The Takedown of Garantex: A Notorious Crypto Exchange’s Role in Illicit Finance

Today, global law enforcement seized the primary domain of Garantex, the notorious sanctioned cryptocurrency exchange. The action involved coordinated efforts between Europol, the US Department of Justice, the Federal Bureau of Investigation, the US Secret Service, the Dutch National Police, the German Federal Criminal Police Office, the Frankfurt General Prosecutor’s Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police.

Earlier in the day, Garantex announced via one of its primary Telegram channels that it would be temporarily seizing operations after Tether blocked approximately USD 28 million in USDT from the service. The exchange also shared 89 cryptocurrency addresses that they claimed were frozen by Tether. The subsequent takedown move marks one of the most significant international crackdowns on illicit cryptocurrency operations to date.

‍What is Garantex? A History of Crime and Sanctions

Garantex was initially sanctioned by the U.S. Office of Foreign Assets Control (OFAC) in April 2022, for its facilitation of over USD 100 million in transactions associated with illicit actors and darknet markets, including ransomware groups like Conti and the now-defunct Hydra Market. The United Kingdom followed with similar sanctions, and in February 2025, the European Union designated Garantex and six associated cryptocurrency addresses, marking the EU’s first-ever sanctioning of specific cryptocurrency addresses.

Since its designation by OFAC on April 5, 2022, Garantex has been responsible for over USD 100 billion worth of transfers, accounting for over 70% of volume to and from sanctioned entities and jurisdictions during that time. The exchange has continued to facilitate hundreds of millions of dollars in illicit transactions for criminal actors, sanctioned entities, and individuals.

Garantex’s Role in Illicit Finance

Overall Exposure to Illicit Activity

Garantex, according to TRM, has been responsible for 82% of all crypto volumes associated with sanctioned entities worldwide and 70% since it was sanctioned by OFAC in April 2022. Its ties to ransomware operators, darknet markets, and sanctioned financial networks have cemented its status as one of the highest-risk cryptocurrency exchanges ever sanctioned.

‍Ransomware Payments & Cybercriminal Networks

In 2023, Russian-speaking ransomware groups accounted for at least 69% of all crypto proceeds from ransomware, exceeding USD 500 million. Garantex played a key role in laundering these proceeds, processing transactions linked to ransomware groups such as Ryuk, Conti, and LockBit. The Ryuk ransomware group laundered over USD 2.3 million through Garantex, using the exchange to convert stolen funds into fiat currency.

Darknet Market Transactions

Hydra Market, the largest darknet market in history, was sanctioned by OFAC in the same designation as Garantex for facilitating billions in illicit crypto transactions. Hydra’s offerings included ransomware-as-a-service, hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illicit drugs.Prior to its takedown, Garantex was one of the primary financial enablers of Hydra Market, facilitating tens of millions in transaction volume for the now-defunct darknet market. According to TRM, after the takedown of Hydra, twelve Russian-language marketplaces amassed approximately 24% more volume in a period of five months than Hydra did in the first five months of the year when it was still live, with the largest ones having millions in exposure to Garantex.

Sanctions Evasion & Russian Financial Networks

Garantex has been a major enabler of sanctions evasion. In 2024, Garantex and Nobitex accounted for over 85% of crypto inflows to sanctioned entities and jurisdictions. The exchange has also been linked to high-risk Russian entities (HREs), which use it to circumvent international financial restrictions and move funds to offshore accounts.

For example, in March 2024, OFAC announced sanctions on Bitpapa, a cryptocurrency exchange offering services to Russian nationals and NetEx24, a Moscow-based company operating a cryptocurrency exchange and other Russian entities. Both Bitpapa and NetEx24 facilitated millions of dollars worth of transactions for OFAC-designated entities including Hydra Market and Garantex.

‍Money Laundering & Connections to Other Illicit Entities

Garantex has been widely used by Russian money laundering networks. Individuals such as Ekaterina Zhdanova, a sanctioned Russian money launderer, relied on Garantex to move illicit funds linked to Russian elites and ransomware operators. In addition, Garantex has also been linked to payments to companies responsible for components of weapons used by Russia in its invasion of Ukraine.

The Compliance and Regulatory Impact of the Garantex Takedown

The recent seizure of Garantex’s domain underscores the importance of real-time intelligence and robust compliance measures. Organizations must continue to screen for Garantex-related addresses, as historical and future exposure to the exchange could result in heightened regulatory scrutiny.

Despite the seizure, Garantex is likely to rebrand, migrate its operations, or launch affiliated entities to continue its illicit financial activities. Compliance teams may see a temporary decrease in direct alerts linked to Garantex, but they should expect an increase in indirect risk exposure as illicit actors channel funds through new addresses.

How TRM Labs Can Help Compliance Teams

TRM Labs enables compliance teams to monitor for these shifts in various ways. The TRM Intelligence Team will provide real-time updates on any rebranding or operational changes by Garantex, as seen in previous cases with other sanctioned entities. TRM’s Transaction Monitoring tools allow users to set jurisdictional controls and alerting thresholds, ensuring that exposure to Russian exchanges can be monitored and flagged in real-time.

For identifying indirect risk, TRM’s advanced analytics platform provides granular insights into risk exposure, tracking transaction paths, the number of intermediary addresses, transaction timestamps, and indirect financial flows. This allows compliance teams to detect hidden links to illicit entities, rather than relying on a black-box risk score.

‍A Landmark Moment for Crypto Sanctions

The takedown of Garantex marks a major milestone in the fight against illicit finance. However, this is not the end of the story. Sanctioned exchanges often attempt to evade restrictions by creating new entities, operating under different domains, or shifting their infrastructure to alternative jurisdictions. Other high risk services may also attempt to take over the volumes that Garantex once processed. 

Authorities and compliance professionals must remain vigilant. The global response to Garantex demonstrates a growing willingness to target crypto-enabled financial crime aggressively. Law enforcement agencies worldwide are leveraging blockchain intelligence tools, like those provided by TRM Labs, to track illicit activity in real-time, freeze assets, and disrupt criminal operations.

For compliance teams, this case highlights the importance of continuous monitoring, real-time intelligence, and robust risk mitigation strategies. As the illicit crypto ecosystem continues to evolve, compliance professionals, regulators, and law enforcement must work together to ensure that exchanges like Garantex cannot re-emerge under new names.