Full Report
The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions. [...]
Analysis Summary
# Threat Actor: Garantex Admins / Garantex (Entity)
## Attribution & Identity
The summary focuses on the operators/admins of the cryptocurrency exchange **Garantex**. This action follows sanctions against the entity itself.
## Activity Summary
US authorities charged Garantex administrators with money laundering and sanctions violations.
* The sanctions are part of the EU's 16th package targeting Russia, designating 542 individuals and entities.
* Garantex had previously been sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC) in April 2022 for facilitating transactions linked to darknet markets and cybercrime actors.
* Garantex lost its Estonian license in February 2022 due to critical compliance issues regarding Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) policies.
* Following recent EU sanctions, Tether blocked Garantex wallets holding over 2.5 billion rubles, forcing the exchange to temporarily suspend all services.
## Tactics, Techniques & Procedures
The TTPs described relate to financial crime and sanctions evasion rather than to traditional offensive cyber operations, although they facilitated criminal activity:
* Facilitating money laundering activities.
* Continuing to provide services through "unscrupulous means" despite losing its regulatory license.
* Handling funds linked to cybercrime operations.
* [Specific MITRE ATT&CK IDs are not provided in the source material.]
## Targeting
* Sectors: Cryptocurrency Exchange Services (Financial infrastructure).
* Geography: The exchange is linked to Russia, and victims/associated funds were tracked to Germany and Finland.
* Victims: The action targets the financial operations of Garantex itself, which has previously been linked to servicing darknet markets and ransomware groups.
## Tools & Infrastructure
* Malware families used: none attributed directly; Garantex was previously linked to the **Conti Ransomware-as-a-Service (RaaS)** operation.
* Infrastructure (C2, domains, IPs): none reported in the source material; related financial infrastructure:
  * Digital wallets blocked by **Tether** (USDT).
  * Previously linked to the **Hydra dark web market**.
## Implications
The action taken by the US and EU indicates a strategic effort to disrupt the financial infrastructure supporting Russian entities and criminal operations by targeting key choke points such as crypto exchanges. The freezing of funds and the blocking of stablecoin wallets demonstrate a potent non-traditional sanctions enforcement mechanism aimed at high-risk financial intermediaries. Garantex remains operational despite previous sanctions, indicating continued risk exposure for users interacting with the platform.
## Mitigations
* Users dealing with Garantex or similar unregulated exchanges are warned that their funds (specifically USDT on Russian wallets) are now at risk due to sanctions enforcement.
* Organizations should ensure adherence to global sanctions lists (OFAC, EU) and sever relationships with entities designated for money laundering or sanctions evasion.
* Maintain robust AML/CFT compliance, as regulatory failures were a precursor to the actions taken against Garantex.