Financial Layer

After Garantex: where the cash-out moved next

The takedown was real. The plumbing rerouted in days. The exchange brand was seized, rebranded, then shut down inside fifteen months. The ruble settlement rail underneath never moved, and it is bigger than any of the exchanges that ride on it.

By Reno · June 18, 2026 · Open Research
Federation Tower, Moscow City · illustration

On March 6, 2025, a coalition of agencies took down the largest illicit crypto exchange complex in the world. The U.S. Secret Service, FBI, Germany's BKA, Finland's NBI, Europol, the Dutch National Police, and Estonia's NCP seized three Garantex domains, pulled servers offline in Germany and Finland, and froze roughly $26 million. Tether froze another $28 million in USDT. The Justice Department unsealed indictments against two co-founders. [Confirmed reporting]

Within days, the same operation was back online under a new name. The successor, Grinex, had not been improvised in a panic. It had been incorporated in Kyrgyzstan in December 2024, roughly three months before the takedown. The brand was new. The interface, the Telegram channels used to migrate users, and the customer balances were not. [Confirmed reporting]

A takedown removes a name. The function survives until you take the function's home.

This is the pattern End Krysha exists to track. End Krysha is the editorial front of the Ransomware Ecosystem Network Observatory, which follows the cash-out layer through its rebrands rather than one venue at a time. A takedown removes a name, not a function. The function here is conversion: turning extortion and sanctions-evasion proceeds into spendable, cross-border value at scale, fast, with minimal friction. As long as that function has somewhere to live, the ecosystem routes around the loss. Garantex is the cleanest case study available of how quickly it reroutes, and of which layer actually has to be targeted to make a takedown stick.

The reconstitution was pre-built

Garantex was not a marginal player. The Justice Department and Elliptic put its lifetime throughput above $96 billion from 2019 to 2025, with more than $60 billion of that moving after its first OFAC designation in April 2022. Sanctions did not slow it; volume rose afterward. [Confirmed reporting]

The continuity between Garantex and Grinex is not analyst guesswork. OFAC's August 2025 action states plainly that Grinex was "created by Garantex employees" and that customer deposits were transferred directly into Grinex accounts. Chainalysis and TRM Labs documented a near-identical interface, shared Telegram channels, and billions in bidirectional on-chain exposure between the two and the Kyrgyz entities behind them. The bridge between old balances and new was a ruble-backed token, A7A5, which cleared roughly $93 billion in its first year. As the next section shows, that token is the part of this story that outlasts every brand change. [Confirmed reporting]

Fig. 1 · Disclosed throughput: Garantex, its successor, and the A7A5 rail (per cited source)
$96B · Garantex, lifetime 2019–25 · DOJ / Elliptic
$60B · Garantex, post-sanction 2022–25 · Elliptic
$93B · A7A5 rail, first year, all venues · Chainalysis
$11B · ABCeX, to date · Elliptic
Figures cover different time windows and come from different firms; shown to convey scale and continuity, not market share, and not directly comparable. Sources: DOJ and Elliptic (Garantex), Chainalysis (A7A5), Elliptic (ABCeX).

The brand churned again

On August 13 and 14, 2025, OFAC closed the loop: it re-designated Garantex under its cyber authority, designated Grinex as the sanctioned successor, and named the A7A5 token and the A7 settlement network alongside both co-founders. The EU had already made Garantex its first-ever crypto-exchange designation in February 2025; the UK followed in May 2026 with eighteen more entities targeting the same A7 network. The legal pressure was real and sustained. [Confirmed reporting]

Then, in April 2026, Grinex itself went dark. The exchange reported a roughly $13.7 million theft, about 1 billion rubles, and blamed "special services of unfriendly states." It suspended operations. A related front, TokenSpot, was hit in the same window. Reuters reported the shutdown but could not verify the attribution. [Confirmed reporting]

Chainalysis and Elliptic read the on-chain behavior differently from Grinex's own story. The stolen funds were mostly centralized stablecoins, swapped quickly into TRX through the same Tron-based DEX the operators had used before, a pattern that looks like self-directed laundering rather than a hostile state seizure. The exit-scam hypothesis is credible and, as of now, unresolved: no government has published technical attribution either way. [Credible reporting]

Where the volume went

The displaced flow did not scatter. Elliptic's tracking points to a short, named set of venues absorbing it, most operating from inside Russia. ABCeX is the largest, having processed an estimated $11 billion, and it runs from an office in Moscow's Federation Tower, the same building Garantex worked out of. Elliptic found roughly 5% of ABCeX's outgoing flow going to Garantex-linked entities. Alongside it sit Bitpapa, Exmo, Rapira, and Aifory Pro, all offering ruble-to-crypto conversion that exits across borders without an intermediary. [Credible reporting]

That concentration is itself the useful finding. Concentration is leverage. The narrower the set of venues doing the conversion, the smaller the target set for the next round of pressure. The post-Garantex landscape re-concentrated rather than dispersed, which is the opposite of what a resilient network would want. [Analyst inference]

The chokepoint that did not move

The exchange front-end is the cheapest, fastest part to replace. Garantex to Grinex took days: a new domain, a copied interface, the same Telegram channels. What does not get rebuilt that fast is the settlement layer underneath, and that layer is bigger than the exchanges sitting on it.

A7A5 is not a Garantex token. It is a ruble-backed stablecoin issued by A7 LLC, a Moscow cross-border payments firm owned by sanctioned financier Ilan Shor (51%) and the sanctioned, defense-linked Promsvyazbank (49%). Grinex was its largest trading venue, but the same token moves through other exchanges, Meer and Rapira among them, and in October 2025 it was approved for Russian foreign-trade settlement, with its operators openly targeting a fifth of the country's international settlements. Reported on-chain turnover, roughly $93 billion at the August 2025 designation, has since passed $100 billion, and the EU moved to sanction the token itself in 2026. [Confirmed reporting]

That is the durable target. Exchange brands are interchangeable front-ends; the A7 / A7A5 rail is banking access, correspondent relationships, and state alignment, none of which a rebrand replaces. Seizing a domain interrupts a venue. Reaching the settlement rail interrupts the function. [Analyst inference]

The August 2025 designation is worth reading not for the headline but for the network it maps.

U.S. Treasury / OFAC · Designation Action (excerpt), Aug 13–14, 2025
Action: Re-designation of Garantex under E.O. 13694; designation of successor Grinex
Instrument: A7A5 ruble-backed token (issued via Old Vector, Kyrgyzstan)
Settlement network: A7, A71, A7 Agent, Old Vector, InDeFi Bank, Exved
A7 ownership: Co-owned by sanctioned financier Ilan Shor and sanctioned Promsvyazbank
Individuals: Aleksandr Mira Serda (co-founder/CCO, at large, up to $5M reward); Aleksej Besciokov (technical admin, arrested India Mar 2025, extradition pending)
Source: OFAC press release and SDN list updates, Aug 13–14, 2025. Public designation record, reproduced for analysis.

When Grinex went dark, the rail did not. A7A5 trading concentrated onto Meer (Meer.kg), a Kyrgyz exchange run by CJSC TengriCoin that had been handling the token in parallel and became its primary venue after the suspension. The EU designated Meer in its April 2026 sanctions package inside the same window. No clean operator-continuous "Grinex 2.0" has been named publicly; what moved was the venue carrying the rail, not the rail itself. [Credible reporting]

What this means for pressure

The lesson is not that the takedown failed. Seizing servers and freezing wallets imposed real cost and produced one arrest. The lesson is about target selection. Pressure aimed at names buys weeks; the brand was back in days, then rotated again after Grinex collapsed. Pressure aimed at the settlement function (the A7A5 rail, the small set of brokers and banks behind it, the Federation Tower address that keeps reappearing) is what buys structural change. [Analyst inference]

The conversion function now sits on a narrower, better-named base than it did before March 2025: fewer venues, one dominant rail, and an address in Moscow that keeps reappearing. That is a window, and windows close. The ecosystem map tracks each of these venues as nodes, with the dependency edges that decide which ones are replaceable and which are not. Grinex was replaceable. The rail, so far, has not been.

Sourcing & confidence

This dispatch draws on government actions (DOJ, OFAC, EU Council, UK) and on-chain analysis from Elliptic, Chainalysis, and TRM Labs, cross-checked against our own Garantex / Grinex exchange profile. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · End Krysha's own assessment, drawn from the evidence above.
