After the introduction of mandatory user verification, the transaction volume of one crypto service plummeted by almost half. A new service soon emerged, and, judging by the data, the same users began migrating to it.

Another Russia-linked crypto service discovered: dossier and details

22.04.2026

On-chain analysis has uncovered another major cryptocurrency company engaged in illicit operations and violations of international sanctions. GetBlock AML Research exposes the schemes that allowed the Heleket service to conceal the true origin of its assets.

Key Points

  • Cryptomus and Heleket—two payment services that enable users to pay for goods and services with cryptocurrency while also functioning as exchanges—are effectively connected at the operational level. This is supported by shared technical infrastructure, similar branding, overlapping personnel, common liquidity sources, and coordinated on-chain activity.
  • Heleket was created by Cryptomus administrators or affiliated entities to continue large-scale cryptocurrency laundering operations, including sanctions evasion.
  • There are indications that illicit users began migrating from Cryptomus to Heleket after stricter compliance measures were introduced, including users linked to sanctions and providers of cybercriminal services.
  • Heleket demonstrates a significantly higher level of involvement in illicit activity compared to similar services—nearly five times the industry average among payment providers.

2025: Pressure on Cryptomus — Launch of Heleket

In October 2025, Canada’s financial regulator FINTRAC imposed a record fine of nearly CAD 177 million on Cryptomus, a Russia-linked cryptocurrency payment processor and exchange. The penalty was issued for multiple violations of anti-money laundering (AML) and counter-terrorist financing (CTF) laws.

Even before the fine, in February 2025, Cryptomus introduced mandatory user verification (KYC—Know Your Customer), likely in response to early regulatory scrutiny. This triggered user dissatisfaction and a decline in transaction volumes. As a result, blockchain transaction volume dropped from $153 million in January 2025 to $86 million in March.

In response to increased oversight, a workaround emerged: the creation of an alternative service offering the same functionality to the same audience, but without strict identity verification. This led to the launch of Heleket. Blockchain data and open-source intelligence suggest that Cryptomus or its affiliates were behind Heleket’s creation and rollout, as indicated by overlaps in architecture, launch timing, personnel, and transactional links.

Heleket positions itself as a cryptocurrency payment service primarily operating within the European Union. It allows businesses to accept crypto payments and has recently begun issuing virtual bank cards. Although the service claims in its updated AML policy to require identity verification documents, in practice, transactions have been observed occurring without them.

Between 2022 and 2025, hundreds of millions of dollars linked to illicit activity flowed through Cryptomus, including transactions associated with vendors of child sexual abuse material, terrorist financing networks, human trafficking, and sanctions evasion. The service also actively interacted with the now-defunct sanctioned Russian exchange Garantex, as well as Iranian crypto exchanges.

Heleket, launched in January 2025, continued servicing similar activity—primarily related to sanctions evasion—and interacted with Russian darknet marketplaces and cybercrime services that likely migrated from Cryptomus.

The launch of a parallel service appears to have been a strategy to continue such operations under regulatory pressure by shifting users to a formally “separate” platform. However, available evidence suggests the two services remain closely linked.

Blockchain Evidence Linking Cryptomus and Heleket

Blockchain analysis reveals key indicators: synchronized timing of major changes, fluctuations in transaction volumes, shared liquidity sources, and user migration between platforms.

Liquidity Sources

Cryptomus and Heleket share a common liquidity source—the sanctioned Russian payment service Garantex. The first significant inflows to Heleket in January 2025 originated from Garantex. For a regulated Canadian-registered service, reliance on such a source is highly unusual.

Liquidity flows from Garantex to Cryptomus and Heleket. Visualization: TRM Labs

Large transactions between Cryptomus and Garantex resemble typical relationships between a payment processor and a liquidity provider—common in the legitimate virtual asset economy. However, regulated firms generally do not rely on sanctioned entities for liquidity.

Timeline

The rise in Heleket’s transaction volume shortly after its launch coincides with a decline in Cryptomus activity following the introduction of mandatory KYC. While it is impossible to determine the exact number of users who migrated, the data strongly suggests a substantial shift.

Migration of Illicit Users

Numerous cases have been documented where cybercriminal actors—including vendors of illegal content and cybercrime service providers—moved from Cryptomus to Heleket. The timing aligns with tightened identity verification requirements, which may have pushed them to seek a more permissive platform.

Additional Evidence of Affiliation

Multiple off-chain similarities have also been identified: shared infrastructure, similar operational processes, identical phrasing, and overlapping design elements. Combined with transaction data, this strongly suggests both services were created and managed by the same organization.

Liquidity pattern similarities between Cryptomus and Heleket. Visualization: TRM Labs

Both projects use the same privacy-focused domain registrar, share nearly identical visual styles, and even replicate unique, unusual phrasing across their websites.

There are also signs of overlapping staff, including an administrator believed to be based in the Baltic region. In a Telegram discussion, a Cryptomus administrator acknowledged a connection between the two services, citing “certain arrangements,” while still claiming they are separate entities. Forum users have also noted similarities—one reported being able to log into Heleket using the same credentials as Cryptomus.

Structural Similarities Between Platforms

Both services charge the same 0.4% payment processing fee and employ so-called “project moderation”—requiring users to describe their business before onboarding. This approach is atypical for payment processors, which usually implement more formalized KYB (Know Your Business) procedures.

Both platforms also use the uncommon phrase “set a discount for a payment method,” which is not found on comparable services.

Cryptomus, Garantex, and Heleket as a Unified System

Hundreds of millions of dollars tied to illicit activity—including human trafficking and terrorist financing—have flowed through Cryptomus. More than 75,000 transactions were identified between Cryptomus and Iranian exchanges such as Nobitex, Bit Pin, and Wallex.ir.

Links between Cryptomus, Heleket, and illicit assets. Visualization: TRM Labs

Heleket shows a similar pattern. In 2025, approximately 0.6% of all incoming funds were linked to illicit activity—nearly five times the industry average. Around 60% of these funds originated from sanctioned entities, primarily via Garantex.

Comparing Levels of Illicit Activity

At the beginning of 2025, most illicit transaction volume was associated with Cryptomus. By April–May, however, more than 80% of such activity had shifted to Heleket. While this share later declined, it remained around 45% in the final months of the year.

Despite accounting for only about 30% of total transaction volume, Heleket exhibits a higher concentration of illicit activity—likely due to weaker user verification controls.

What This Means for Current Risk Exposure

Xeltox Enterprises Ltd., the company behind Cryptomus, is contesting the FINTRAC fine, claiming it was unaware of and did not control the transactions in question. The creation of Heleket may have been part of a broader strategy—to separate the core business from questionable activity and maintain plausible deniability.

However, if the connection between the two services is proven, it could significantly impact the outcome of the case.

Reports in 2026 highlight a growing trend dubbed the “year of Russian rebranding,” where participants in financial schemes launch new or parallel services in response to regulatory pressure. The Cryptomus–Heleket linkage serves as a clear example: creating a new platform allows continued engagement with part of the user base outside the regulated environment.
