Full Report
The administrators of Garantex, Aleksej Besciokov and Aleksandr Mira Serda, allegedly knew their crypto exchange was used to launder money, according to U.S. prosecutors. © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Threat Actor: Garantex Administrators (Aleksej Besciokov & Aleksandr Mira Serda)
## Attribution & Identity
The threat actor refers to the administrators of the Russian cryptocurrency exchange **Garantex**.
* **Aleksej Besciokov (46):** Lithuanian national residing in Russia.
* **Aleksandr Mira Serda (40):** Russian national residing in the United Arab Emirates.
* **Associated Groups/Entities:** Garantex (the sanctioned cryptocurrency exchange). The platform allegedly facilitated illicit activity for **terrorist organizations, cybercriminals (including North Korea's Lazarus Group), and ransomware actors.**
## Activity Summary
The U.S. Department of Justice charged the administrators for running Garantex as a platform facilitating global money laundering, supporting criminal enterprises, and violating U.S. sanctions.
* Garantex allegedly processed at least **$96 billion in cryptocurrency transactions** since 2019.
* The platform received "hundreds of millions in criminal proceeds" connected to hacking, ransomware, terrorism, and drug trafficking.
* Besciokov is specifically accused of personally allowing transactions linked to cybercriminals, including the Lazarus Group.
* The activity was subject to recent law enforcement action, with the US Secret Service and coalition agencies seizing the official Garantex websites.
## Tactics, Techniques & Procedures
The provided context focuses primarily on the **financial facilitation** aspect rather than specific intrusion techniques:
* Facilitating money laundering for criminal/terrorist organizations.
* Knowingly processing criminal proceeds through the exchange.
* Taking steps to conceal the facilitation of illegal activities on the platform.
* Violation of U.S. sanctions.
* *No specific MITRE ATT&CK IDs are mentioned in the text.*
## Targeting
The activities described implicate a wide range of criminal and terrorist groups who utilize the exchange for illicit finance.
* **Sectors:** No specific sector is named. The harmed parties are the victims of the upstream crimes whose proceeds were cashed out through the exchange (ransomware, hacking, and drug trafficking), plus the targets of the designated terrorist organizations it served.
* **Geography:** The primary entity (Garantex) is Russian-based. Administrators are associated with Russia, Lithuania, and the UAE. The reach of the money laundering is global, involving North Korean state-backed actors.
* **Victims:** Organizations targeted by ransomware and hacking groups whose proceeds were funneled through Garantex.
## Tools & Infrastructure
* **Malware families used:** Not specified, though activities linked to **ransomware** and **hacking** groups are mentioned.
* **Infrastructure (C2, domains, IPs):** The Garantex exchange platform itself was the central infrastructure; its official websites were seized by the US Secret Service and partner agencies. No C2 servers, domains, or IP addresses are listed in the text.
## Implications
The disruption of Garantex is a significant blow to the ransomware and state-sponsored hacking ecosystem (the Lazarus Group is cited specifically) because it removes a major financial chokepoint used for cashing out illicit funds. The charges signal continued aggressive DOJ enforcement against cryptocurrency platforms that fail to comply with sanctions and anti-money-laundering rules, and they put anyone involved in administering such a platform at direct legal risk.
## Mitigations
* Transaction monitoring and counterparty due diligence on cryptocurrency flows, including screening deposits and withdrawals against addresses attributed to sanctioned exchanges.
* Geopolitical risk assessment for platforms operating under jurisdictions known for weak financial controls.
* Proactive compliance with U.S. sanctions concerning virtual asset service providers (VASPs).
* Where prior exposure to the seized infrastructure is found (for example, deposits traceable to Garantex addresses), preserve the records and share them with the relevant law enforcement agencies.
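The screening step in the first mitigation above is usually implemented as an exposure check: walk the transfer graph outward from addresses attributed to a sanctioned entity and flag anything that touches the monitored address directly or within a small number of hops. The block below is an added example of that check; it is not code from the TechCrunch report or from any exchange, and every address, transfer, and threshold in it is constructed. OFAC publishes digital-currency addresses for designated entities on the SDN list, but the `SANCTIONED` set here is a placeholder and contains no real listed address.

```python
"""Sanctions-exposure screening over a small constructed transfer log.

Added example. Assumptions (all constructed, none real): the transfer log,
the denylist of sanctioned addresses, the monitored address, and the hop
threshold. A real deployment would load the OFAC SDN digital-currency
address entries and actual chain data in place of these placeholders.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    src: str
    dst: str
    amount: float  # asset units; constructed values


# Placeholder denylist standing in for SDN-listed addresses (not real).
SANCTIONED = {"0xS1", "0xS2"}

# Constructed transfer log; the comments describe the intended test shape.
TRANSFERS = [
    Transfer("t1", "0xS1", "0xA", 50.0),    # hop 1 from a listed address
    Transfer("t2", "0xA", "0xB", 20.0),     # hop 2
    Transfer("t3", "0xB", "0xEXCH", 10.0),  # reaches the monitored address at hop 3
    Transfer("t4", "0xC", "0xEXCH", 5.0),   # deposit with no sanctioned ancestry
    Transfer("t5", "0xEXCH", "0xS2", 3.0),  # direct withdrawal to a listed address
]


def build_graph(transfers):
    """Adjacency list keyed by source address."""
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    return out


def hops_from_sanctioned(transfers, sanctioned):
    """BFS forward from every sanctioned address.

    Returns {address: minimum number of transfers separating it from the
    nearest sanctioned address}; sanctioned addresses themselves map to 0.
    """
    graph = build_graph(transfers)
    dist = {a: 0 for a in sanctioned}
    queue = deque(sanctioned)
    while queue:
        addr = queue.popleft()
        for t in graph[addr]:
            if t.dst not in dist:
                dist[t.dst] = dist[addr] + 1
                queue.append(t.dst)
    return dist


def screen(transfers, sanctioned, watched, max_hops=3):
    """Findings for `watched` as (tx_id, finding_type, hop_count) tuples.

    Direct hits are any transfer between `watched` and a sanctioned address.
    Indirect hits are inflows whose source sits within `max_hops` transfers
    of a sanctioned address (counting the inflow itself as one hop).
    """
    dist = hops_from_sanctioned(transfers, sanctioned)
    findings = []
    for t in transfers:
        if t.dst == watched and t.src in sanctioned:
            findings.append((t.tx_id, "direct_inflow_from_sanctioned", 0))
        elif t.src == watched and t.dst in sanctioned:
            findings.append((t.tx_id, "direct_outflow_to_sanctioned", 0))
        elif t.dst == watched and t.src in dist:
            hops = dist[t.src] + 1
            if hops <= max_hops:
                findings.append((t.tx_id, "indirect_inflow_from_sanctioned", hops))
    return findings


if __name__ == "__main__":
    for finding in screen(TRANSFERS, SANCTIONED, "0xEXCH"):
        print(finding)
```

The hop rule is deliberately the simplest form of exposure scoring: it ignores amounts, so a tiny tainted input and a fully tainted one are treated alike. Production tools usually weight exposure by the fraction of value that traces back to the listed address and apply a threshold per risk tier; the graph walk above is the part those tools share.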