Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
September 3, 2025

The Imitation Game: Following Garantex’s Takedown, Are These High-Risk Exchanges Copying Its Playbook?

TRM BlogInsightsInsights
The Imitation Game: Following Garantex’s Takedown, Are These High-Risk Exchanges Copying Its Playbook?

On August 14, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced actions targeting the founder and co-owners of the previously sanctioned cryptocurrency exchange Garantex — one of the most prolific high-risk cryptocurrency exchanges in the world. The actions also targeted one of its successor platforms, Grinex, and the ruble-backed A7A5 token. 

This followed global law enforcement dismantling Garantex on March 6, 2025. In the aftermath, TRM Labs has identified a network of Kyrgyz-registered platforms likely connected to Garantex and used by Russia for sanctions evasion. These entities displayed similar on-chain behavior and featured identical user interfaces (UIs). Around the time of the law enforcement operation targeting Garantex, the entities received Garantex-linked funds, indicating they are highly likely associated with the exchange. 

These developments come amid renewed activity around other high-risk exchanges. Another exchange, ABCex, went offline due to a distributed denial of service (DDoS) attack around the time of the Garantex takedown. Then on July 31, 2025, ABCex announced on Telegram that it had resumed operations. Just weeks before its return, a platform called AEXbit, featuring an identical UI to ABCex, appeared in Garantex-linked channels, suggesting it may be a successor service. 

This blogpost explores the on-chain and behavioral connections between ABCex and AEXbit — including their use of tactics previously employed by Garantex and Grinex — and how this will likely impact the behavior of other high-risk exchanges facing heightened law enforcement pressure.

Key takeaways

  • In the weeks following the Garantex takedown, TRM observed a sharp increase in inbound flows to ABCex from Garantex-linked sources. This surge coincided with ABCex experiencing a DDoS attack and temporarily going offline, suggesting it may be connected to Garantex. 
  • AEXbit, a likely rebrand of ABCex, emerged in July 2025, sharing an identical UI and being promoted in a near-identical fashion on Telegram
  • TRM has identified addresses attributed with near certainty to ABCex and AEXbit co-spending, which indicates they are almost certainly controlled by the same entity
  • ABCex and AEXbit’s tactics closely mirror those previously employed by Garantex and its partial successor platform Grinex. This underscores how high-risk exchanges emulate other bad actors’ tactics in an attempt to evade law enforcement attention.

An overview of Garantex, Grinex, ABCex, and AEXbit

Garantex: The exchange has played a central role in facilitating illicit financial activity, sanctions evasion, and money laundering, processing over USD 100 million in transactions tied to ransomware groups like Conti and darknet markets such as the now-defunct Hydra Market. According to TRM, Garantex has been responsible for 82% of all crypto volumes associated with sanctioned entities worldwide and 70% since it was sanctioned by OFAC in April 2022.

Grinex: Likely a rebrand or partial successor to Garantex. Soon after Garantex’s takedown, Grinex emerged via Telegram channels closely tied to Garantex affiliates, featuring an identical UI and similar promotional narratives. 

ABCex: The exchange has historic ties to Garantex co-founder Sergey Mendeleev and was Garantex’s third-largest on-chain counterparty at one point. It has faced allegations of facilitating transactions linked to the March 2024 Crocus City Hall terrorist attack in Moscow, as well as enabling illicit gambling activity. Russian authorities were also rumored to have detained Mendeleev in late 2024 for his ties to this illicit gambling activity. However, he has since made frequent guest appearances on social media, suggesting the rumor was false. 

AEXbit: A new platform, announced in July 2025, with an identical interface to ABCex’s, leading to speculation that it’s a rebrand.

Is AEXbit an ABCex rebrand?

AEXbit’s timing, design, and promotional rollout have led Telegram users to speculate that the platform is a rebranded version of ABCex. The exchange even offers the same limited choice of coin swaps: TRON, Bitcoin, Ethereum, and Ruble. These factors suggest the operators are re-using ABCex’s infrastructure for continuity purposes — a tactic also employed by Garantex with Grinex in the wake of law enforcement actions.

Furthermore, TRM Labs has identified co-spending by addresses attributed with near certainty to AEXBit and ABCex, indicating that they are almost certainly controlled by the same entity. 

TRM’s Graph Visualizer showing ABCex and AEXbit addresses co-spending

But what prompted ABCex to set up an alternate, identical exchange? It likely did so for one of the following reasons:

  • Concerns over additional DDoS attacks
  • Potentially being targeted by law enforcement

However, the latter approach to law enforcement evasion is unlikely to work given the successful uncovering of the connections between Garantex and Grinex.

Telegram users on AEXbit’s channel asking if it has the same office address (presumably as ABCex)
“That’s good news. So what is Aexbit then?” — Telegram user responding to ABCex announcing its return on Telegram 

ABCex’s post-takedown activity suggests operational overlap with Garantex

In the weeks following the Garantex takedown, TRM observed a notable rise in Garantex-linked funds flowing to ABCex. While transaction volumes for ABCex dropped in April 2025, they had reached similar highs in November 2024 — before falling after reports of legal actions against senior members of the exchange. 

ABCex has since resumed operations, following a period marked by repeated DDoS incidents and “technical work” announcements. The timing of the initial DDoS attack and subsequent increase in Garantex-linked flows to ABCex suggest a potential operational link between the two services. 

How are ABCex and AEXbit emulating Garantex and Grinex’s tactics?

ABCex and AEXbit’s behavior mirrors that of Garantex and Grinex in two ways:

  • Allegedly separate entities displaying identical UIs echoes the tactics Garantex used following its law enforcement takedown. Garantex launched Grinex, a similarly designed platform, to facilitate ongoing fund movements and sustain operational continuity.
  • Both Garantex and Grinex displayed identical and unique structural indicators — signatures that advanced blockchain analytics can detect. The overlaps between ABCex and AEXbit are even stronger — they don’t appear to be using identical infrastructures, but are operating within the same infrastructure.

These similarities indicate that ABCEx and Garantex may have shared management. 

Conclusion

There’s insufficient information to confidently assess whether Garantex is directly linked to ABCex or AEXbit. However, the timing and tactics surrounding these platforms are consistent with Garantex’s behavior following its law enforcement takedown.

ABCex and AExbit likely following Garantex’s playbook underscores how bad actors’ law enforcement evasion tactics can act as a template for other criminals. We will likely continue to see other illicit actors borrowing techniques from one another to adapt to enforcement pressure, including replicating infrastructure, rebranding services, or shifting operational models to maintain access to client assets.

TRM will continue to monitor on-chain activity associated with these entities to assess potential overlap in infrastructure, funding mechanisms, and user behavior.

{{horiztonal-line}}

Frequently asked questions (FAQs)

What happened to Garantex, and why does it matter for high-risk exchanges?

Garantex, one of the world’s most prolific high-risk cryptocurrency exchanges, was dismantled by global law enforcement on March 6, 2025, after facilitating over USD 100 million in transactions linked to ransomware and darknet markets. The exchange had accounted for 82% of all crypto volumes associated with sanctioned entities globally. Its takedown marked a pivotal moment in enforcement against crypto-enabled illicit finance and prompted a wave of activity among similar platforms — some of which now appear to be adopting Garantex’s tactics to maintain continuity.

Is AEXbit a rebrand of ABCex?

AEXbit emerged in July 2025 with a nearly identical user interface and promotional rollout to ABCex, leading many Telegram users to speculate that it is a continuation of the same service. TRM Labs identified co-spending behavior involving addresses attributed with near certainty to both platforms — a strong signal that they are almost certainly operated by the same entity. These overlaps mirror the tactics used by Garantex when it launched Grinex following its takedown, suggesting a recurring pattern of rebranding to maintain continuity.

How are high-risk exchanges using rebranding to avoid enforcement scrutiny?

Some high-risk exchanges appear to be mirroring Garantex’s playbook by replicating platforms with identical interfaces and minimal technical variation. This tactic — designed to preserve access to user funds and infrastructure — may help operators evade initial enforcement actions or buy time before additional scrutiny. However, on-chain analysis often reveals overlaps in transaction flows and wallet activity that can expose such connections, as seen with ABCex and AEXbit.

Why is Kyrgyzstan emerging in the post-Garantex ecosystem?

TRM Labs has observed a cluster of Kyrgyz-registered entities that are highly likely connected to Garantex, including Grinex — a platform that helped users recover large TRON-denominated balances following the takedown. These entities displayed strong on-chain links to Garantex, mirrored its user interface, and were promoted via affiliated Telegram channels. Their emergence highlights the use of jurisdictional arbitrage by illicit actors seeking operational footholds outside major enforcement regimes.

What are the implications for sanctions evasion and law enforcement?

In the months following the Garantex takedown, platforms like ABCex and AEXbit have exhibited on-chain behaviors and operational patterns that closely resemble those previously used by Garantex and its successor, Grinex. While there is no confirmed link between ABCex or AEXbit and Garantex, their use of shared infrastructure, similar user interfaces, and co-spending activity suggests these platforms may be drawing from a common set of tactics. For law enforcement and compliance teams, this highlights the importance of monitoring behavioral signals — not just entity names — as high-risk exchanges adapt to enforcement pressure.

This is some text inside of a div block.
TRM Team

Related posts

arrow right
BLOG
August 14, 2025

Garantex, Grinex, and the A7A5 Token: A Deep Dive into Sanctions Evasion Networks

arrow right
BLOG
April 28, 2025

Grinex Emerges as Likely Garantex Rebrand

arrow right
BLOG
March 6, 2025

The Takedown of Garantex: A Notorious Crypto Exchange’s Role in Illicit Finance

No posts to show
No posts to show
No posts to show
No posts to show
No posts to show

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe and stay up to date with our insights
No items found.
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT