On March 6, 2025, a coalition of agencies took down the largest illicit crypto exchange complex in the world. The U.S. Secret Service, FBI, Germany's BKA, Finland's NBI, Europol, the Dutch National Police, and Estonia's NCP seized three Garantex domains, pulled servers offline in Germany and Finland, and froze roughly $26 million. Tether froze another $28 million in USDT. The Justice Department unsealed indictments against two co-founders. Confirmed reporting
Within days, the same operation was back online under a new name. The successor, Grinex, had not been improvised in a panic. It had been incorporated in Kyrgyzstan in December 2024, roughly three months before the takedown. The brand was new. The interface, the Telegram channels used to migrate users, and the customer balances were not. Confirmed reporting
This is the pattern End Krysha exists to track, the editorial front of the Ransomware Ecosystem Network Observatory, which follows the cash-out layer through its rebrands rather than one venue at a time. A takedown removes a name, not a function. The function here is conversion: turning extortion and sanctions-evasion proceeds into spendable, cross-border value at scale, fast, with minimal friction. As long as that function has somewhere to live, the ecosystem routes around the loss. Garantex is the cleanest case study available of how quickly it reroutes, and of which layer actually has to be targeted to make a takedown stick.
The reconstitution was pre-built
Garantex was not a marginal player. The Justice Department and Elliptic put its lifetime throughput above $96 billion from 2019 to 2025, with more than $60 billion of that moving after its first OFAC designation in April 2022. Sanctions did not slow it; volume rose afterward. Confirmed reporting
The continuity between Garantex and Grinex is not analyst guesswork. OFAC's August 2025 action states plainly that Grinex was "created by Garantex employees" and that customer deposits were transferred directly into Grinex accounts. Chainalysis and TRM Labs documented a near-identical interface, shared Telegram channels, and billions in bidirectional on-chain exposure between the two and the Kyrgyz entities behind them. The bridge between old balances and new was a ruble-backed token, A7A5, which cleared roughly $93 billion in its first year. As the next section shows, that token is the part of this story that outlasts every brand change. Confirmed reporting
The brand churned again
On August 13 and 14, 2025, OFAC closed the loop: it re-designated Garantex under its cyber authority, designated Grinex as the sanctioned successor, and named the A7A5 token and the A7 settlement network alongside both co-founders. The EU had already made Garantex its first-ever crypto-exchange designation in February 2025; the UK followed in May 2026 with eighteen more entities targeting the same A7 network. The legal pressure was real and sustained. Confirmed reporting
Then, in April 2026, Grinex itself went dark. The exchange reported a roughly $13.7 million theft, about 1 billion rubles, and blamed "special services of unfriendly states." It suspended operations. A related front, TokenSpot, was hit in the same window. Reuters reported the shutdown but could not verify the attribution. Confirmed reporting
Chainalysis and Elliptic read the on-chain behavior differently from Grinex's own story. The stolen funds were mostly centralized stablecoins, swapped quickly into TRX through the same Tron-based DEX the operators had used before, a pattern that looks like self-directed laundering rather than a hostile state seizure. The exit-scam hypothesis is credible and, as of now, unresolved: no government has published technical attribution either way. Credible reporting
Where the volume went
The displaced flow did not scatter. Elliptic's tracking points to a short, named set of venues absorbing it, most operating from inside Russia. ABCeX is the largest, having processed an estimated $11 billion, and it runs from an office in Moscow's Federation Tower, the same building Garantex worked out of. Elliptic found roughly 5% of ABCeX's outgoing flow going to Garantex-linked entities. Alongside it sit Bitpapa, Exmo, Rapira, and Aifory Pro, all offering ruble-to-crypto conversion that exits across borders without an intermediary. Credible reporting
That concentration is itself the useful finding. Concentration is leverage. The narrower the set of venues doing the conversion, the smaller the target set for the next round of pressure. The post-Garantex landscape re-concentrated rather than dispersed, which is the opposite of what a resilient network would want. Analyst inference
The chokepoint that did not move
The exchange front-end is the cheapest, fastest part to replace. Garantex to Grinex took days: a new domain, a copied interface, the same Telegram channels. What does not get rebuilt that fast is the settlement layer underneath, and that layer is bigger than the exchanges sitting on it.
A7A5 is not a Garantex token. It is a ruble-backed stablecoin issued by A7 LLC, a Moscow cross-border payments firm owned by sanctioned financier Ilan Shor (51%) and the sanctioned, defense-linked Promsvyazbank (49%). Grinex was its largest trading venue, but the same token moves through other exchanges, Meer and Rapira among them, and in October 2025 it was approved for Russian foreign-trade settlement, with its operators openly targeting a fifth of the country's international settlements. Reported on-chain turnover, roughly $93 billion at the August 2025 designation, has since passed $100 billion, and the EU moved to sanction the token itself in 2026. Confirmed reporting
That is the durable target. Exchange brands are interchangeable front-ends; the A7 / A7A5 rail is banking access, correspondent relationships, and state alignment, none of which a rebrand replaces. Seizing a domain interrupts a venue. Reaching the settlement rail interrupts the function. Analyst inference
The August 2025 designation is worth reading not for the headline but for the network it maps.
When Grinex went dark, the rail did not. A7A5 trading concentrated onto Meer (Meer.kg), a Kyrgyz exchange run by CJSC TengriCoin that had been handling the token in parallel and became its primary venue after the suspension. The EU designated Meer in its April 2026 sanctions package inside the same window. No clean operator-continuous "Grinex 2.0" has been named publicly; what moved was the venue carrying the rail, not the rail itself. Credible reporting
What this means for pressure
The lesson is not that the takedown failed. Seizing servers and freezing wallets imposed real cost and produced one arrest. The lesson is about target selection. Pressure aimed at names buys weeks; the brand was back in days, then rotated again after Grinex collapsed. Pressure aimed at the settlement function, the A7A5 rail, the small set of brokers and banks behind it, the Federation Tower address that keeps reappearing, is what buys structural change. Analyst inference
The conversion function now sits on a narrower, better-named base than it did before March 2025: fewer venues, one dominant rail, and an address in Moscow that keeps reappearing. That is a window, and windows close. The ecosystem map tracks each of these venues as nodes, with the dependency edges that decide which ones are replaceable and which are not. Grinex was replaceable. The rail, so far, has not been.
Sourcing & confidence
This dispatch draws on government actions (DOJ, OFAC, EU Council, UK) and on-chain analysis from Elliptic, Chainalysis, and TRM Labs, cross-checked against our own Garantex / Grinex exchange profile. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · End Krysha's own assessment, drawn from the evidence above.
- OFAC, designation of Grinex and the A7A5 network (Aug 14, 2025; via Chainalysis).
- Chainalysis, Grinex suspends operations (Apr 2026).
- Elliptic, five exchanges filling the Garantex gap (ABCeX, Bitpapa, Exmo, Rapira, Aifory Pro).
- TRM Labs, Grinex and TokenSpot $15M theft (Apr 2026).
- The Block, successor-exchange landscape; FinanceFeeds, ABCeX $11B from Federation Tower.
- Chainalysis, EU 20th sanctions package (Meer as primary A7A5 venue after Grinex).