US sanctions Garantex for laundering over $100M

Virtual currency exchange Garantex was sanctioned Tuesday for facilitating illicit transactions with cybercriminals, most notably the Conti ransomware group.

The sanctions were imposed by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and announced in a press release, which cited more than $100 million in illicit transactions. Nearly $6 million of that sum was associated with Conti, according to the release. Conti has publicly backed Russia in the ongoing war and appears to remain active, despite recently leaked source code.

The Garantex sanctions mark the third against a virtual currency exchange in the past year, following Suex in September and Chatex in November. The release stated that all three exchanges operated out of the Federation Tower in Moscow.

Founded in late 2019, Garantex was originally based in Estonia. However, the Estonia Financial Intelligence Unit revoked its license in February after it "found connections between Garantex and wallets used for criminal activity." That did not stop the exchange from providing "services to customers through unscrupulous means," according to the release.

The Treasury Department said it coordinated with Estonian authorities prior to imposing the sanctions. It marks the second coordination effort with the Estonian government in the last six months, according to the release.

The OFAC's sanctions against Garantex coincide with recent actions taken against Russia following the invasion of Ukraine. OFAC said it is "closely monitoring any efforts to circumvent or violate" sanctions related to Russia, which includes the use of virtual currency.

"Today's actions also reinforced OFAC's recent public guidance to further cut off avenues for potential sanctions evasion by Russia, in support of the G7 leaders' commitment to maintain the effectiveness of economic measures," the release said.

The sanctions extend to "any entities that are owned, directly or indirectly" by Garantex, which can be difficult to assess when it comes to ransom demands. For example, if a company or individual pays a ransom, then the cybercriminal uses a sanctioned exchange to launder the proceeds, the enterprise could face legal trouble.

In a blog post Tuesday, cryptocurrency analytics service Elliptic said it "recently identified more than 400 cryptoasset exchanges operating in Russia."

Blockchain analytics vendor Chainalysis also addressed the sanctions through Twitter on Tuesday. Garantex was included as a top money launderer in a report published by Chainalysis in February that assessed cryptocurrency crime. The total cryptocurrency value Garantex received between 2019 and 2021 was over $2 million, according to the report. Thirty-one percent of that was determined to be illicit.

"Garantex is one of several high-risk exchanges in Moscow City that we identified as an egregious enabler of cybercrime," the tweet said.

One month earlier, additional Chainalysis research determined that illicit cryptocurrency proceeds peaked in 2021.

Garantex addressed the sanctions through a message on its Telegram channel Tuesday, which SearchSecurity translated into English.

"Dear Clients! Garantex has no assets and does not conduct business in the United States. The liquidity of the exchange is located in neutral jurisdictions. The exchange adheres to strict AML policies and the principle of zero tolerance transactions related to criminal activity. We continue our work in the usual mode and in full," Garantex said on Telegram.

In addition to the sanctions against Garantex, OFAC blocked the darknet market Hydra, which was shut down in an international effort this week. Hydra was "Russia's most prominent darknet market" according to the release, which also stated "Russia is a haven for cybercriminals."

Elliptic applauded the recent law enforcement action against both Garantex and Hydra as a demonstration that "cybercriminals operating within Russia and surrounding countries are not immune to enforcement action."

The vendor also predicted more action to follow.

"It is likely there will be more sanctions in the future against these high-risk exchange services facilitating illicit Russian activity," the blog said.