Full Report
A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's
Analysis Summary
# Incident Report: Seizure of Garantex Cryptocurrency Exchange Website
## Executive Summary
The U.S. Secret Service, in coordination with several international law enforcement agencies, seized the website domain (`garantex[.]org`) associated with the Russian cryptocurrency exchange Garantex. This action follows extensive prior sanctions against the exchange dating back to April 2022 for facilitating transactions for illicit actors, darknet markets (like Hydra), and subsequently for laundering ransomware proceeds. The operation resulted in the immediate suspension of all user services, including crypto withdrawals.
## Incident Details
- **Discovery Date:** March 7, 2025 (Date of seizure publication)
- **Incident Date:** Not specified (Seizure conducted around late February/early March 2025)
- **Affected Organization:** Garantex (Russian Cryptocurrency Exchange)
- **Sector:** Financial Technology / Cryptocurrency Exchange
- **Geography:** Moscow, Russia (Headquarters)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-April 2022 (Founding/Operation)
- **Vector:** Not applicable; this was a law enforcement seizure of infrastructure, not a cyberattack on the exchange itself.
- **Details:** Garantex was founded in 2019 and operated as a gateway for illicit finance.
### Lateral Movement
- **Details:** Not applicable to this enforcement action.
### Data Exfiltration/Impact
- **Details:** The immediate impact was the seizure of the domain, rendering the website inaccessible. Separately, Tether had previously blocked Garantex wallets holding over 2.5 billion rubles due to EU sanctions.
### Detection & Response
- **How it was discovered:** Ongoing investigation and monitoring by international law enforcement.
- **Response actions taken:** USSS, working with DOJ, FBI, Europol, Dutch National Police, BKA, Frankfurt General Prosecutor's Office, Finnish NBI, and Estonian National Criminal Police, executed a seizure warrant on the domain `garantex[.]org`.
## Attack Methodology
*Note: This report details a law enforcement action, not a traditional cyberattack chain against the target.*
- **Initial Access:** N/A (Seizure of domain assets)
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Domain seizure, disruption of operations, and freeze on services.
## Impact Assessment
- **Financial:** Significant disruption to users; suspension of services, including crypto withdrawals. Previous sanctions led to the freezing of an estimated 2.5 billion rubles by Tether.
- **Data Breach:** No mention of data breach, but user funds/data associated with the platform are now controlled by seizing authorities.
- **Operational:** Garantex temporarily suspended all services, stating they are "fighting and will not give up."
- **Reputational:** Severe reputational damage reinforcing its status as a sanctioned entity associated with criminal finance.
## Indicators of Compromise
*Note: Indicators relate to the sanctioned entities and infrastructure rather than the seizure event itself.*
- **Network indicators:** `garantex[.]org` (Seized)
- **File indicators:** N/A
- **Behavioral indicators:** Association with confirmed illicit actors (Hydra, Conti) and sanctioned Russian banks (Sberbank, T-Bank, Alfa-Bank).
## Response Actions
- **Containment measures:** Seizure of the primary website domain (`garantex[.]org`) via a U.S. Secret Service warrant.
- **Eradication steps:** Coordination between multiple international agencies to dismantle the operational facade.
- **Recovery actions:** N/A (Actions taken by law enforcement agency).
## Lessons Learned
- **Key takeaways:** International coordinated efforts (USSS, Europol, national police forces) are effective in dismantling entities that violate sanctions and facilitate illicit finance across borders. Repeated sanctions (April 2022, Nov 2023, Feb 2025 EU) eventually led to significant operational failure.
- **What could have been done better:** The initial sanctions in 2022 did not immediately stop operations, necessitating follow-up sanctions and an infrastructure takedown (the domain seizure) nearly three years later.
## Recommendations
- **Prevention measures for similar incidents:** Maintain rigorous monitoring of sanctioned entities engaging in cryptocurrency services. Financial institutions and stablecoin providers (like Tether) should proactively block known sanctioned wallet addresses. Enhance international cooperation protocols for rapid domain seizure operations targeting illicit finance gateways.