortion, and other fraudulent activities.
Multi-Step Process
The disruptions of Grinex and Garantex took years to execute and occurred over multiple phases of sanctions and law enforcement actions.
Phase 1 – Initial Sanctions against Garantex
In April 2022, the US Treasury Department sanctioned Estonia-based crypto exchange Garantex. This came after Estonia revoked Garantex’s license in February 2022 due to a lack of anti-money laundering/know-your-customer (AML/KYC) policies. At the time of the sanctions announcement, the Office of Foreign Assets Control (OFAC) assessed Garantex to have facilitated more than $100 million USD in illicit transactions. Interestingly, these sanctions did not inhibit Garantex from continuing their operations in providing cover for criminals and sanctioned customers of the exchange.
However, the sanctions did impact the ransomware landscape. Previously used by big-name ransomware groups such as Conti, LockBit, and Ryuk, the exchange was largely no longer a viable option for groups hoping to stay in business and evade additional law enforcement scrutiny. Groups that continued to utilize the sanctioned exchange or decided to use it later often earned themselves a one-way ticket to organizations’ no-pay lists and became a target for future law enforcement takedowns. Notably, 8Base ransomware was added to Arete’s internal no-pay list in September 2023 following an identified transaction to Garantex. 8Base was then taken down by a law enforcement action in February of 2025.
Phase 2 – Law Enforcement Attempts to Dismantle Garantex
Fast-forward to March 2025, when law enforcement agencies led by the US Secret Service attempted to disrupt the sanctioned crypto exchange by seizing Garantex’s primary domain and over $26 million in cryptocurrency assets. Unfortunately, the operation didn’t entirely disrupt the exchange and led to the unveiling of Grinex, often referred to as Garantex 2.0, later that month. Grinex began serving as the nefarious new arm of Garantex, and operators almost immediately began routing illicit funds through the new exchange.
Phase 3 – US Treasury Sanctions Grinex
This brings us to August 14th, when the US Treasury announced sanctions against the newly formed Grinex crypto exchange, three Garantex executives, and the A7A5 stablecoin, which is discussed in the next section. Currently, Grinex remains operational, and Arete is monitoring for use of the exchange as part of ransomware groups money laundering efforts.
But Wait, There’s More
The A7A5 stablecoin cryptocurrency is designed to track 1:1 with the Russian Ruble and appeared to be transferring funds from Garantex in January 2025, indicating the desire to create a sanction-resistant asset even before the disruption. The A7A5 coin, launched behind a veil of shell companies based in Kyrgyzstan, was adopted as an efficient sanctions evasion tool for individuals looking to cash out their illicitly obtained funds.
Analyst Comments
The identification and subsequent sanctions of Grinex and the A7A5 stablecoin significantly impinge upon cybercriminals’ ability to launder funds. Sanctions announcements especially impact ransomware groups, as many incident response firms, especially ones registered as money services businesses (MSBs), will not facilitate payments to groups using sanctioned infrastructure. The unsealing of indictments against the Garantex leadership and increased spotlight on the use of the A7A5 stable coin as a sanctions evasion tool allow organizations additional opportunities to monitor sanctions exposure and prohibit funds from moving to sanctioned entities. Arete cautions that new money laundering techniques designed to evade sanctions are likely to emerge in the future as cybercriminals continuously evolve their tactics in this space.
Sources
- Grinex Emerges as Likely Garantex Rebrand
- Garantex, Grinex, and the A7A5 Token: A Deep Dive into Sanctions Evasion Networks
- Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals
- Phobos Ransomware Affiliates Arrested in Coordinated International Disruption
Related Resources
![]()
Multiple Threat Groups Using New EDRKillShifter Builds
Multiple ransomware groups now use updated EDRKillShifter builds to disable EDR protections via BYOVD and HeartCrypt, targeting major security platforms.
Read more![]()
Client Story: The Importance of External Penetration Testing
Brandon shares how Arete’s cybersecurity penetration testing helped protect his global team from threats, giving him peace of mind and expert support.
Read more![]()
Akira Targeting SonicWall Devices (Again)
A recent wave of Akira ransomware attacks has targeted SonicWall firewall devices, exploiting a previously identified flaw.
Read more
