The war between Russia and Ukraine has now lasted almost 4 years. Western sanctions were meant to financially isolate Russia. Instead, they forced Russia to adapt.
In 2025, BeInCrypto began documenting how Russia and individuals linked to Russia rebuilt payment routes using crypto. No exchange or coin emerged, but a flexible system that withstands freezes, seizures, and delayed enforcement was created.
This research lays out that system in chronological order, based on on-chain forensic analysis and interviews with researchers tracking the flow of funds.
The first warning signs were not criminal.
Initial signals did not indicate ransomware or darknet markets. They indicated trade.
Authorities raised new questions about how money crossed borders for imports, how dual-use goods were paid for, and how settlements occurred without banks.
At the same time, on-chain data showed that Russian OTC desks became much more active. Exchanges offering Russian OTC liquidity also saw suddenly higher volumes, especially in Asia.
Meanwhile, Telegram groups and darknet forums openly discussed evading sanctions. These conversations were not secret. People discussed practical ways to move money cross-border without banks.
The method was simple. OTC desks accepted rubles in their own country, sometimes as cash. In return, they issued stablecoins or crypto. That crypto was settled abroad and converted to local currency there.
Garantex managed a Russian crypto laundering hub.
Garantex played a crucial role in this ecosystem. It was the liquidity center for OTC desks, migrants, and trade-linked payments.
Even after the initial sanctions, it continued to collaborate with regulated exchanges abroad. These activities continued for months.
When oversight eventually increased, disruption was expected. Instead, preparation followed.
"Even people who left Russia continued to use Garantex to get their money out of the country. If you wanted to move to places like Dubai, this became one of the main ways to transfer money when traditional bank routes were no longer feasible. For many Russians wanting to leave the country, Garantex became a practical way out. It was one of the few ways to get money abroad once banks and SWIFT were no longer an option," said Lex Fisun, CEO of Global Ledger.
The seizure led to a scramble for reserves.
On the day Garantex's infrastructure was seized in March 2025, a linked Ethereum wallet quickly accumulated more than 3,200 ETH. Within hours, nearly the entire balance was moved to Tornado Cash.
That step was important. Tornado Cash does not facilitate payouts, but breaks the transaction history.
A few days later, dormant Bitcoin reserves began to move. Wallets that hadn't been touched since 2022 consolidated BTC. This was not a panic sell-off, but treasury management under pressure.
This showed that assets outside of stablecoins remained accessible.
A successor appeared immediately.
When access to Garantex diminished, a new service emerged.
Grinex was quietly launched and began supporting USDT. Traced money flows went through TRON and were connected to Grinex infrastructure. Users reported that their balances were available again under the new name.
"It was probably the most obvious name change we ever saw. The name looked almost the same, the website looked almost the same, and users who lost access to Garantex saw their balance reappear at Grinex," Fisun told BeInCrypto.
At the end of July 2025, Garantex publicly announced payouts for former users in Bitcoin and Ethereum. On-chain data showed that the system was already operational.
At least $25 million in crypto was distributed. Much more remained untouched.
The payout structure followed a clear pattern where reserves were moved in layers through mixers, aggregation wallets, and cross-chain bridges before reaching the users.
Ethereum payouts deliberately utilized obfuscation. Funds went through Tornado Cash, then to a DeFi protocol, and subsequently across multiple chains. Transfers occurred between Ethereum, Optimism, and Arbitrum before being paid out to wallets.
Despite the complex approach, only a small portion of the ETH reserves reached users. More than 88% remained untouched, indicating that payouts had only just begun.
Bitcoin payouts reveal other weaknesses.
Bitcoin payouts were simpler and more centralized.
Researchers found multiple payout wallets linked to a central aggregation hub that received nearly 200 BTC. This hub remained active for months following the seizure.
Even more striking was where the money ended up afterwards.
Source wallets had repeatedly contacted deposit addresses of one of the world's largest centralized exchanges. The 'change' from the transactions was repeatedly sent there.
Why Western sanctions struggled to keep up.
Western sanctions were not absent. However, they came late, were irregular, and were implemented slowly.
By the time Garantex was fully addressed, researchers had already recorded billions of dollars in transactions via the wallets.
Even after sanctions were imposed, the exchange continued to conduct transactions with regulated platforms abroad, cleverly taking advantage of delays between designation, enforcement, and compliance updates.
The main issue was not a lack of legal authority, but the speed gap between enforcing sanctions and the crypto infrastructure. While regulators may need weeks or months, the crypto system sometimes redistributes its liquidity within hours.
"Sanctions work on paper. The problem is enforcement. Billions can still be moved because enforcement is slow and fragmented and often lags behind how quickly crypto systems adapt. The issue is not that sanctions do not exist. It is that they are enforced too slowly for a system that moves at crypto speed," said the CEO of Global Ledger.
Due to that gap, Garantex was able to adapt. Wallets were often rotated. Hot wallets changed unpredictably. The remaining balances were moved in ways that mimicked ordinary exchange activity, causing automatic compliance systems to work less effectively.
The private sector could hardly keep pace. Banks and exchanges balance their compliance obligations, transaction speed, customer convenience, and operational costs.
In such a situation, sanctioned exposure can slip through when activity does not present clear warning signs.
In October 2025, the payout infrastructure was still active. There were still reserves, and routes remained open.
This was not the downfall of an exchange, but the evolution of a system.
Russia's crypto strategy in 2025 demonstrated how an economy under sanctions adapts by building parallel networks, maintaining liquidity, and seeking workarounds when routes become blocked.
