# Full Report
Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing on the coast of India with his family.
# Analysis Summary
# Threat Actor: Garantex Operators (Aleksej Besciokov & Aleksandr Mira Serda)
## Attribution & Identity
The focus of the reporting is on enforcement actions against the alleged operators of the cryptocurrency exchange Garantex.
* **Primary Individuals Indicted:** Aleksej Besciokov (Lithuanian national, alleged primary technical administrator and transaction approver) and Aleksandr Mira Serda (Russian national based in the UAE, alleged co-founder and Chief Commercial Officer).
* **Known Aliases (Besciokov):** “proforg,” “iram.”
* **Associated Group/Entity:** Garantex (Cryptocurrency Exchange).
* **Law Enforcement/Sanctioning Bodies:** U.S. Department of Justice (DOJ), U.S. Treasury Office of Foreign Assets Control (OFAC), U.S. Secret Service, German and Finnish law enforcement.
## Activity Summary
Garantex, operational since 2019, was sanctioned by OFAC in April 2022 for facilitating large-scale money laundering. Post-sanction, the platform reportedly processed over $60 billion, used for sanctions evasion, laundering proceeds from ransomware, darknet market trade, thefts attributed to North Korea's Lazarus Group, and enabling Russian oligarchs to move wealth following the invasion of Ukraine. Besciokov was arrested in India in connection with the DOJ indictment.
## Tactics, Techniques & Procedures
The reporting concerns financial facilitation, specifically money laundering operations, rather than traditional cyber attack TTPs:
* Facilitating transactions for criminal proceeds (ransomware, darknet activity, state-sponsored theft).
* Sanctions evasion coordinated through the crypto exchange platform.
* Obtaining and maintaining the exchange's technical infrastructure (technical administration by Besciokov).
* Reviewing and approving transactions.
* *No specific MITRE ATT&CK IDs are provided.*
## Targeting
* **Sectors:** Finance/Cryptocurrency (as the facilitator), and indirectly, victims of organized crime, ransomware groups, and sanctions targets (e.g., Russian elites).
* **Geography:** The operation was centered around the crypto exchange, with Besciokov arrested in India, and Mira Serda located in the UAE. The activities supported global criminal networks, linking to Russia and North Korea (via Lazarus Group attribution).
* **Beneficiaries and Victims:** Beneficiaries were transnational criminal and cybercriminal organizations, darknet market users, and Russian oligarchs; the indirect victims were those extorted by ransomware and those whose stolen funds were laundered through the exchange.
## Tools & Infrastructure
* **Malware Families Used:** Funds were tied to proceeds from ransomware groups, but no specific Garantex-developed malware is mentioned.
* **Infrastructure:** Garantex cryptocurrency exchange servers, which were seized by German and Finnish law enforcement. Besciokov was responsible for obtaining and maintaining this infrastructure.
* **Defanged URLs/IPs:**
* `hxxps://www.justice.gov/media/1392316/dl` (Indictment link)
* `hxxps://home.treasury.gov/news/press-releases/jy0701` (OFAC Sanction Press Release)
* `hxxps://www.elliptic.co/blog/elliptic-in-action-garantex` (Elliptic report)
* `hxxps://www.secretservice.gov/investigations/mostwanted/besciokov` (USSS Most Wanted notice)
## Implications
The arrest reflects a coordinated international effort (US, India, EU partners) to dismantle high-level financial infrastructure supporting cybercrime and sanctioned entities. Garantex represented a significant channel for laundering illicit funds, particularly those derived from ransomware and state-sponsored hacking, thereby enabling continued criminal operations. The scale ($60 billion processed post-sanction) indicates that the exchange was a significant chokepoint in the global illicit finance ecosystem.
## Mitigations
* Enhanced blockchain monitoring and tracing capabilities to identify transactions flowing through sanctioned exchanges like Garantex; specifically tracking flows tied to known ransomware/threat groups (e.g., Lazarus Group).
* Increased scrutiny and application of sanctions against virtual asset service providers (VASPs) and their administrators/co-founders by international regulatory bodies.
* Law enforcement collaboration to target the physical locations and associated infrastructure of key financial facilitators.
* For organizations targeted by ransomware, implementing robust payment controls and analysis to ensure funds are not inadvertently routed through sanctioned entities.