Warning

Please be vigilant about TRM impersonation scams, especially those claiming to assist with fund recovery. More info

Solutions
Products
RESOURCES
Customers
Company
Request a demo
en
Search
Search
Insights
June 12, 2026

The A7 Leaks: TRM’s On-Chain Analysis of Russia’s Cryptocurrency Connections

TRM Team
The A7 Leaks: TRM’s On-Chain Analysis of Russia’s Cryptocurrency Connections

TRM partnered with the Open Source Centre (OSC) on an investigation examining the A7 network — a state-backed financial architecture established by Russia’s defense bank Promsvyazbank and fugitive oligarch Ilan Shor to process cross-border payments for Russian companies excluded from the formal banking system. 

Drawing on tens of thousands of leaked internal documents, the investigation found that A7’s on-chain volume of over USD 166 billion connects to a complex system linking traditional finance with on-chain intermediaries across the globe.

TRM’s contribution examined that portion: where A7’s digital asset activity surfaces, it connects the network to Iran’s Islamic Revolutionary Guard Corps, North Korean state hackers, Hamas, and a set of internationally designated financial facilitators using all means available to move funds and access foreign currency.

{{horizontal-line}}

Ilan Shor, the sanctioned Moldovan oligarch who co-owns A7 alongside Russia’s Promsvyazbank, minimized the role of crypto in the network in a speech at the 2025 St. Petersburg International Economic Forum (SPIEF), saying: “We are not a crypto mechanism.” 

Despite this minimization, TRM’s analysis reveals that crypto does appear in A7’s operations, where it underpins a set of financial relationships running through some of the most heavily sanctioned actors in the world.

Cryptocurrency in A7’s operations serves specific functions that its conventional infrastructure cannot. TRM identified two distinct roles. First, a domestic liquidity function, where USDT holdings are converted to rubles through Moscow’s cash markets and routed to foreign treasury pools. Second, an internal accounting function, where A7A5 moves between the network’s own addresses to maintain balance across its ledger. Beyond those operational uses, A7’s crypto activity also functions as a channel for transactions with counterparties — including the IRGC, North Korean intermediaries, and Hamas — that have been excluded from the formal financial system entirely.

North Korea, Iran, Hamas, and the financial periphery

TRM’s on-chain analysis of A7-linked addresses identifies connections to actors across the globe, including North Korean hackers, Iranian proxies, and even the IRGC. On-chain analysis shows USD 176.6 million in exposure between A7 and the IRGC, Hamas, the Houthis, Nobitex, and Alireza Derakhshan- all Iranian or Iranian-linked entities.

At least USD 590,000 in proceeds from the hacks of cryptocurrency exchanges BTCTurk and Woo X — both attributed to North Korean government hackers — moved through a series of intermediaries before reaching A7-controlled addresses and being swept onward toward likely cash conversion. North Korea regularly disposes of stolen cryptocurrency through Chinese and Russian broker networks, typically at a discount for fiat more useful in conventional trade.

Other connections involved even larger sums. One A7 address received more than USD 65 million in direct transfers from an address attributed to Iran’s Islamic Revolutionary Guard Corps, while another received the equivalent of USD 5 million from Hamas.

Several wallets central to A7’s operations appear to belong to Igor Himici, a Canada-sanctioned Moldovan former MP in Shor’s political party. His wallets transacted with a network of designated financial facilitators:

  • Alireza Derakhshan, designated in September 2025 for coordinating over USD 100 million in cryptocurrency purchases tied to Iranian oil sales on behalf of the IRGC’s Quds Force and Iran’s Ministry of Defense
  • Sa’id al-Jamal, designated for laundering IRGC-QF financial support to Ansarallah — the Houthis
  • Jorge Figueira, a Venezuelan national facing U.S. federal charges for allegedly orchestrating a money laundering conspiracy involving over USD 1 billion in cryptocurrency transactions

TRM also identified mainland Chinese electronics resellers using A7 infrastructure for cross-border payments. Some of these arrangements predated A7’s official launch, suggesting Russia incorporated pre-existing financial intermediaries into the network rather than constructing it from scratch.

The common thread across these connections is access. Crypto in A7’s operations functions as a channel for actors who have been excluded from conventional banking — and have few alternatives. Those connections are also a product of how A7’s digital asset infrastructure is actually structured, which diverges from the payment-rail narrative the network once promoted.

Crypto’s role in the A7 network

TRM’s analysis points to two distinct operational roles for A7’s cryptocurrency activity.

Internal A7 records confirm that a dedicated treasury team, led by Narine Mamikonyan, used USDT holdings to purchase rubles at Moscow’s cash-intensive wholesale markets — Sadovod and Food City, sprawling commercial hubs where large-volume cash trade happens daily. The ruble proceeds were routed into A7’s secondary infrastructure and distributed to foreign treasury pools in Kyrgyzstan, China, Egypt, Turkey, and Dubai. Internal communications indicate this function consolidated multiple foreign treasuries behind a single domestic entry point via Moscow’s informal cash economy.

The second function is internal accounting. The reported on-chain volume of USD over 166B billion in A7A5 transactions is inflated — roughly 35B appears to stem from circular transfers between A7 and other Russian sanction evasion-related actors. The circular flows appear to serve as a book-settling mechanism: a way to maintain balance across the network’s own ledger without minting new tokens, and without exposing A7’s liquidity to external interference. That resilience was tested in March 2025.

A7A5 and the Garantex migration

Ruble-backed stablecoin A7A5, issued by A7's Kyrgyz affiliate Old Vector, is used primarily for internal book-settling and as a migration vehicle for frozen assets following enforcement actions. A7A5  also played a specific and observable role following the international law enforcement action against Garantex, the sanctioned Moscow-based exchange that had processed hundreds of millions in ransomware proceeds and other illicit funds before its seizure.

In the aftermath, A7A5 served as the primary vehicle for migrating high-value Garantex account holders to Grinex, the successor platform. Former customers received A7A5 credits in amounts matching their frozen balances — an arrangement that effectively moved assets off the seized exchange under the cover of a new token.

By July 2025, a secondary spike in A7A5 activity coincided with a broader peak in network-wide transactions. The pattern was the same: circular flows, existing tokens moving between addresses, no new minting. Moving existing A7A5 rather than issuing fresh tokens insulated the network’s liquidity from smart-contract interference and targeted disruption efforts.

The bigger picture

Taken together, these findings describe a network that uses cryptocurrency selectively and for specific purposes: moving money with sanctioned counterparties, managing domestic cash liquidity, and absorbing the fallout from enforcement actions that might otherwise strand frozen balances.

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What is the A7 Network?

The A7 Network is a state-backed financial architecture established by Russia’s defense bank Promsvyazbank and fugitive Moldovan oligarch Ilan Shor to process cross-border payments for Russian companies excluded from the formal banking system following sanctions. Its core mechanism is a bills-of-exchange system that routes Russian capital through front companies and state-owned intermediaries — primarily in Kyrgyzstan — to pay foreign suppliers in dollars, euros, yuan, and other currencies. Russian President Putin personally endorsed the network’s launch in September 2025.

2. What is A7A5?

A7A5 is a ruble-backed stablecoin issued by a Kyrgyz firm called Old Vector and integrated into the A7 Network’s operations. Despite media coverage positioning it as a central feature of the network, it seems to serve more as a book-settling mechanism. TRM’s forensic analysis found that roughly one-third of A7A5’s reported on-chain volume of USD 110 billion stems from circular transfers within a narrow cluster of wallets, suggesting the token functions primarily as an internal accounting instrument rather than a genuine payment rail.

3. Why does A7 use cryptocurrency at all if it’s part of a larger ecosystem connected with traditional finance?

Cryptocurrency in A7’s operations serves specific functions that its conventional infrastructure cannot. TRM identified two distinct roles: a domestic liquidity function, where USDT holdings are converted to rubles through Moscow’s cash markets and routed to foreign treasury pools; and an internal accounting function, where A7A5 moves between the network’s own addresses to maintain balance across its ledger. Beyond those operational uses, A7’s crypto activity also functions as a channel for transactions with counterparties — including the IRGC, North Korean intermediaries, and Hamas — that have been excluded from the formal financial system entirely.

4. What connections did TRM find between A7 and other sanctioned actors?

TRM’s on-chain analysis identified direct financial ties between A7-linked addresses and several heavily sanctioned actors. One A7 address received more than USD 65 million in direct transfers from an address attributed to Iran’s Islamic Revolutionary Guard Corps. Another received the equivalent of USD 5 million from Hamas. At least USD 590,000 in proceeds from exchange hacks attributed to North Korean government hackers also reached A7 addresses. Several wallets central to A7’s operations appear to belong to Igor Himici, a Canada-sanctioned Moldovan former MP whose wallets transacted with networks tied to IRGC oil financing, Houthi financial support, and an alleged USD 1 billion money laundering conspiracy.

5. What was A7A5’s role in the Garantex seizure?

Following the March 2025 international law enforcement action that seized Garantex — the sanctioned Moscow-based exchange responsible for hundreds of millions in ransomware proceeds and other illicit flows — A7A5 served as the primary vehicle for migrating high-value account holders to Grinex, Garantex’s successor platform. Former customers received A7A5 credits matching their frozen balances, effectively moving assets off the seized exchange under the cover of a new token. A secondary spike in A7A5 activity in July 2025 followed the same pattern of circular fund flows, insulating the network’s liquidity from further disruption.

6. What should compliance teams take away from this analysis?

A7’s dual-track architecture — fiat flows through correspondent banking chains for commercial trade, cryptocurrency for high-risk counterparty relationships — requires a corresponding dual-track response. Monitoring stablecoin activity linked to opaque governance structures and sanctioned financial networks is critical, particularly given A7A5’s demonstrated role as a migration vehicle following enforcement actions. 

TRM has expanded its on-chain coverage of core A7 and A7-related entities' wallets, enabling exposure identification independent of the A7A5 stablecoin connection — meaning institutions can screen for A7 risk without relying on a direct label match. For compliance teams, the practical starting point is those patterns rather than entity-level attribution alone. When B2B-style transaction flows coincide with the laundering typologies and counterparty profiles associated with the A7 network, that combination is grounds to pause and investigate further — the stablecoin is one signal among several, not a prerequisite for identifying exposure.h layered Kyrgyz intermediaries — exposure that originated in the nested structure of correspondent banking relationships, not direct dealing with sanctioned entities.

This is some text inside of a div block.

Related posts

arrow right
BLOG
August 14, 2025

Garantex, Grinex, and the A7A5 Token: A Deep Dive into Sanctions Evasion Networks

arrow right
BLOG
April 16, 2026

Sanctioned Russian Exchange Grinex and Kyrgyzstani Exchange TokenSpot Hit in USD 15 Million Theft

arrow right
BLOG
September 3, 2025

The Imitation Game: Following Garantex’s Takedown, Are These High-Risk Exchanges Copying Its Playbook?

No posts to show
No posts to show
No posts to show
No posts to show
No posts to show
Subscribe and stay up to date with our insights
No items found.
Digital illustration showing a pie chart, masked criminal figure, and crypto coin symbol on a data grid background—representing crypto crime analytics.
REPORT
See the trends and typologies that shaped the illicit crypto ecosystem in 2025
READ THE REPORT →
Blue diamond with a circle overlayed in white on a dark blue background
REPORT
Unlocking more clarity for institutional adoption with key crypto policy shifts in 2025
READ THE REPORT →
3D illustration of a blue magnifying glass hovering over a digital fingerprint on a dark background, symbolizing crypto investigations or forensic analysis.
FLIP BOOK
Learn more about common crypto-enabled scam typologies in our "Investigating Crypto Scams" flip book
Get your copy →
Illustration of a stablecoin represented by a dollar symbol surrounded by icons for growth, risk alert, user profiles, and a security shield with a target, connected through a network of hexagons — symbolizing the interconnected risks and compliance considerations in digital asset ecosystems.
USE CASE
Learn how TRM helps compliance teams monitor exposure, detect threats, and safeguard their organizations
TRM for stablecoin risk management →
A worn silver wrench tool on a brown-red background, as a metaphor for violent crime
BLOG
Learn about the recent rise of "wrench attacks" and crypto-related violent crime
Read the post →
Illustration of a financial institution icon and a compliance document with checkboxes, symbolizing regulatory due diligence and financial compliance in the digital asset ecosystem.
GUIDE
Learn best practices for evaluating the legal, operational, and financial integrity of crypto entities before engagement
Get the guide →
A judge's gavel rests beside a stack of gold-colored cryptocurrency tokens, including Bitcoin, Dogecoin, Ethereum, and others, symbolizing the intersection of digital assets and regulatory or legal oversight.
REGULATORY ACTION TRACKER
Stay updated on the latest crypto-linked regulatory actions available in the public domain
Check it out →
Screenshot of the splash page used by law enforcement agencies following the takedown of Garantex, with bold red lettering reading, "This domain has been seized," along with the logos of various international law enforcement agencies involved in the action.
BLOG
Learn more about the global law enforcement operation that took down Garantex
Read the post →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT