Repeatedly Sanctioned: What Has the Russian Exchange Garantex Done Over the Past Three Years?

SlowMist

Authors: Lisa & Keywolf
Editor: Liz

On March 6, 2025, Tether froze $28 million worth of USDT associated with the Russian-sanctioned exchange Garantex, once again sparking widespread market concerns about the risks of stablecoin freezes. This article explores Garantex’s sanction history, platform fund management strategies, and responses to stablecoin freezes, offering insights on mitigating on-chain compliance risks and ensuring fund security.

Sanction History

Founded in late 2019 and initially registered in Estonia, Garantex primarily provided fiat-to-crypto exchange services. However, due to regulatory changes, its core operations quickly shifted to Moscow, where it established offices in the Federation Tower and St. Petersburg. These locations were also hubs for other sanctioned virtual currency exchanges, such as SUEX and CHATEX. Garantex’s permissive approach to anonymous transactions and weak compliance measures gradually made it a crucial conduit for hackers, ransomware groups, and illicit funds, ultimately drawing intense scrutiny from regulators.

1. Sanctions by OFAC and FIU

In February 2022, Estonia’s Financial Intelligence Unit (FIU) investigated Garantex and discovered severe violations of Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) regulations, as well as links to criminal funds. Consequently, Garantex’s virtual currency service provider license was revoked. Despite losing its Estonian license, Garantex continued serving customers through alternative means.

On April 6, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Garantex, alleging that the exchange facilitated illicit transactions, money laundering, and other criminal activities. OFAC found that over $100 million in transactions on Garantex involved illegal actors and darknet markets, including nearly $6 million linked to the Russian Ransomware-as-a-Service (RaaS) group Conti and approximately $2.6 million tied to the now-defunct Hydra darknet market. Additionally, OFAC added three Garantex-associated wallets to its Specially Designated Nationals and Blocked Persons List (SDN List), prohibiting U.S. individuals and entities from transacting with them. This move was part of the U.S. government’s broader crackdown on the Russian darknet market Hydra. On the same day, German law enforcement shut down Hydra and seized 543 BTC (valued at approximately $25 million at the time).

https://ofac.treasury.gov/recent-actions/20220405

2. Links to Illicit Funds

Despite sanctions from the U.S. and Estonia, Garantex continued operations and remained entangled with funds linked to hackers, ransomware groups, and criminal organizations.

  • June 13, 2023: According to Cointelegraph, the North Korean hacking group Lazarus Group, believed to be behind the Atomic Wallet hack (which resulted in losses of up to $35 million), transferred a portion of the stolen funds to Garantex to exchange for BTC.
  • July 25, 2024: TRM Labs reported that in 2023, Garantex accounted for 82% of the total crypto transaction volume of internationally sanctioned entities, significantly surpassing other sanctioned platforms.
  • February 12, 2025: Reports indicated that OFAC, the UK’s Foreign, Commonwealth & Development Office (FCDO), and Australia’s Department of Foreign Affairs and Trade (DFAT) jointly sanctioned the Russian Bulletproof Hosting (BPH) provider Zservers, accusing it of providing critical infrastructure support to the ransomware group LockBit. On-chain data showed that Zservers facilitated at least $5.2 million in crypto transactions, with some funds flowing to Garantex and non-KYC exchanges.

3. Stablecoin Freezes

Despite sanctions, Garantex’s user base and transaction volume did not decline significantly; in fact, it grew. According to CoinPaprika, Garantex’s daily trading volume surged by over 1,000% in three years, from approximately $11 million on March 1, 2022, to $121.6 million on March 1, 2025.

from: CoinPaprika

However, with heightened regulatory scrutiny, sanctions intensified. On March 6, 2025, Tether froze approximately $28 million in USDT across multiple Garantex-associated wallets. Garantex was forced to suspend all transactions and withdrawals and issued an official notice warning Russian users of potential risks to their USDT holdings. This action followed the European Union’s 16th round of sanctions against Russia on February 26, 2025, which directly sanctioned Garantex due to its close ties with sanctioned Russian banks.

from: https://t.me/misttrack_alert

Garantex’s official response stated that it would “continue to resist.”

from: Garantex Telegram

How Garantex Manages Its Hot Wallets Post-Sanctions

According to address label data analysis from SlowMist’s Anti-Money Laundering (AML) tracking system, MistTrack, after being sanctioned by OFAC in April 2022, Garantex adopted several strategies to sustain operations, primarily focusing on continuously adjusting its platform’s hot wallet fund management strategy. The key changes in wallet rotation frequency were:

  • April 2022 — December 2022: Hot wallets were replaced approximately every quarter.
  • December 2022 — February 2023: Hot wallets were replaced approximately every week.
  • February 2023 — Present: Hot wallets are replaced approximately every two days.

SlowMist’s anti-money laundering tracking and analysis system, MistTrack, has accumulated over 1 million wallet addresses related to Garantex. Its internally developed label data mining system continuously identifies patterns and tags Garantex’s frequently changing hot wallet addresses. A statistical analysis of some of these hot wallet addresses is shown in the figure below:

Further analysis of Garantex’s counterparties reveals that users not only withdraw USDT to non-custodial wallets (e.g., Ledger, MetaMask) but also to other exchanges. The following figure presents sampled data for reference only and may not fully reflect actual transactions:

How to Mitigate Stablecoin Freezing Risks

According to MistTrack data, in 2024, Tether froze $540,195,442 in USDT, while Circle froze $13,359,597 in USDC. For exchanges, institutions, and individuals, minimizing the risk of stablecoin freezes while ensuring fund security within a compliance framework remains a significant challenge.

https://dune.com/misttrack/2024

Regulators and stablecoin issuers primarily rely on on-chain data analysis tools to identify and track wallets linked to illicit activities. If a transaction address is associated with sanctioned entities or illicit funds, even indirect exposure can result in asset freezes. A Know Your Transaction (KYT) feature provides real-time analysis of transaction behavior and identifies suspicious fund movements, reducing the risk of frozen assets due to inadvertent exposure to non-compliant transactions.
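The following is an added example, not SlowMist's or MistTrack's code, of the pre-transaction screening idea described above: it traces a counterparty's inbound funds back a limited number of hops and scores the share that originates from sanctioned addresses. The addresses, amounts, the 10% review threshold and the proportional-attribution model are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount in USDT). Not real addresses.
TRANSFERS = [
    ("SANCTIONED_HOT_1", "intermediary_a", 1000.0),
    ("intermediary_a", "user_b", 1000.0),
    ("clean_exchange", "user_b", 3000.0),
    ("user_b", "deposit_x", 2000.0),
    ("clean_exchange", "deposit_y", 500.0),
    ("deposit_x", "user_b", 10.0),  # cycle: the hop limit keeps the trace finite
]
SANCTIONED = {"SANCTIONED_HOT_1"}  # stand-in for a sanctions/label list


def build_inbound(transfers):
    """Index transfers by receiver so funds can be traced backwards."""
    inbound = defaultdict(list)
    for sender, receiver, amount in transfers:
        inbound[receiver].append((sender, amount))
    return inbound


def taint(address, inbound, sanctioned, max_hops):
    """Fraction (0..1) of an address's inbound value traceable to sanctioned
    addresses within max_hops, attributed in proportion to amounts received."""
    if address in sanctioned:
        return 1.0
    if max_hops == 0 or not inbound.get(address):
        return 0.0  # assumption: origin beyond the hop limit counts as clean
    total = sum(amount for _, amount in inbound[address])
    tainted = sum(amount * taint(sender, inbound, sanctioned, max_hops - 1)
                  for sender, amount in inbound[address])
    return tainted / total


def screen(address, transfers, sanctioned, max_hops=3, threshold=0.10):
    """Return (decision, score) for a counterparty before accepting its funds."""
    score = taint(address, build_inbound(transfers), sanctioned, max_hops)
    if address in sanctioned:
        return "block", score
    return ("review" if score >= threshold else "allow"), score


if __name__ == "__main__":
    for addr in ("deposit_x", "deposit_y", "SANCTIONED_HOT_1"):
        print(addr, screen(addr, TRANSFERS, SANCTIONED))
    # Checking direct counterparties only misses the three-hop exposure:
    print("deposit_x, 1 hop:", screen("deposit_x", TRANSFERS, SANCTIONED, max_hops=1))
```

With the sample data, `deposit_x` is flagged for review only when the trace reaches three hops back; a one-hop check scores it as clean, which is the indirect-exposure case the paragraph warns about.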

Leveraging years of blockchain security research and risk control expertise, MistTrack has provided stable and reliable on-chain risk control support and robust AML compliance solutions to multiple exchanges and enterprises. It also offers precise data analysis, real-time risk monitoring, and comprehensive compliance support for individual users, corporate teams, and developers. MistTrack can detect fund sources, screen for exposure to sanctioned wallets or high-risk addresses, and prevent receiving tainted funds. It also enables real-time risk control by verifying addresses before transactions occur, reducing the likelihood of asset freezes. MistTrack currently supports 17 blockchain networks, including Bitcoin, Ethereum, BNB Smart Chain, TRON, Polygon, IoTeX, Avalanche-C, Arbitrum One, OP Mainnet, Base, zkSync Era, Merlin Chain, Toncoin, Litecoin, Dogecoin, Bitcoin Cash, and Solana.

From Garantex’s 2022 sanctions to Tether’s 2025 USDT freeze, we observe the long-term impact of compliance risks on exchanges, institutions, and individuals. As the regulatory landscape tightens, KYT has become an essential compliance tool in the crypto industry. If needed, feel free to contact us for a customized KYT solution to ensure secure fund flows, prevent asset freezes, and achieve sustainable growth within a legal and compliant framework!

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
