Russia-linked Payment Processor Cryptomus Likely Behind Launch of Parallel Service Heleket
Key takeaways:
- TRM assesses with high confidence that Cryptomus and Heleket – two payment processors that enable the purchase of goods and services with cryptocurrency, in addition to operating as exchange services – are operationally linked, based on shared infrastructure, branding, personnel overlap, liquidity sourcing, and coordinated on-chain activity.
- Heleket was likely developed by the administrators or affiliates of Cryptomus in order to continue laundering crypto at scale, including to facilitate sanctions evasion.
- Illicit actors appear to have migrated from Cryptomus to Heleket following compliance tightening, including sanctions-related entities and cybercrime service providers.
- Heleket shows elevated illicit exposure relative to peers, with nearly five times the average observed across payment service providers in TRM data.
- The case reflects a broader enforcement evasion pattern identified in TRM’s 2026 Crypto Crime Report, in which Russia-linked services relaunch parallel or successor platforms following regulatory action.
2025: Cryptomus, under the microscope, pivots to open Heleket
In October 2025, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) issued a record-breaking penalty of almost CAD 177 million against Cryptomus, a Russia-linked cryptocurrency payment processor and exchange, for multiple violations of money laundering and terrorist financing legislation. Cryptomus implemented mandatory KYC controls in February 2025, prior to the penalty and possibly due to early regulatory engagement, causing disquiet amongst its user base and a subsequent reduction in volumes. The introduction of KYC controls likely contributed to a drop in on-chain volume from USD 153 million in January 2025 to USD 86 million in March of the same year.
Their likely solution to increased regulatory scrutiny, as determined through TRM analysis of on-chain and open-source data, was to set up an alternate service that would offer the same services to the same user base — without comprehensive KYC controls — under the name Heleket. TRM assesses that Cryptomus — or its ultimate controllers — created and launched Heleket, based on common architecture, timing, shared personnel, and extensive on-chain connections.
Heleket is a crypto payment processor that claims to operate primarily within the European Union. They enable businesses to accept payments in crypto, and more recently have started issuing virtual bank cards. Heleket recently claimed in an update to their AML policy that they require identity documentation for their customers — however, TRM has observed that it is possible to transact without providing identity documentation.
Between 2022 and 2025, TRM observed Cryptomus processing hundreds of millions of USD in transactions associated with illicit actors, child sexual abuse material (CSAM) vendors, terrorist financing networks, human trafficking operations, and sanctions evasion, including transacting heavily with the now-closed sanctioned Russian exchange Garantex and Iranian exchanges. Heleket, since its inception in January 2025, has continued to service illicit activity — primarily linked to sanctions evasion — alongside exposure to Russian darknet markets and continued activity from cybercrime service providers that likely migrated from Cryptomus.
Cryptomus launching a parallel service is almost certainly designed to continue facilitating this type of illicit activity — even under scrutiny — by shifting over a user base to the same type of service they can nominally claim is not related to them. The evidence, however, clearly shows that the two are deeply intertwined.

On-chain connections support the Cryptomus-Heleket relationship

On-chain research reveals information including the timing of structural movements, fluctuation in volumes, common liquidity sourcing, and illicit actor movement that underpin TRM’s assessment that Cryptomus and Heleket are connected.
Liquidity sourcing
Heleket and Cryptomus share sanctioned Russian payment processor Garantex as a liquidity provider. The first large transactions into Heleket came from Garantex in January 2025. Sourcing of initial liquidity from a Russian exchange such as Garantex is not typical for a regulated service such as Cryptomus, which is registered in Canada.

The graph below shows total liquidity flows between Cryptomus and Garantex, including a sample of large, rounded values. These large-value transactions between Cryptomus and Garantex are equivalent to a liquidity provider relationship often observed in the legitimate virtual asset service provider (VASP) economy; however, a regulated VASP is unlikely to use Garantex as a source.

Timeline
Heleket’s increase in on-chain transaction volume shortly after its inception lines up with the drop-off Cryptomus saw after it implemented KYC controls in February 2025. It is not possible to quantify how many of the new Heleket users came from Cryptomus; however, based on the body of on- and off-chain evidence, it is likely that many did.

Illicit actor movement
TRM has observed numerous cybercrime actors — including child sexual abuse material (CSAM) vendors and cybercrime services — making the switch from Cryptomus to Heleket. The graphs below highlight examples of service vendors making the shift, the timing of which lines up with the motivation to switch to a service that has less robust KYC requirements.


Off-chain evidence connecting Cryptomus to Heleket
TRM analysts identified numerous off-chain commonalities between Cryptomus and Heleket, including shared infrastructure, processes, and identical phrasing and branding that, when paired with the on-chain indicators, strongly suggest the two processors were created and are run by the same organization.
The two companies have many similarities based on open-source research, such as use of the same privacy-focused domain registrar, identical branding and design elements, and unique, unusual phrasing on public-facing websites.
Cryptomus and Heleket appear to share personnel, including one administrator likely located in the Baltics. In a thread on Cryptomus’ Telegram channel, another Cryptomus administrator confirmed a connection between both entities, saying they “entered into certain agreements” while simultaneously claiming that the two were distinct. Forum users have also discussed similarities in the two entities, with one posting in March 2025 that they were able to log into Heleket with their same credentials.

Structural similarities include matching 0.4% fees for payment processing and the use of project moderation, or requiring users to submit descriptions of their intended business activities for approval. “Project moderation” is not a term commonly used by B2B payment processors when onboarding clients — a function like this would typically be formalized under Know Your Business (KYB) processes in a regulated institution. Another example of unique shared language is both services’ use of the phrase “set discount to payment method,” which does not appear to be used by any other similar entity at the time of writing.
Cryptomus, Garantex, and Heleket: Nodes in an illicit facilitation economy
TRM has observed a broad spectrum of illicit actors transacting hundreds of millions of USD through Cryptomus, including CSAM vendors, terrorist financiers, and human traffickers since Cryptomus’ founding in 2022. As highlighted in the FINTRAC action, there were numerous transactions from Iran. TRM identified over 75,000 transactions between Cryptomus and Iranian exchanges, including Nobitex (over 50,000), Bit Pin, Wallex.ir, and many more.
Similarly to Cryptomus, Heleket is likely a preferred service for threat actors — examining Heleket’s incoming volumes during 2025, 0.6% of total inflows have been identified as illicit. This is almost five times greater than the illicit ratio incoming to all payment service providers in TRM data during the same period. Incoming volume from sanctions-related entities accounts for 60% of illicit inflows during this period, primarily from Garantex.
Comparing Heleket and Cryptomus illicit volumes
In January and February 2025, Cryptomus accounted for the majority of combined illicit counterparty volumes between the two entities. This ratio dropped significantly, with Heleket accounting for over 80% of combined illicit flows between April and May 2025. This number has since reverted but sits closer to 45% in the last three months of 2025. This is notable because, although this ratio is close to 45%, Heleket only accounts for approximately 30% of total combined volume, confirming an overall higher ratio of illicit exposure — possibly due to the lack of KYC requirements.

What Cryptomus tells us about the current threat landscape
At the time of this report, Xeltox Enterprises Ltd. — the incorporated entity behind Cryptomus — is appealing the FINTRAC fine, claiming no knowledge or control over the transactions. The creation of Heleket to facilitate ongoing no-KYC services with illicit actors may be by design, providing Cryptomus with a sufficient degree of separation to enable plausible deniability of connections to illicit activity. However, if the two entities are connected, this could negate Cryptomus’ appeal to FINTRAC.
TRM’s 2026 Crypto Crime Report identified the past year as the “year of the Russian rebrand,” noting multiple illicit finance actors in Russia (including Garantex) that relaunched either parallel or identical services in response to enforcement action. The Cryptomus and Heleket connection is an example of this, whereby in creating or otherwise supporting the development of Heleket, Cryptomus is indirectly able to continue serving a subset of their customer base outside of a regulated environment.
TRM is the only blockchain intelligence provider with a dedicated VASP intelligence team that searches the crypto ecosystem for threat actor displacement for off-ramps, ensuring extensive coverage of illicit actors and the systems they use.
Frequently asked questions (FAQs)
1. Why did Cryptomus’ volumes decline in early 2025?
Cryptomus introduced mandatory KYC controls in February 2025. Combined with regulatory scrutiny and FINTRAC’s subsequent penalty in October 2025, this likely contributed to a decline in monthly on-chain volume from approximately USD 150 million in January to approximately USD 86 million in March 2025.
2. How confident is TRM that Cryptomus and Heleket are connected?
TRM assesses with high confidence that Cryptomus and Heleket are linked. This assessment is based on:
- Shared infrastructure and branding elements
- Identical unusual website phrasing
- Personnel overlap
- User credential crossover
- Liquidity flows from Garantex
- Coordinated timing of volume shifts
The convergence of these indicators strengthens the analytical assessment.
3. What role did Garantex play?
Garantex — a sanctioned Russian exchange — functioned as a liquidity provider to both Cryptomus and Heleket.
Heleket’s hot wallets received large transfers from Garantex-controlled addresses in January 2025. Similar liquidity relationships were previously observed between Garantex and Cryptomus.
This pattern resembles liquidity provisioning relationships seen among virtual asset service providers (VASPs).
4. What types of illicit activity were observed?
Between 2022 and 2025, Cryptomus processed hundreds of millions of USD associated with:
- Child sexual abuse material (CSAM) vendors
- Terrorist financing networks
- Human trafficking operations
- Sanctions evasion networks
- Russian and Iranian exchanges
Heleket, since January 2025, has primarily shown exposure to sanctions-related entities, Russian darknet markets, and cybercrime service providers.
5. How does Heleket’s illicit exposure compare to industry benchmarks?
In 2025, approximately 0.6% of Heleket’s incoming volume was identified as illicit.
This is nearly five times higher than the average illicit inflow ratio across payment service providers in TRM data during the same period.
Although 0.6% may appear small in absolute terms, relative exposure is significantly elevated compared to peers.
6. What does this case reveal about enforcement dynamics in crypto?
This case illustrates how enforcement pressure can lead to:
- Implementation of compliance controls at established services
- Volume displacement
- Launch of parallel or successor platforms
- Continued servicing of high-risk actors under rebranded entities
7. Could Cryptomus’ appeal to FINTRAC be affected?
Xeltox Enterprises Ltd., the incorporated entity behind Cryptomus, is appealing the FINTRAC penalty, asserting lack of knowledge or control over illicit transactions.
If regulators determine that Cryptomus and Heleket are operationally linked, this could undermine claims of separation and affect the appeal outcome.
8. What should compliance teams take away from this?
Compliance and risk teams should monitor for:
- Service rebrands following enforcement
- Liquidity relationships with sanctioned entities
- Migration patterns among high-risk actors
- Discrepancies between stated AML policies and observable KYC enforcement
Threat actor displacement — particularly toward lower-friction services — remains a consistent pattern following regulatory tightening.




















