
Inside Putin’s Crypto Cold War: How Russia Evaded Western Sanctions In 2025


Written & Edited by
Mohammad Shahid

12 December 2025 23:29 UTC

The Russia-Ukraine war has raged on for nearly 4 years now. Western sanctions were meant to isolate Russia financially. Instead, they forced adaptation.

In 2025, BeInCrypto began documenting how Russia and Russia-linked actors rebuilt payment routes using crypto. What emerged was not a single exchange or token, but a resilient system designed to survive freezes, seizures, and enforcement delays.

This investigation reconstructs that system in chronological order, based on on-chain forensic analysis and interviews with investigators tracking the flows.

The First Warning Signs Were Not Criminal

Early signals did not point to ransomware or darknet markets. They pointed to trade.


Authorities began asking new questions about how money crossed borders for imports, how dual-use goods were paid for, and how settlements occurred without banks.

At the same time, on-chain data showed Russian OTC desks surging in activity. Exchanges hosting Russian OTC liquidity also saw volumes spike, especially in Asia.

Meanwhile, Telegram groups and darknet forums discussed sanctions evasion openly. These were not hidden conversations. They described practical methods for moving value across borders without banks.

The method was simple. OTC desks accepted rubles domestically, sometimes as cash. They issued stablecoins or crypto. That crypto then settled abroad, where it could be converted into local currency.

Garantex Operated Russia’s Crypto Laundering Hub

Garantex played a critical role in this ecosystem. It functioned as a liquidity hub for OTC desks, migrants, and trade-linked payments.

Russia Using a UAE Proxy for Sanction Evasion 

Even after early sanctions, Garantex continued interacting with regulated exchanges abroad. That activity persisted for months.

When enforcement finally escalated, the expectation was disruption. What followed instead was preparation.

“Even people who were leaving Russia were still using Garantex to move their money out. If you were trying to relocate to places like Dubai, this became one of the main ways to transfer funds once traditional banking routes were cut off. For many Russians trying to leave the country, Garantex became a practical exit route. It was one of the few ways to move money abroad after banks and SWIFT were no longer an option,” said Lex Fisun, CEO of Global Ledger.

The Seizure Triggered a Reserve Scramble

On the day Garantex’s infrastructure was seized in March 2025, a linked Ethereum wallet rapidly consolidated more than 3,200 ETH. Within hours, nearly the entire balance moved into Tornado Cash.


That move mattered. Tornado Cash does not facilitate payouts. It breaks transaction history.

ETH Reserve Consolidation and Tornado Cash Transfer Graphic. Source: Global Ledger

Days later, dormant Bitcoin reserves began moving. Wallets untouched since 2022 consolidated BTC. This was not panic selling. It was treasury management under pressure.

BTC Reserve Reactivation Chart

So, it was clear that assets outside stablecoin control remained accessible.

A Successor Appeared Almost Immediately

As access to Garantex faded, a new service emerged.

Grinex launched quietly and began supporting USDT. Traced flows passed through TRON and connected to Grinex-linked infrastructure. Users reported balances reappearing under the new name.

“It was probably the most obvious rebrand we’ve seen. The name was nearly the same, the website was nearly the same, and users who lost access to Garantex saw their balances reappear on Grinex,” Fisun told BeInCrypto. 

In late July 2025, Garantex publicly announced payouts to former users in Bitcoin and Ethereum. On-chain data confirmed the system was already live.

At least $25 million in crypto had been distributed. Much more remained untouched.


The payout structure followed a clear pattern where reserves were layered through mixers, aggregation wallets, and cross-chain bridges before reaching users.

High-Level Payout Flow Diagram

Ethereum Payouts Relied on Complexity

Ethereum payouts used deliberate obfuscation. Funds moved through Tornado Cash, then into a DeFi protocol, then across multiple chains. Transfers bounced between Ethereum, Optimism, and Arbitrum before landing in payout wallets.

Despite the complexity, only a fraction of the ETH reserves reached users. More than 88% remained untouched, indicating payouts were still in early stages.

Bitcoin Payouts Exposed a Different Weakness

Bitcoin payouts were simpler and more centralized.

Investigators identified multiple payout wallets linked to a single aggregation hub that received nearly 200 BTC. That hub remained active months after the seizure.

More revealing was where the funds touched next.

Source wallets repeatedly interacted with deposit addresses tied to one of the world’s largest centralized exchanges. The transaction “change” consistently routed back there.


Why Western Sanctions Struggled to Keep Up

Western sanctions were not absent. They were late, uneven, and slow to execute.

By the time Garantex was fully disrupted, investigators had already documented billions of dollars moving through its wallets. 

Even after sanctions were applied, the exchange continued interacting with regulated platforms abroad, exploiting delays between designation, enforcement, and compliance updates.

The core problem was not a lack of legal authority. It was the speed mismatch between sanctions enforcement and crypto infrastructure. While regulators operate on weeks or months, crypto systems reroute liquidity in hours.

“Sanctions work on paper. The problem is execution. Billions can still move because enforcement is slow, fragmented, and often lags behind how fast crypto systems adapt. The issue isn’t that sanctions don’t exist. It’s that they’re enforced too slowly for a system that moves at crypto speed,” said the Global Ledger CEO. 

That gap allowed Garantex to adapt. Wallets rotated frequently. Hot wallets changed unpredictably. Remaining balances were moved in ways that mimicked normal exchange activity, making automated compliance systems less effective.

The private sector struggled to keep up. Banks and exchanges balance compliance obligations against transaction speed, customer friction, and operational cost. 

In that environment, sanctioned exposure can slip through when activity does not trigger obvious red flags.

By October 2025, the payout infrastructure was still active. Reserves remained. Routes stayed open.

This was not the collapse of an exchange, but rather the evolution of a system.

Russia’s crypto strategy in 2025 showed how a sanctioned economy adapts by building parallel rails, preserving liquidity, and rerouting when blocked.
