On March 7, 2025, the U.S. Department of Justice (DOJ), in coordination with authorities in Germany and Finland, announced the disruption of Garantex — a Russia-based cryptocurrency exchange deeply embedded in the global cybercrime economy.
The operation resulted in the seizure of Garantex’s domains and servers in Germany and Finland, the freezing of over $26 million in illicit funds, and criminal charges against its administrators Aleksej Besciokov and Aleksandr Mira Serda, who allegedly oversaw the laundering of hundreds of millions of dollars worth of cryptocurrency.
For years, Garantex was a major enabler of financial crime, facilitating money laundering for ransomware groups, darknet markets (DNMs), and other sanctioned entities. Despite being sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) in April 2022, Garantex continued to evade restrictions and conduct transactions with U.S.-based entities. The takedown marks a significant victory as international efforts escalate to disrupt illicit crypto activity.
What is Garantex?
More than just an unregulated crypto exchange, Garantex was a cornerstone of Russia’s illicit crypto economy and a key financial facilitator for illicit actors across the world.
While the shutdown of Hydra Market in 2022 was a major blow to the cybercriminal landscape, Garantex remained operational and provided services to transnational criminal organizations including ransomware groups, drug traffickers, and sanctioned entities, processing at least $96 billion in transactions since 2019.
Garantex’s role in illicit finance:
- Served as a major laundering hub for ransomware groups like Conti, Black Basta, and Play, including for some of the largest attacks in the last three years, with substantial impacts to U.S.-based victims
- Moved millions in funds linked to DNMs, including drug trafficking proceeds and child sexual abuse material (CSAM)
- Laundered at least $22 million stolen from a hacked U.S.-based blockchain platform
- Linked to high-risk Russian cybercriminal forums and terrorist financing
According to the unsealed indictment, Garantex administrators took deliberate steps to conceal illicit activity. When Russian authorities requested records on Mira Serda’s account, Garantex provided false information. After being sanctioned by OFAC in 2022, Garantex continued transacting with U.S.-based entities and redesigned its operations to evade detection, including frequent wallet address changes to bypass compliance measures. Additionally, despite conducting extensive financial dealings in the U.S., Garantex never registered with FinCEN as required by federal regulations.
Examining Garantex’s illicit on-chain footprint
Garantex was among the most prolific money laundering platforms in the crypto ecosystem, facilitating cybercrime on a global scale. While the true volume of illicit activity linked to Garantex is likely much higher — as illicit addresses continue to be identified — the available data provides a clear picture of its role in enabling cybercrime.
Illicit activity accounted for at least 1.35% of Garantex’s total transactions. This may seem like a small percentage at first glance, but at a scale of $96 billion, that translates to over $1.3 billion in illicit funds funneled through the exchange. In comparison, most compliant centralized exchanges (CEXs) see illicit transactions account for just 0.14% of their total volume. This means that Garantex’s illicit transaction share was nearly ten times higher — an 871% difference.
When broken down by entity type, we can see that the majority of illicit funds received by Garantex originated from scams, DNMs, and illicit actor organizations.
The Reactor graph below shows Garantex’s on-chain connections with a wide assortment of illicit entities.
Garantex’s on-chain relationships include:
- Lazarus Group: A North Korean state-sponsored hacking group linked to major crypto heists, including the recent ~$1.5 billion Bybit hack.
- SouthFront: A pro-Russian disinformation outlet sanctioned for malign influence operations.
- OMG!OMG! Market: A DNM that facilitates illicit transactions
- Mega Darknet Market: A major marketplace for illicit goods and services
- Solaris Market: Another prominent DNM tied to cybercrime
- Ekaterina Valeryevna Zhdanova: A Russian national sanctioned for large-scale crypto money laundering for Russian elites and ransomware gangs
Its on-chain relationships also extend to CSAM, scams, stolen funds, ransomware operators and administrators, exploit kit developers, and illegal goods vendors.
The disruption of Garantex is among the most significant actions against illicit crypto use in recent years, demonstrating the growing impact of international collaboration and blockchain intelligence in dismantling financial networks that support cybercrime.
What’s next for Garantex: Rebrands, fragmentation, migration
With Garantex’s core infrastructure dismantled, its illicit client base will likely seek new avenues to launder funds. One possibility is the emergence of a successor exchange, leveraging similar infrastructure and client bases under a different name. We have seen other sanctioned Russian exchanges attempt rebrands in the past, such as Suex reemerging as Chatex.
Alternatively, rather than a single replacement, a network of smaller, harder-to-track exchanges and brokers could appear. Such was the case with Hydra Market’s takedown, after which dozens of smaller darknet markets emerged to fill the gap. Some illicit actors may simply move to other existing high-risk exchanges, particularly in areas with weak anti-money laundering (AML) controls, including Russia-based platforms that operate outside of U.S. jurisdiction.
Chainalysis is actively monitoring how illicit flows shift in the wake of the Garantex takedown, tracking potential successor entities, and the movement of illicit funds to other platforms.
Public-private partnerships power the fight against transnational cybercrime
The successful dismantling of Garantex was made possible through coordinated efforts between international law enforcement agencies, blockchain analytics providers, and industry partners, demonstrating how advanced blockchain tooling and enforcement can disrupt prolific illicit financial networks.
With real-time transaction monitoring, Chainalysis equips investigators with the tools and training to trace illicit funds across even the most complex laundering networks. The dismantling of Garantex marks a major milestone, cutting off transnational crime from its core financial infrastructure. Nevertheless, as history shows, illicit actors are swift to adapt. Chainalysis will continue to track where Garantex’s criminal client base migrates, identifying other high-risk exchanges that may take its place, as well as potential successor entities and rebrands attempting to reestablish operations.
As global law enforcement and private and public sector partners continue to strengthen collaboration, blockchain is becoming an increasingly poor vehicle for criminal exploitation, making it more difficult than ever for illicit actors to operate unchecked.