How the exchange launders crypto assets, why Tether blocked it, and how to avoid having your funds blocked: we go into detail

How Garantex launders millions for Lazarus Group by circumventing sanctions — full investigation

17.03.2025

Russia’s largest crypto exchange was able to adapt to US sanctions and, despite restrictions, processed more than $60 billion in transactions.

Brief Facts:

  • Garantex continued to process suspicious transactions for Lazarus Group hackers and the Conti, Lockbit and Black Basta ransomware groups despite the imposition of US OFAC sanctions in April 2022;
  • To conceal illegal actions, the exchange transferred operational funds to new addresses on a daily basis;
  • Garantex engaged blockchain analytics organizations to identify suspicious transactions, but ignored their warnings and recommendations;
  • After sanctions were imposed in April 2022, Garantex was able to process more than $60 billion in transactions.

In March 2025, the Russian crypto exchange Garantex once again attracted media attention. The platform ceased operations due to the blocking of assets by Tether. In India, one of the exchange’s administrators was detained at the request of the United States. We explain why Garantex is being prosecuted by the US authorities.

In February 2023, the Lazarus Group, a hacker group allegedly linked to North Korea, used the Russian crypto exchange Garantex to launder more than $30 million in cryptocurrency that had been stolen in the summer of 2022 in the Horizon Bridge hack on the Harmony network. In total, the attackers managed to steal more than $100 million in various crypto assets.

Data: Elliptic Investigator. Not all transaction flows are displayed.

According to GetBlock, 158,639 ETH ($301.6 million at the March 17 exchange rate) was withdrawn from these three addresses.

Between April 2022 and 2024, despite the sanctions, Garantex continued to launder extortion proceeds from Conti, Lockbit, and Black Basta groups.

Data: Elliptic Investigator. Not all transaction flows are displayed.

Garantex also processed transactions worth tens of millions of dollars for such darknet marketplaces as Blacksprut, Solaris, Mega, and OMG!OMG! In August 2024, Chainalysis established a connection between Garantex and the Russian design bureau Vostok, which develops and manufactures drones for military purposes. According to the analytical service, the exchange conducted transactions worth more than $100 million for DB Vostok.

Address allegedly associated with DB Vostok

TLM3zA3EWycoDX4ZX4gKze7sgfbdkntTum

According to GetBlock, between April and July 2023, 36,718 USDT was withdrawn from the address.

How Garantex manages to evade sanctions

Garantex was first sanctioned by the US Treasury Department’s Office of Foreign Assets Control (OFAC) in April 2022. The exchange was accused of laundering funds obtained by illegal means. Three addresses associated with Garantex were blocked.

After the sanctions were imposed, Garantex adopted additional measures to continue its illegal activities. To conceal cryptocurrency transactions and their non-compliance with AML requirements, the exchange began moving operational assets to new addresses on a daily basis and using transaction-mixing services such as Tornado Cash. Despite the imposition of sanctions and the blocking of the web interface in 2022, the decentralized mixing smart contract is still going strong. In 2024, inflows to Tornado Cash increased by 108% from a year earlier.

From June 2023 to March 2024, Garantex engaged third parties to perform blockchain analytics and identify suspicious transactions. Even after such transactions were detected, the exchange administrators took no action. For example, between June and November 2023, an organization identified 20 transactions suspected of being used to fund terrorism, but Garantex processed them anyway.

Additional means of hiding on-chain data allowed Garantex to process more than $60 billion worth of transactions well after sanctions were imposed in 2022. In March 2025, Tether blocked 89 new Garantex addresses that held $22.8 million.

Addresses blocked by Tether in March 2025

Threat to Garantex users

Illegal transactions conducted by the Garantex exchange can negatively affect ordinary users who regularly use the exchange for their own purposes. One such case occurred back in 2023, when a user bought 200 thousand USDT stablecoins on Garantex. After the user sent the funds to another centralized exchange, they were blocked because of a link to sanctioned addresses.

In this particular case, the user managed to unfreeze the funds. To do so, he provided the platform with proof of the legal origin of the funds and also engaged an analytics platform that managed to prove the cryptocurrency owner’s non-involvement in the sanctions using on-chain data.

How to avoid blocking funds

To protect your funds from being blocked, you should perform AML verification of the addresses used in each cryptocurrency transaction. With the help of GetBlock explorer’s AML checks, you can identify potentially dangerous addresses associated with illegal operations (hacker attacks, ransomware, gambling, sanctions, and others) in advance. This helps keep your assets clean and avoids having them blocked.
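The pre-transaction address check described above can be sketched as follows; this is an added example, not GetBlock's API or code from this article. It reduces EVM addresses (any letter case) and Tron addresses (Base58Check or hex form) to one canonical key before matching, then reports direct or one-hop exposure to a blocklist. All function names, the `(sender, receiver)` transfer format and the sample addresses are constructed assumptions.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _check(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:  # only builds the samples below
    n, out = int.from_bytes(payload + _check(payload), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def b58check_decode(text: str) -> bytes:
    """Decode a 34-character Tron address (always fits in 25 bytes)."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)      # ValueError on a foreign character
    raw = n.to_bytes(25, "big")
    if _check(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def canonical(addr: str) -> str:
    """Reduce every spelling of an address to '<chain>:<40 lowercase hex>'."""
    a = addr.strip()
    if len(a) == 34 and a[0] == "T":    # Tron Base58Check -> '41' + 40 hex
        a = b58check_decode(a).hex()
    chain = {"0x": "evm", "0X": "evm", "41": "tron"}.get(a[:2])
    body = a[2:].lower()
    if chain and len(body) == 40 and all(c in "0123456789abcdef" for c in body):
        return f"{chain}:{body}"
    raise ValueError(f"unrecognised address: {addr!r}")

def screen(sender: str, transfers, blocklist) -> str:
    """Classify a sender as 'direct', 'one-hop' or 'clear' against a blocklist."""
    listed = {canonical(a) for a in blocklist}
    src = canonical(sender)
    if src in listed:
        return "direct"
    # Addresses that funded the sender, taken from (sender, receiver) pairs.
    funders = {canonical(f) for f, t in transfers if canonical(t) == src}
    return "one-hop" if funders & listed else "clear"

# Constructed sample data: not taken from any real sanctions list.
RAW = bytes(range(1, 21))
BLOCKLIST = [b58check_encode(b"\x41" + RAW), "0x" + "AbCd" * 10]
USER = b58check_encode(b"\x41" + bytes(range(100, 120)))
```

A list match only covers addresses that have already been published. Because the exchange moved funds to new addresses daily, exposure through longer chains of intermediate addresses still needs an analytics service.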
