Full Report
A new cryptocurrency exchange named Grinex is believed to be a rebrand of Garantex, a Russian cryptocurrency exchange whose domains were seized by the U.S. authorities and an admin arrested. [...]
Analysis Summary
# Threat Actor: Garantex / Grinex (Suspected Rebrand/Successor Entity)
## Attribution & Identity
The primary entity in question is **Garantex**, a cryptocurrency exchange that has been sanctioned. The current focus is on **Grinex**, which is strongly suspected to be a rebrand or direct successor entity to Garantex, attempting to absorb its staff and user base immediately following Garantex's seizure.
* **Known Aliases and Associated Groups:**
  * Garantex (sanctioned entity)
  * Grinex (suspected successor/rebrand)
  * Satoshkin group (promoted Grinex on Telegram channels)
  * ABCEX (another platform emerging as a potential replacement, linked to Garantex founder Sergey Mendeleev)
  * Rapira (another platform welcoming former Garantex users)
## Activity Summary
Garantex was sanctioned for facilitating money laundering, particularly for Conti ransomware groups and various darknet markets (Hydra, Mega, Kraken, OMG!OMG!, Solaris). Following the seizure of Garantex, **Grinex** rapidly promoted itself on Telegram channels linked to the Garantex-adjacent Satoshkin group, claiming to offer "familiar functionality." Grinex subsequently announced an agreement to onboard Garantex clients and considered hiring former Garantex employees. Grinex then began distributing former Garantex user assets via a newly created token, **A7A5**.
## Tactics, Techniques & Procedures
This analysis focuses on *operational persistence* and *sanctions evasion* tactics rather than traditional cyber attack TTPs:
* **Entity Rebranding/Succession:** Rapidly creating a new platform (Grinex) to absorb the client base and operations of a sanctioned entity (Garantex).
* **Staff Absorption:** Attempting to hire former employees of the sanctioned entity to maintain operational continuity.
* **Introduction of New Financial Instrument:** Launching a new stablecoin (**A7A5**), pegged 1:1 to the Russian ruble, possibly as an anticipatory measure before sanctions, and using it to distribute formerly frozen assets.
* **Leveraging Proximate Channels:** Utilizing existing Telegram channels associated with Garantex (e.g., Satoshkin group) to promote the new service immediately upon the predecessor's takedown.
## Targeting
* **Sectors:** Cryptocurrency exchange services, financial services involved in illicit finance/money laundering.
* **Geography:** Associated with Russian operations (stablecoin pegged to RUB), and the seizure involved arrests in India relating to Garantex administrators. Transactions involving the replacement tokens were traced to Kyrgyzstan-based firms.
* **Victims:** Users whose assets were frozen on Garantex; entities and criminals using Garantex for illicit transfers, including ransomware groups (Conti) and darknet markets.
## Tools & Infrastructure
* **Malware Families Used:** None are attributed to the actors as cyber tools; they are linked to **Conti ransomware group** operations only indirectly, through the funds they laundered.
* **Infrastructure:**
  * **A7A5:** A new stablecoin pegged 1:1 to the Russian ruble, used for asset distribution.
  * **Telegram Channels:** Used for immediate promotion and client migration instructions.
## Implications
The emergence of Grinex demonstrates the high adaptability of illicit financial networks, particularly those servicing sanctioned entities or cybercriminals. Blocking these mechanisms is complicated by the ability of these groups to quickly rebrand, establish successor entities, and utilize seemingly decentralized platforms to continue operations, effectively circumventing sanctions enforcement.
## Mitigations
* **Holistic Entity Tracking:** Focus monitoring efforts beyond immediate corporate names to track related user bases, infrastructure links (like Telegram channels), and financial instruments (like new stablecoins) that absorb sanctioned clientele.
* **Financial Instrument Surveillance:** Closely monitor new stablecoins emerging in proximity to sanctioned entities, especially those pegged to sanctioned national currencies, as potential vehicles for illicit asset movement.
* **Tracking Personnel Links:** Monitor known administrators and high-level personnel (like Sergey Mendeleev) when they attempt to launch parallel or successor platforms.